Published: 3/27/2024
The SSP is now the SSPP: Here’s Why
The plan formerly known as the System Security Plan (SSP) is now the System Security and Privacy Plan (SSPP)
The System Security and Privacy Plan (SSPP) is a collection of information associated with the FISMA system security. The SSPP provides an accurate, detailed description of the FISMA system itself, its security requirements, and the controls that are in place to protect the system.
We are announcing a subtle yet important change - the name has been updated from SSP to SSPP.
Why the name change?
This name change was prompted by HHS. It is important to adopt the name change within CMS to be consistent and ensure alignment with HHS.
HHS made this change - with the addition of the word privacy in the title - to reflect that the SSPP now includes all the requirements for the privacy baseline controls outlined in NIST SP 800-53, Revision 5. This update makes the SSPP more cohesive.
What does this change mean for you?
Don’t worry, this change does not affect the way in which system and business owners perform this job function. You simply need to remember to refer to this plan as “SSPP” going forward.
We hope this clarification sheds light on the reason behind the change and reassures you that there will be no change in how you perform your role.
Questions?
Thank you for your attention to this update. If you have any questions, please reach out to the policy team in CMS Slack #ispg-sec_privacy-policy, or you can email CISO@cms.hhs.gov.
About the publisher:
The ISPG Policy Team (also known as CMS CISO Team) manages the policies, standards, and guidance that keep information and systems safe at CMS. Our goal is to help you understand requirements and apply them effectively in your project environments – so you can focus on delivering value to CMS beneficiaries and customers.