September 27, 2023

NIST 800-53, Revision 5 System Security Plan (SSP) Template - LOW Impact

When developing a System Security Plan (SSP) based on the NIST 800-53 controls at the LOW impact level, you should consider the following key elements:

  1. System Overview: Provide a description of the information system, its purpose, and its intended use. Include information such as the system name, system owner, system identifier, and system categorization.
  1. System Boundaries: Clearly define the boundaries of the information system, including the hardware, software, and network components that make up the system. Identify interfaces with other systems and any external connections.
  1. Risk Assessment: Conduct a risk assessment to identify potential threats, vulnerabilities, and risks to the information system. Assess the likelihood and impact of these risks and prioritize them based on their significance.
  1. Security Controls: Identify and document the security controls that are implemented or planned to protect the information system. These controls should be selected from the NIST 800-53 control catalog based on their relevance to the LOW impact level.
  1. Control Implementation: Describe how each selected security control is implemented within the information system. Provide details on how the control is designed, configured, and managed to meet the specific security requirements.
  1. Control Effectiveness: Assess the effectiveness of the implemented security controls in mitigating risks. Describe the processes and methods used to evaluate the controls' performance and validate their effectiveness.
  1. Contingency Planning: Develop a contingency plan that outlines procedures for responding to and recovering from incidents that may impact the system's availability or integrity. This plan should include backup and recovery strategies, incident response procedures, and communication protocols.
  1. Personnel Security: Describe the measures in place to ensure that individuals who have access to the system are trustworthy and adequately trained. This includes background checks, security awareness training, and role-based access controls.
  1. Physical and Environmental Protection: Document the physical security measures in place to protect the information system. This includes access controls, visitor management, equipment protection, and environmental monitoring.
  1. Security Awareness and Training: Describe the security awareness and training programs provided to system users and administrators. Include details on the content, frequency, and delivery methods of the training sessions.
  1. System Maintenance: Outline the procedures and practices for maintaining the security of the information system. This includes patch management, configuration management, vulnerability scanning, and system documentation updates.
  1. System Monitoring: Describe the monitoring mechanisms in place to detect and respond to security incidents. This includes the collection and analysis of system logs, intrusion detection systems, and security event monitoring.

Remember to tailor the SSP to the specific characteristics and requirements of your organization's information system at the LOW impact level. The SSP should be periodically reviewed and updated to reflect changes in the system's environment and to address emerging threats and vulnerabilities.

100+ NIST 800-53 Templates Available for Download for Federal Contractors

The solution for federal contractors is the Arlington Security Portal (ASP), an online repository of world-class, industry-leading security and privacy policies & procedures, programs, plans – and other highly essential documents & templates developed specifically on NIST SP 800-53, Revision 5.

From Beginning to End, Complete Project Management for NIST RMF

With Arlington, we can manage your entire NIST RMF A&A process from beginning to end (i.e., from the initial scoping & gap assessment to post-Authorization to Operate (ATO) activities), providing essential services for getting you to the finish line in terms of your ATO. Core services and solutions offered include the following:

  • Scoping & Gap (i.e., Readiness) Assessments
  • Remediation Services (Policy and Procedures writing)
  • Remediation Services (Technical and Operational)
  • System Security Plan (SSP) Development
  • Security Assessment Reports (SAR)
  • Continuous Monitoring (ConMon) Services

About Arlington

We are Arlington, a team of innovative, solution-oriented, highly agile, and well-versed professionals with decades of experience in working with America’s defense industry. From emerging cybersecurity regulations to helping our clients solve complex security & compliance challenges – and so much more – you can trust Arlington, the firm that’s Dedicated to Defense®. Learn more at arlingtonintel.com.