Guided SP 800-18 structured authoring — from system description and stakeholder assignments through FIPS 199 categorization, baseline tailoring, and SP 800-53 Rev 5 control implementation narratives.
A System Security Plan is one of the most demanding documents in the FISMA ecosystem — not because the concepts are difficult, but because the structure requires deep familiarity with two publications simultaneously: SP 800-18 for document organization and SP 800-53 for control content.
This tool combines both. Work through each SP 800-18 section with prompts that guide your narrative, and document SP 800-53 Rev 5 control implementations with structured fields that map to each applicable control.
Work through each SP 800-18 section in order or jump between them. Export a JSON snapshot to preserve your progress and continue later.
Document the system name, unique identifier, version, purpose, and operational environment. Define the authorization boundary, describe network architecture and major components, data flows, and interconnections with external systems. Identify system operational status and environment type.
Assign all SP 800-18 required roles: System Owner, Authorizing Official (AO), Information System Security Officer (ISSO), Information System Security Manager (ISSM), and other key personnel with security responsibilities. Document names, organizational units, and contact information for each role.
Perform FIPS 199 impact categorization with SP 800-60 information type mapping. Assign Confidentiality, Integrity, and Availability impact levels for each information type processed, stored, or transmitted by the system. The overall system impact level is derived from the high-water mark of all information type ratings.
Select the FISMA Low, Moderate, or High control baseline from SP 800-53B. Apply overlays (Privacy, CUI, cloud provider, etc.), exclude controls with documented justification, and define organization-specific parameters and assignments. Mark controls as common (inherited), hybrid, or system-specific.
Work through all applicable controls with structured implementation narrative fields. Each control displays its description, supplemental guidance summary, and enhancement options. Document implementation status, responsible entities, and system-specific implementation details for each control in your selected baseline.
SSPs take hours — sometimes days — to complete. Pro makes sure your effort persists, and produces a formatted document when you're ready to submit.
Export your SSP as a JSON file and import it later to continue. Share drafts with teammates or archive completed versions as records.
Generate a structured Excel workbook with all SSP sections and control narrative fields — useful for collaborative editing or secondary review workflows.
Produce a formatted, printable System Security Plan aligned to SP 800-18 section structure — suitable for ATO package assembly or formal review submission.
Begin with system description and work through every required SP 800-18 section at your own pace. Export a snapshot to preserve your work between sessions.
Risk Posture Tools