NIST 800-53 REV 5 • PLANNING
PL-3 — System Security Plan Update
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
Your system security plan is a living document — it needs to be updated whenever there are significant changes to the system, its environment, or the threats it faces. An outdated SSP is almost as bad as no SSP.
Example 1: Set a calendar reminder to review your SSP at least annually. Also update it whenever you make significant changes: adding new servers, migrating to the cloud, changing network architecture, or deploying new security tools. Track versions with a revision history table at the front of the document.
Example 2: Tie SSP updates to your change management process. When a significant change is approved, include 'Update SSP' as a required step in the change ticket. This ensures the SSP stays current without relying solely on periodic reviews. Use your GRC tool or a simple tracker to log every SSP update.