The System Security Plan (SSP) is the blueprint for your organization’s cybersecurity program. Just as a blueprint contains the drawings and instructions for constructing your home, the SSP contains all the details and specifications for how to build and run your program. But these details and instructions are confined by parameters: for example, you can’t build your home on the side of a cliff without certain structural elements, nor can you place electrical sockets wherever you want or use insufficient wiring for the sockets. So, in addition to outlining the building structure, your home blueprint needs to comply with certain codes and regulations. It’s the same with your SSP. For an SSP, those codes and regulations are cybersecurity frameworks, often dictated by laws or regulations, that contain cybersecurity safeguards or best practices, also known as “Controls”. The SSP is the medium that contains the descriptions of the managerial policies, operational procedures, and technical components that the organization plans to implement to meet the requirement of each Control. The form of that medium (Word document, Excel spreadsheet, web form, whatever) is up to the organization to determine.