SSP Workshop @ CPPC23
System Security Plan Workshop
Cybersecurity and Privacy Professionals Conference
May 1, 2023
Bellevue, Washington
Advanced System Security Plan Workshop
One of the major challenges faced by institutions engaged in regulated research is determining how to align their interpretation of controls with those of other institutions engaged in similar activities. Given the sensitive nature of implementation decisions and the varied resources available to institutions, the primary means of addressing this challenge is traditionally through internal teams or external consulting efforts. However, when teams have been heavily involved in the development and implementation of a System Security Plan, they may inadvertently overlook crucial details or overcommit themselves to additional and unnecessary effort in their solutions.
This advanced, full-day workshop will focus on creating key components of a NIST 800-171 / CMMC Level 2 System Security Plan (SSP) through collaboration and expert input. By discussing possible implementation strategies and the depth of information shared, participants will learn whether their peers take similar approaches. The workshop will produce a novel resource, built by national experts reaching consensus on implementation strategies and determining best practices. The Regulated Research Community of Practice (RRCoP) is a sponsor and will provide scholarships. For more information: https://www.regulatedresearch.org/cppcworkshop23
Agenda: The full-day workshop will begin with common systems within a compliant enclave architecture, which will serve as the foundation for the rest of the day's activities. Most of the day will be spent collaborating with peers around the implementation strategies for NIST SP 800-171 controls, using small groups for consensus building. Throughout there will be broad opportunities for feedback from all workshop participants. The workshop will conclude with a summary of the day's accomplishments and closing remarks.
Workshop Output: This workshop will create a portion of an SSP, developed through consensus with peer experts, and documentation of a select group of controls. All participants will have access to the newly created SSP, and it will be available on www.regulatedresearch.org with the participants' attribution.
Participants: Participants are expected to have significant knowledge and experience with writing or owning an SSP or implementing NIST 800-171 / CMMC Level 2 controls. To improve diversity, participation from any one institution will be limited, allowing participation from many institutions.
Schedule
Morning (3 hours)
Introduction
Scoping Exercise
Controls in Small Groups
Debrief & Discussion
Afternoon (3 hours)
Controls in Small Groups
Debrief & Discussion
Closing & Actions to Continue