Draft Research Institution Community Developed SSP


One of the major challenges faced by institutions engaged in regulated research is determining how to align  their interpretation of controls with those of other institutions engaged in similar activities. Given the sensitive nature of implementation decisions and the varied resources available to institutions, the primary means of addressing this challenge is traditionally through internal teams or external consulting efforts. However, when teams have been heavily involved in the development and implementation of a System Security Plan, they may inadvertently overlook crucial details or overcommit themselves to additional and unnecessary effort  in their solutions.

This advanced, full-day workshop focused on the creation of key components of a NIST 800-171 / CMMC Level 2 System Security Plan (SSP) through collaboration and expert input. 

This workshop produced a novel resource achieved from national experts finding consensus of implementation strategies and determining best practices.  As a group, we documented responses to 42 selected controls. We encourage you to use this reference as you build your own SSP.


Emily Adams

Achraf Adenane

Ravikant Agarwal

Damon Armour

Winston Armstrong

Cornelia Bailey

Mardecia Bell

Chris Bernard

Kendall Blaylock

Terry Butcher

Christopher Cashmere

Zepu Chen

Raina Collins

Louis Daher

Tim Daniel

Ramon Delacruz

Erik Deumens

William Drake

Ryan Duitman

Kira Dunn

Robert Edamala


Carolyn Ellis

Wendy Epley

Dan Fast

Cal Frye

Jay Gallman

Enrique Garcia

Jeff Gassaway

Michael Goay

Nick Harrison

David Heidorn

Laura Heilman

Kerry Hixon

Naom Hospodarsky

Curtis Kappenman

Paul Kern

Jesse La Grew

Bob Larsen

Douglas Lewis

Lillian Maestas

Alexander Magid

Dan Mahar


Tammie McClellan

Nan McKenna

William Miaoulis

Jeff Moore

Michael Navicky

Arian Padron

Sherry Pesino

Jacqueline Pitter

Laura Raderman

Jose Ramirez

David Richardson

Robby Rollins

Anurag Shankar

Adria Snead

Cameron Walther

Andrew Weisskopf

Ronni Wilkinson

Daren Wunderlich

Mona Zarei


Anderson University
Auburn University
Carnegie Mellon University
Case Western Reserve University
Chemeketa Community College
Clark University
Connecticut State Colleges & Universities
Cornell University
Duke University
Georgia Institute of Technology
Harvard University
Indiana University
Lafayette College
Lake Forest College
Madison Area Technical College
Mississippi State University
North Carolina Community College System
North Carolina State University
North Dakota State University
Princeton University
Purdue University
South Dakota State University

Spelman College

Stanford University
The University of Arizona
Union College
University of Alaska
University of California San Diego
University of Central Florida
University of Chicago
University of Connecticut
University of Delaware
University of Florida
University of Georgia
University of Miami
University of Michigan-Ann Arbor
University of Minnesota
University of Nebraska
University of New Mexico
University of South Carolina
University of Southern California
University of Tennessee System Office
University of Texas System
University of Utah
Vantage Technology Consulting Group


Find the final output on EDUCAUSE's site secured behind member login. Visit: https://events.educause.edu/special-topic-events/cybersecurity-and-privacy-professionals-conference/2023/agenda/advanced-system-security-plan-workshop-separate-registration-is-required 

If you are not a EDUCAUSE member, please request a copy at info@regulatedresearch.org from a .edu address.