About SSP
Purpose
A system security plan comprises the implementable controls based on system characteristics. The current types of systems include:
- Low-Risk Cloud
- Low-Risk On-Premises
- Medium-Risk Cloud
- Sandbox
Agencies and their industry partners are required to assess the risks and threats for each of their systems in order to determine the controls required to mitigate those risks.
Control Levels
Profile Level 0
These are Cardinal and Mandatory requirements.
Profile Level 1
These are basic hygiene process and technical control requirements, including tooling with alternatives. Agencies and industry partners are to assess and apply the controls in accordance with their risk impacts.
Profile Level 2
These are best practices for Agencies to consider and adopt where required.
The SSPs were last updated on 13 May 2025.