System Security Plan (SSP)
Comprises implementable controls based on different system characteristics.
Purpose
A system security plan comprises the implementable controls based on system characteristics. The current types of systems include:
Low-Risk Cloud
Low-Risk On-Premises
Medium-Risk Cloud
High-Risk Cloud CII
Generative AI
Digital Services (Others)
Digital Services (High Impact)
Sandbox
Agencies and their industry partners are required to assess the risks and threats to each of their systems in order to determine the controls required to mitigate those risks.
Control Levels
The three control levels are:
Control | Description
Level 0 | Cardinal and mandatory requirements.
Level 1 | Basic hygiene process and technical control requirements, including tooling with alternatives. Agencies and industry partners are to assess and apply these controls in accordance with the risk impact of the system.
Level 2 | Best practices for agencies to consider and adopt where required.
System Security Plan (SSP)
The available System Security Plan templates are listed below:
Low-Risk Cloud
The Low-Risk Cloud System Security Plan template includes Level 0 and Level 1 baseline controls that are recommended as the default controls for low-risk cloud systems. Agencies are to customise this template to create their own system-specific System Security Plan or use it as a default System Security Plan.
Low-Risk On-Premises
The Low-Risk On-Premises System Security Plan template includes Level 0 and Level 1 baseline controls that are recommended as the default controls for low-risk on-premises systems. Agencies are to customise this template to create their own system-specific System Security Plan or use it as a default System Security Plan.
Medium-Risk Cloud
The Medium-Risk Cloud System Security Plan template includes Level 0 and Level 1 baseline controls that are recommended as the default controls for medium-risk cloud systems. Agencies are to customise this template to create their own system-specific System Security Plan or use it as a default System Security Plan.
High-Risk Cloud CII
The High-Risk Cloud CII System Security Plan template includes Level 0 and Level 1 baseline controls that are recommended as the default controls for high-risk cloud CII systems. Agencies are to customise this template to create their own system-specific System Security Plan or use it as a default System Security Plan. CII Owners are reminded to inform the Cyber Security Agency of Singapore (CSA) prior to migrating to the cloud and creating a High-Risk Cloud CII SSP.
Generative AI
The Generative AI System Security Plan template includes Level 0 and Level 1 baseline controls that are recommended as the default controls for systems that utilise generative AI models. Agencies may customise this template to create their own system-specific System Security Plan or use it as a default System Security Plan for generic Generative AI systems.
Digital Services (Others)
Digital Service (also known as Government Digital Service) refers to any public service that is delivered digitally. It is used to convey the Government's position, provide information, and/or deliver services to the public. Digital Services (Others) refers to digital services with fewer than 1 million visits per year (note: this is determined based on WOGAA (Whole-of-Government Application Analytics) statistics).
Digital Services (High Impact)
Digital Services (High Impact) refers to digital services, as defined above, with at least 1 million visits per year (note: this is determined based on WOGAA statistics).
Sandbox
A pilot System Security Plan template for sandbox systems.
