What is the Security Plan (SSP) primarily used to document?

Study for the RMF Steps, Tasks, and Outcomes Test. Get ready for your exam with flashcards, multiple choice questions, and in-depth explanations. Master each step and outcome with ease!

Multiple Choice

What is the Security Plan (SSP) primarily used to document?

Explanation:
The Security Plan is the formal record that shows how a system is protected. It describes the system itself, the security controls that have been chosen and how they’re implemented, who is responsible for each control, and how those controls map to applicable policies and regulations. This document supports authorization decisions by making clear how the system meets security requirements and how risk is managed in its operating environment. It also defines the system boundary, environment of operation, and the relationships between policy language and actual controls. Other documents may cover specific areas like incident response or asset lists, but those are narrower in scope; the Security Plan provides a comprehensive view of the security posture, how controls are put into practice, and who oversees them. Describing user access rights and password policy alone or detailing only hardware inventory would not capture the full scope of protections the plan documents.

