OSP Memo 1: Process for System Security Plans (SSPs)

*Please view the most recent version of this memo here.


Step 1:  Per the Defense Federal Acquisition Regulations (DFAR), the clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (“7012 Clause”) is a mandatory clause.  The Government’s Contracting officer determines whether or not 7012 clause will be included in a pending contract.

Step 2:  OSP determines whether full SSP or FRE SSP is required based upon review of pending contract terms, to include publication restrictions, Foreign National Restrictions, use of any CUI, etc.

Step 3:  OSP notifies the proposed PI and the OIT GRC team of requirement for SSP and the type of SSP required.*

Step 4:  GRC reaches out to PI to complete SSP.

Step 5:  Working with PI, GRC completes SSP.

Step 6:  Using SSP portal the following approve the SSP:

  1. The PI
  2. GRC
  3. VP for Research (Jilda Garton) or authorized delegate

Step 7:  GRC works with PI to complete Report on Compliance (ROC)


Once steps 1 through 7 are complete, contract may be executed provided PI is found compliant in ROC.


* Please note that OSP’s decision is based upon contractual terms and is final unless the actual contract terms change.  Once OSP notifies PI and GRC of requirement, any discussions between the PI, GRC and the OSP Contracting Officer regarding the need for an SSP or the type of SSP required are unnecessary.