FedRAMP SSP Generator

Infracast automatically generates System Security Plans (SSPs) following FedRAMP and NIST 800-171 templates, pulling data directly from live infrastructure discovery and compliance assessments.

Overview

Writing an SSP is one of the most time-consuming parts of a FedRAMP authorization. Infracast eliminates manual narrative writing by generating implementation statements for each control family using real infrastructure data — then packaging everything into a ready-to-submit compliance bundle.

What Gets Generated

System Security Plan Document

  • Cover page and metadata — System name, system owner, ISSO, authorization boundary
  • System description — Auto-populated from discovered assets and topology
  • 18 NIST 800-53 Control Families — Per-control implementation narratives based on your actual configuration
  • Control origination — Inherited, system-specific, hybrid (mapped from cloud provider shared responsibility)
  • Information types and categorization — FIPS 199 impact levels

Per-Control Implementation Narratives

Infracast generates implementation statements for all 18 NIST 800-53 control families:

| Family | Code | Examples |
|---|---|---|
| Access Control | AC | IAM policies, role assignments, least privilege posture |
| Audit & Accountability | AU | CloudTrail, log retention, monitoring |
| Configuration Management | CM | Baseline configs, drift detection, change control |
| Identification & Authentication | IA | MFA enforcement, password policy, service accounts |
| Incident Response | IR | Alert integrations, SIEM connectivity |
| Risk Assessment | RA | Vulnerability scanning, threat intel correlation |
| System & Communications Protection | SC | Encryption in transit/at rest, network segmentation, DNS security |
| System & Information Integrity | SI | Patch status, malware protection, vulnerability remediation |

(and 10 more families)

Narratives reference specific assets, configurations, and evidence artifacts found during discovery — not generic boilerplate.

Compliance Package Export (ZIP)

The exported ZIP contains:

  • SSP.docx — Full System Security Plan
  • asset-inventory.xlsx — Complete node inventory with asset types, IPs, and owner tags
  • POA&M.xlsx — Open findings with remediation milestones
  • architecture-diagrams/ — System boundary, network zone, and data flow SVG/PNG diagrams
  • evidence-bundle/ — Ed25519-signed evidence artifacts for each control

Generating an SSP

  1. Navigate to Compliance → SSP Generator
  2. Select your authorization baseline (FedRAMP Low / Moderate / High or NIST 800-171)
  3. Review pre-populated system metadata (edit any fields as needed)
  4. Click Generate SSP
  5. Download the compliance package ZIP when complete (typically 2–5 minutes)

Via API

# Trigger SSP generation
POST /api/v1/ssp/generate
Authorization: Bearer <token>
Content-Type: application/json

{
  "baseline": "fedramp-moderate",
  "system_name": "My Cloud System",
  "system_owner": "Jane Smith",
  "isso": "John Doe"
}

# Response:
{
  "job_id": "ssp-abc123",
  "status": "pending",
  "estimated_seconds": 120
}

# Poll for completion
GET /api/v1/ssp/jobs/ssp-abc123

# Download package
GET /api/v1/ssp/jobs/ssp-abc123/download
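The trigger / poll / download flow above as a small client, with a sanity check that the downloaded ZIP actually contains the top-level files the package section lists. This is an added example, not Infracast's own client or SDK; it assumes an injected `http(method, path, json)` transport, that jobs end in a `"completed"` or `"failed"` status (the page only shows `"pending"`), and it includes a constructed in-memory stand-in for the service so it runs offline.

```python
import io, time, zipfile

BASE = "/api/v1/ssp"
EXPECTED = {"SSP.docx", "asset-inventory.xlsx", "POA&M.xlsx"}  # top-level files listed on the page

def _call(http, method, path, json=None):
    # `http(method, path, json) -> (status_code, body)` is an injected transport (assumption),
    # so the same flow runs against a real HTTP session or the FakeInfracast below.
    code, body = http(method, path, json)
    if not 200 <= code < 300:
        raise RuntimeError(f"{method} {path}: HTTP {code}")
    return body

def generate_ssp(http, baseline, system_name, system_owner, isso,
                 poll_interval=0.0, timeout=600):
    """Trigger generation, poll the job until it finishes, return the package bytes."""
    job = _call(http, "POST", f"{BASE}/generate", {
        "baseline": baseline, "system_name": system_name,
        "system_owner": system_owner, "isso": isso})
    job_id = job["job_id"]
    deadline = time.monotonic() + timeout
    while True:
        job = _call(http, "GET", f"{BASE}/jobs/{job_id}")
        if job["status"] == "completed":   # terminal values are assumed; page shows only "pending"
            break
        if job["status"] == "failed":
            raise RuntimeError(f"job {job_id} failed")
        if time.monotonic() > deadline:
            raise TimeoutError(f"job {job_id} still {job['status']} after {timeout}s")
        time.sleep(poll_interval)
    return _call(http, "GET", f"{BASE}/jobs/{job_id}/download")

def missing_members(package):
    """Names from EXPECTED absent from the downloaded ZIP (empty set means all present)."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return EXPECTED - set(zf.namelist())

class FakeInfracast:
    """Constructed in-memory stand-in for the API: 'pending' on the first poll, then 'completed'."""
    def __init__(self):
        self.polls = 0
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name in sorted(EXPECTED | {"evidence-bundle/AC-2.json"}):
                zf.writestr(name, b"constructed placeholder content")
        self.package = buf.getvalue()
    def __call__(self, method, path, json=None):
        if (method, path) == ("POST", f"{BASE}/generate"):
            return 202, {"job_id": "ssp-abc123", "status": "pending", "estimated_seconds": 120}
        if path == f"{BASE}/jobs/ssp-abc123":
            self.polls += 1
            return 200, {"job_id": "ssp-abc123", "status": "pending" if self.polls < 2 else "completed"}
        if path == f"{BASE}/jobs/ssp-abc123/download":
            return 200, self.package
        return 404, {}
```

Against a live deployment, pass a transport that wraps an authenticated session and sends the `Authorization: Bearer <token>` header shown above; a non-empty result from `missing_members` means the package should not be forwarded to reviewers as-is.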

Supported Baselines

| Baseline | Controls | Use Case |
|---|---|---|
| FedRAMP Low | 125 controls | Low-impact cloud systems |
| FedRAMP Moderate | 325 controls | Most federal cloud systems |
| FedRAMP High | 421 controls | High-impact / sensitive data |
| NIST 800-171 | 110 practices | CUI / CMMC compliance |

Compliance Mapping

The SSP Generator is particularly relevant for:

| Framework | Benefit |
|---|---|
| FedRAMP | ATO package accelerator — SSP is a core authorization artifact |
| CMMC | NIST 800-171 practice implementation statements |
| DISA RMF | System description and control implementation docs |
| NIST 800-53 | Per-control implementation evidence |

Tips for Better SSPs

  • Run a full discovery first — The more assets Infracast knows about, the richer the narratives
  • Resolve critical findings — Open findings appear in the POA&M section; fewer findings = stronger SSP
  • Tag your assets — Owner, environment, and data classification tags improve the asset inventory output
  • Review narratives before submitting — AI-generated text is a starting point; review with your ISSO before submission to a 3PAO