Which statement about a System Security Plan is true?


Multiple Choice

Which statement about a System Security Plan is true?

Explanation:
A System Security Plan (SSP) is the document that specifies what security is required for the system and how that security is implemented, including the security controls in place or planned, the people responsible for enforcing them, and the expected behavior of all individuals who access the system. This makes the SSP a comprehensive guide that ties together security requirements, technical and non-technical controls, and roles, so everyone knows what needs to be done to protect the system and how to operate it securely. It isn't just about hardware components; it covers how software, processes, policies, and people work together to meet the security requirements. It isn't optional for federal systems: it is a required artifact under FISMA. And it isn't a one-time, certificate-only document: it is maintained and updated throughout the system's lifecycle to reflect changes, assessments, and ongoing monitoring.

