System Security Plan — Self-Assessment

System Security Plan (SSP)

Internal gap analysis mapping all 110 NIST SP 800-171 Rev 2 controls to OCSI's current implementation status, describing system boundaries, data flows, and CUI handling procedures.

Document ID: OCSI-SSP-2026-001
Version: 1.1 (Honest Revision)
Classification: CUI
Date: April 3, 2026
Owner: Sandra O. Floyd, President & CEO
Prepared By: OCSI Internal (AI-Assisted) — Not externally validated
SELF-ASSESSMENT — NOT C3PAO CERTIFIED

This SSP represents an internal self-assessment. Control statuses reflect verified code implementations, not aspirational claims. 80 of 110 controls are currently not implemented or lack verifiable evidence. See POA&M for 13 open remediation items.

1. System Information

1.1 System Name

OCSI Staffing Operations Platform — Web Application & Command Center

1.2 Organization

OUTSOURCE Consulting Services, Inc. (OCSI)
7901 Oakport Street, North Building, Suite 3800, Oakland, CA 94621
Phone: 1.888.252.OCSI (6274) | Email: sales@ocsi.co

1.3 System Description

The OCSI Staffing Operations Platform is a web-based system consisting of: (a) a public-facing corporate website with information about staffing services, government contracting capabilities, and diversity certifications; (b) a Command Center administrative dashboard for managing candidates, job orders, clients, and placements; and (c) supporting security protocol documentation. The system processes, stores, and transmits information related to government staffing contracts, candidate records, and client data that may include Controlled Unclassified Information (CUI).

1.4 System Boundary

  • Web Server: GoDaddy shared hosting at ocsi.co (107.180.114.184)
  • Client-Side Storage: Browser localStorage and sessionStorage for Command Center data
  • External Services: Google Fonts, FontAwesome CDN (style resources only — no data transmission)
  • FTP Deployment: Secure FTP to production server

1.5 Information Types

  • Federal Contract Information (FCI): Contract details, job orders for federal agencies
  • CUI — Personnel Data: Candidate PII (names, emails, phone numbers, clearance levels)
  • CUI — Business Confidential: Client account details, placement records, pricing

2. Security Control Implementation Summary

ID   | Family                                  | Controls | Implemented | Status
-----|-----------------------------------------|----------|-------------|----------------------------------------------
3.1  | Access Control (AC)                     | 22       | 10          | Partial — client-side auth, no RBAC
3.2  | Awareness & Training (AT)               | 3        | 0           | Not Implemented
3.3  | Audit & Accountability (AU)             | 9        | 2           | Partial — localStorage only, no SIEM
3.4  | Configuration Management (CM)           | 9        | 0           | Not Implemented
3.5  | Identification & Authentication (IA)    | 11       | 3           | Partial — no MFA, password in source
3.6  | Incident Response (IR)                  | 3        | 0           | Partial — plan exists, not tested
3.7  | Maintenance (MA)                        | 6        | 0           | Organizational — no evidence
3.8  | Media Protection (MP)                   | 9        | 0           | Organizational — no evidence
3.9  | Personnel Security (PS)                 | 2        | 0           | Organizational — no evidence
3.10 | Physical Protection (PE)                | 6        | 0           | Organizational — no evidence
3.11 | Risk Assessment (RA)                    | 3        | 1           | Partial — doc exists, no scanning
3.12 | Security Assessment (CA)                | 4        | 0           | Not Implemented — no C3PAO
3.13 | System & Comms Protection (SC)          | 16       | 3           | Partial — HTTPS/CSP, no encryption at rest
3.14 | System & Info Integrity (SI)            | 7        | 0           | Partial — input sanitization only
TOTAL|                                         | 110      | 16 verified + 14 partial | Significant Gaps — 80 controls need action
3. Roles & Responsibilities

Role                   | Name                   | Responsibilities
-----------------------|------------------------|-------------------------------------------------------------------------------
System Owner           | Sandra O. Floyd        | Overall accountability for system security; approval authority for SSP
Security Officer       | Kit E. Floyd, Jr.      | Day-to-day security operations; incident response lead; POA&M management
Business Development   | Byron Bush             | Federal contract compliance; CUI scope identification; client-facing security documentation
Cybersecurity Assessor | TBD — Not yet engaged  | Third-party assessment, vulnerability scanning, penetration testing (external MSSP or equivalent — engagement pending)
4. Continuous Monitoring Strategy (Planned)

Status: No external cybersecurity partner is currently engaged. The monitoring activities below are targets, not current capabilities. Current monitoring is limited to client-side audit logging in the Command Center.

Planned monitoring program (requires MSSP engagement):

  • Quarterly: Security control assessments and vulnerability scanning — not yet initiated
  • Semi-Annual: Penetration testing and SSP review — not yet initiated
  • Annual: Full NIST 800-171 self-assessment and SPRS score update — first assessment pending
  • Ongoing: Client-side audit log review (localStorage only — see POA&M for limitations)
  • As Needed: Incident response and POA&M remediation

C3PAO Assessment: A formal CMMC Level 2 C3PAO assessment has not been scheduled. This SSP is prepared as a gap analysis to support future assessment readiness. Significant remediation (see 13 open POA&M items) is required before assessment.