What is a System Security Plan (SSP) and what Annex F requirements does it fulfill?

The main idea here is what an SSP is and how Annex F uses it. An SSP is the formal document that defines the system, the security controls in place, who is responsible for those controls, and how the system’s security is assessed and tracked. This aligns with Annex F because it requires clear documentation of the system, the controls and responsibilities, and the results of its assessments, providing a record that demonstrates accountability and ongoing security oversight. The other options describe different artifacts: a log of access attempts is a monitoring record, a disaster recovery plan focuses on continuity and backups, and a hardware inventory lists devices. None of those serve as the comprehensive plan that captures boundaries, controls, responsibilities, and assessment results that Annex F expects.