Are System Security Plans and Plans of Action and Milestones CUI?

The short answer to this question is "almost always, no". 

To qualify as Controlled Unclassified Information ("CUI"), information must be created or possessed in performance of a government contract.  In almost all cases, System Security Plans ("SSPs") and Plans of Action and Milestones ("POA&Ms") are not created or possessed in performance of a government contract; they are created for the company's internal business purposes.  This means that, by definition, SSPs and POA&Ms cannot be CUI.

That does not mean, however, that SSPs and POA&Ms aren't sensitive information.  They absolutely are, and should be properly protected.  That is why we carefully protect the SSPs, POA&Ms, and all other information in the FutureFeed platform.  All of the processing and storage of their information occurs in the AWS GovCloud. We have third-parties perform penetration tests against our platform. We run static and dynamic analyses of our code.  More details are on our Security page.  We're also on a path toward CMMC Level 2 certification once the certifications are available to service providers.

We value the trust our Partners and Clients place in the FutureFeed platform, and look forward to continuing to supporting them in their cybersecurity journey.