The SSP should start being developed as soon as possible in the lifecycle, preferably along with the ICD, to get help define the security requirements of the system at the earliest point possible and updated at every milestone along the way.
Open full Question Details
FedRAMP has a great page that lists a ton of useful information and templates (https://www.fedramp.gov/developing-a-system-security-plan/).
NIST SP 800-18 Rev 1 provides additional guidance.
Also, DoDI 8510.01 says the Security Plan should be initiated in Step 1, Categorize, of the RMF process and updated at each Step. The "DoD Program Manager's Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle" is also a good reference as well as the RMF Knowledge Service website, https://rmfks.osd.mil.