
Building Your System Security Plan (SSP) from Scratch

The System Security Plan (SSP) is the foundational document for CMMC Level 2 compliance. It describes your information system, your security environment, and how you implement each of the 110 NIST SP 800-171 Rev 2 security requirements. A well-written SSP is not just a compliance artifact — it is a living reference document that your IT team, management, and assessors will all rely on.

Step 1: Define Your CUI Boundary

Before you write a single word, you need to know where Controlled Unclassified Information lives in your environment. Map the data flow: where does CUI enter your network, where is it stored, where is it processed, and how does it leave? The systems, networks, and people involved in this flow define your assessment scope. Everything outside the boundary is out of scope, which is why careful scoping saves money and complexity.

Step 2: Document Your System Description

The front section of your SSP should describe your information system in plain language. Include your network architecture (reference a diagram), the hardware and software inventory, your physical locations, the types of CUI you handle, and the roles and responsibilities of personnel who interact with CUI. An assessor reading this section should understand your environment before looking at a single control.

Step 3: Address Each Security Requirement

For each of the 110 requirements in NIST 800-171 Rev 2, your SSP needs three things: a description of how you implement the requirement, identification of the specific tools or processes involved, and a reference to the evidence that demonstrates implementation. Do not copy generic language from templates — describe what your organization actually does.

For example, for AC.L2-3.1.1 (limit system access to authorized users), do not write "we limit access to authorized users." Instead, describe your specific access control process: "New user accounts are requested through our ticketing system by the employee's manager, approved by the IT Director, and provisioned in Active Directory with role-based group assignments. Access reviews are conducted quarterly using an exported AD report reviewed by department heads."
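The "exported AD report" in that write-up is the evidence an assessor will ask to see, so it helps to have a repeatable way to produce it. The following PowerShell is an added example, not code from the CMMCDocs post or product: it exports every enabled account with its department, manager, group memberships and last logon for the quarterly review, and separately lists accounts that have not logged on in 90 days. It assumes the ActiveDirectory RSAT module is installed and that it runs under an account with read access to the domain; the output file names and the 90-day threshold are constructed choices, not values from the post.

```powershell
# Added example (not from the original post): generate the quarterly
# access review evidence described under AC.L2-3.1.1.
# Assumes the ActiveDirectory module (RSAT) is available and the caller
# can read user objects in the domain.
Import-Module ActiveDirectory

$ReviewDate   = Get-Date -Format 'yyyy-MM-dd'
$ReportFile   = "AccessReview-$ReviewDate.csv"    # hypothetical output path
$StaleFile    = "StaleAccounts-$ReviewDate.csv"   # hypothetical output path
$StaleCutoff  = (Get-Date).AddDays(-90)           # constructed threshold

# One row per enabled account. Group DNs are reduced to the group CN so
# department heads can read the list without knowing LDAP syntax.
$Accounts = Get-ADUser -Filter 'Enabled -eq $true' `
        -Properties MemberOf, LastLogonDate, Department, Manager |
    ForEach-Object {
        $managerSam = ''
        if ($_.Manager) {
            # Manager is stored as a DN; resolve it to the manager's logon name.
            $managerSam = (Get-ADUser -Identity $_.Manager).SamAccountName
        }
        $groups = $_.MemberOf | ForEach-Object {
            ($_ -split ',')[0] -replace '^CN=', ''
        }
        [PSCustomObject]@{
            SamAccountName = $_.SamAccountName
            Name           = $_.Name
            Department     = $_.Department
            Manager        = $managerSam
            LastLogonDate  = $_.LastLogonDate
            Groups         = ($groups | Sort-Object) -join ';'
        }
    } |
    Sort-Object Department, SamAccountName

$Accounts | Export-Csv -Path $ReportFile -NoTypeInformation

# Accounts with no recent logon are the first thing a reviewer (and an
# assessor) will ask about: they should be disabled or justified in the review.
$Stale = $Accounts | Where-Object {
    -not $_.LastLogonDate -or $_.LastLogonDate -lt $StaleCutoff
}
$Stale | Export-Csv -Path $StaleFile -NoTypeInformation

Write-Host ("Exported {0} enabled accounts to {1}; {2} flagged as stale in {3}" -f `
    $Accounts.Count, $ReportFile, $Stale.Count, $StaleFile)
```

Keep the exported CSV, the reviewer sign-off, and the resulting disable or change tickets together; that bundle is the evidence reference the SSP entry for AC.L2-3.1.1 should point to, and it also feeds the periodic account review expected under the related identification and authentication requirements.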

Step 4: Identify Gaps Honestly

You will have gaps. Every organization does. For requirements you have not fully implemented, document them as POA&M items with a clear remediation plan, responsible party, and target completion date. A C3PAO expects to see honest gap identification — trying to claim 110/110 compliance when you clearly have gaps will damage your credibility.

Step 5: Keep It Living

An SSP that was accurate six months ago and never updated is a liability. Assign an owner, establish a review cadence (quarterly at minimum), and update it whenever your environment changes. When you add a new system, change a process, or hire a new administrator, the SSP should reflect it.

Tags: SSP, NIST 800-171, Documentation, Assessment
