SSP
Also known as: System Security Plan
System Security Plan — the foundational document describing how an organization meets each NIST SP 800-171 security requirement. The first artifact a C3PAO will ask for.
A System Security Plan (SSP) is the foundational document for any CMMC Level 2 program. It describes the in-scope Information System (the people, processes, hardware, software, and facilities that handle CUI) and explains how the organization implements each of the 110 NIST SP 800-171 Rev 2 security requirements.
A defensible SSP includes: a description of the system boundary and authorization scope; an inventory of in-scope assets categorized as Information System (IS), Security Protection Asset (SPA), Contractor Risk Managed Asset (CRMA), or Out of Scope; a shared responsibility matrix for any external service providers; and a per-requirement narrative explaining what is implemented, by whom, and how it is verified.
The SSP is the first artifact a C3PAO will ask for during a Level 2 assessment. It must be current, accurate, and tied to real evidence — not boilerplate language copied from a template.