What Should Be in Your System Security Plan (SSP) for CMMC Level 2?

Executive Brief

Your System Security Plan (SSP) is not just documentation. It is the foundation of your Cybersecurity Maturity Model Certification (CMMC) Level 2 compliance.

If you handle Controlled Unclassified Information (CUI), your SSP must clearly describe how your environment meets all 110 National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 requirements.

Assessors rely heavily on your SSP. If it is incomplete, inconsistent, or disconnected from reality, your certification is at risk.

A strong SSP does three things well:

• Defines your system boundaries and scope
• Maps controls and objectives to real implementation
• Aligns documentation with evidence

Dig deeper below to learn more.

What Is an SSP?

An SSP is a formal document that outlines how your organization implements and manages security controls.

At CMMC Level 2, it must:

• Cover all systems that process, store, or transmit CUI
• Align directly to NIST SP 800-171 rev2
• Reflect your current, not future, state

It also serves as the backbone for other compliance artifacts.

• Your Supplier Performance Risk System (SPRS) score depends on it
• Your Plans of Action and Milestones (POA&Ms) reference it
• Your assessors validate against it

If your SSP is wrong, everything downstream is affected.

Define Your Scope First

Before writing anything, you need to define what is in scope.

This includes:

• CUI assets (where sensitive data lives)
• Security protection assets (tools like firewalls, endpoint protection)
• Contractor Risk Managed Assets (CRMAs)
• Shared responsibility matrices with external service providers and cloud service providers

Why it matters:

• Scope determines what controls apply
• Over-scoping increases cost and complexity
• Under-scoping creates audit risk
• Understanding what and who is in scope helps minimize surprises during your assessment

Many contractors are now segmenting environments to reduce scope and audit burden.

Core Components of a Strong SSP

Your SSP should be structured, detailed, and mapped directly to each control family.

System Description

Start with a clear picture of your environment:

• Network architecture and data flows
• Hardware and software inventory
• Boundaries of the CUI environment

If an assessor cannot understand your environment, they cannot validate it.

Control Implementation (The Core of the SSP)

This is where most SSPs fall short.

For each of the 110 controls, you must:

• Describe how the control is implemented
• Identify responsible roles
• Reference supporting tools or processes

But here’s where many organizations miss the mark:

Each control is made up of one or more assessment objectives. In total, that’s 320 assessment objectives that assessors validate during a CMMC Level 2 review.

Your SSP should be written to that level of detail.

That means:

• Breaking down implementation beyond the control title
• Addressing how each objective is satisfied in practice
• Ensuring evidence can be mapped directly to those objectives

Avoid generic language.

• Bad: “We use MFA.”
• Better: “We enforce multi-factor authentication through Azure AD for all privileged and remote access.”

Specificity is what assessors look for. They are not evaluating intent, they are validating implementation at the objective level.

If your SSP stays too high-level, assessors are forced to interpret how controls are met. That creates risk.

Clear, detailed descriptions allow an assessor to trace each control and objective to a system, a configuration, and supporting evidence without ambiguity.

If your SSP cannot map cleanly to the 320 assessment objectives, you are not ready for assessment.

Policies and Procedures

Your SSP should align with, and point to, your documented policies.

Include:

• Access control policies
• Incident response procedures
• Configuration management standards

Key point:

• Policies must match what is actually happening
• Mismatches are a common audit finding

Evidence Mapping

Your SSP should point to real artifacts.

Examples:

• Screenshots of configurations
• Log samples
• Training records
• System settings

Think of your SSP as the map and your evidence as the proof.

Plans of Action and Milestones (POA&Ms)

Not everything has to be perfect, but gaps must be documented correctly.

Your SSP should:

• Identify unmet controls
• Reference associated POA&Ms
• Track remediation status

Important:

• POA&Ms are limited under CMMC Level 2 rules
• You still need a clear path to full implementation

Common SSP Mistakes to Avoid

We see the same issues repeatedly:

• Copying templates without customization
• Describing future-state controls as implemented
• Misaligned policies and actual practices
• Missing system boundaries or unclear scope
• No linkage between SSP and evidence

Your SSP must reflect reality, not intention.

It should document what is fully implemented and operating today, not what is planned, in progress, or partially configured. If a control is not consistently enforced across your environment, it is not “met.” Assessors will validate your SSP against live systems, configurations, and evidence. Any gap between what is written and what exists will be flagged.

How Detailed Should Your SSP Be?

Short answer: more detailed than you think.

Your SSP should allow an assessor to:

• Understand your environment without guesswork
• Trace each control to implementation and evidence
• Validate that controls are consistently applied

If they have to interpret or assume, you are exposed. Ambiguity creates risk. When details are missing or unclear, assessors will default to what can be proven, not what was intended. That often results in controls being marked as not met.

Why Your SSP Matters More Than Ever

With CMMC enforcement accelerating, documentation is under scrutiny. As requirements begin appearing in more contracts, assessors and prime contractors are taking a closer look at how organizations document their security posture.

Your SSP, policies, and evidence are no longer internal references, they are assessment artifacts that must stand up to external validation.

Contractors are:

• Developing or updating SSPs alongside remediation efforts
• Using structured tools to track control implementation
• Aligning SSPs closely with assessment expectations

A strong SSP does more than support certification.

It helps you:

• Improve your SPRS score
• Reduce audit friction
• Build long-term security maturity

FAQs

What is the purpose of a System Security Plan in CMMC Level 2?

The SSP documents how your organization implements the 110 NIST SP 800-171 controls and defines the scope of your CUI environment. It serves as the primary artifact assessors use to evaluate your compliance and validate your SPRS score.

Can I use a template for my SSP?

Yes, but only as a starting point. Templates must be fully customized to reflect your actual systems, tools, and processes. Generic or copied content is one of the most common reasons organizations fail assessments.

Does my SSP need to be complete before a C3PAO assessment?

Yes. Your SSP must represent your current implemented state at the time of assessment. Any gaps should be documented in POA&Ms, but the SSP itself cannot be incomplete or hypothetical. Without an SSP in place, you will not be able to undergo an official Level 2 third-party assessment or pass a Level 2 self-assessment.

Helpful ISI Links

• Do You Really Need a GRC Platform for CMMC?
• Why AI Fails Without Organizational Change Management
• CMMC POA&Ms Explained: What You Can and Cannot Defer
• Steal Our CMMC Level 2 Readiness Strategy