System Security Plan
The SSP is the single most important document in your CMMC assessment. The assessor reads it before they arrive. They use it as their roadmap throughout the assessment. They compare everything they see against what it claims. If the SSP is missing, the assessment cannot proceed. If it’s wrong, every discrepancy becomes a question — and questions become findings.
What the SSP Must Contain
Per 32 CFR § 170.24 and requirement CA.L2-3.12.4 (NIST SP 800-171 3.12.4: develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems), the SSP must include:
CMMC Assessment Scope description — a high-level description of the assets within scope. What’s in, what’s out, and why. This references your asset inventory and network diagram.
System boundary — the defined perimeter of your CUI environment. Where CUI enters, where it exits, and what controls exist at each boundary. This must match your network diagram.
System environment of operation — the infrastructure, operating systems, applications, and people that make up the environment. Not a generic “we use Windows and Office” — specific: “47 Windows 11 Enterprise workstations managed by Intune, 6 Windows Server 2022 servers, Palo Alto PA-820 firewall, Microsoft 365 GCC High tenant.”
Security requirement implementations — for each of the 110 requirements, a description of how your organization specifically implements it. This is the heart of the SSP and where most organizations fail. “We implement access control” is worthless. “User access is managed via Entra ID with security groups controlling CUI SharePoint access. Quarterly access reviews compare group membership against the current CUI-authorized personnel list. Offboarding disables accounts within 30 minutes via automated BambooHR-to-Entra workflow.” — that’s what the assessor needs.
Connections to other systems — every external connection documented: cloud services (M365, Azure, AWS), VPN connections, partner network links, ESP (External Service Provider) services such as an MSP or MSSP. For each connection: what data flows, what protections exist, who’s responsible for what.
Non-applicable requirements — any requirement scored N/A must be identified with justification approved by the designated authority. “3.13.5 — N/A because no public-facing systems exist within the assessment scope.”
Keeping It Current
Update within 30 days of any significant change. A new server deployed, a cloud service added, a boundary firewall rule changed, a policy updated, a person assigned to a new security role: the SSP must reflect the current state.
Review quarterly for accuracy. Walk through the SSP and verify claims against the actual environment. Do the IP addresses match? Are the system counts still right? Are the security group memberships current?
Review annually for completeness. Are there new requirements interpretations? Have your processes evolved? Is anything missing that should be documented?
Version control it. Track changes, maintain a revision log, and keep previous versions. The assessor may ask what changed since the last version.
Common Mistakes That Kill Assessments
Template SSP with generic text. The most common and most damaging mistake. A template SSP that says “the organization implements access control” without describing YOUR access controls gains you little over having none: it tells the assessor you treated compliance as a checkbox exercise, and every claim in it now has to be established from scratch through interviews and evidence. Every section must describe your environment, your tools, your processes, your people.
SSP doesn’t match reality. The SSP describes a VPN solution you replaced six months ago. The network diagram shows a firewall that’s been decommissioned. The employee count is wrong. Every discrepancy erodes trust. The assessor starts testing claims more aggressively.
Implementation descriptions are vague. “We use encryption” — what algorithm? What key length? FIPS-validated, and under which CMVP certificate? On which systems? Managed how? The assessor needs enough detail to know what to verify. If the SSP doesn’t tell them, they’ll ask — and the interruption slows the assessment and signals weak documentation.
No version control. The SSP was last updated “sometime last year.” No revision log, no change tracking, no evidence of periodic review. Without that evidence you cannot demonstrate the periodic update that CA.L2-3.12.4 requires, and the requirement is scored as not met.
Missing connections. The SSP doesn’t mention the AWS account, the Zoom subscription, or the third-party backup service. Every external connection must be documented. The assessor will discover undocumented connections — it’s just a question of whether it’s before or during the assessment.
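The quarterly accuracy review, the access-review claim in the sample implementation text, and the last three mistakes above (SSP out of step with reality, no change evidence, undocumented connections) all come down to the same mechanical task: take what the SSP claims and diff it against what the environment actually shows. The script below is an added example for this page, not code from any CMMC or NIST publication. It encodes the page's sample claims (47 Windows 11 Enterprise workstations, 6 Windows Server 2022 servers, a CUI SharePoint security group with an authorized-personnel list, a declared set of external connections) as a hypothetical SSP dictionary, and reconciles it against constructed stand-ins for the exports you would pull from Intune (managed devices), Entra ID (group members, account state) and the enterprise-application list. Every name, count and hostname in it is made up for illustration; in a real GCC High tenant the snapshot would come from Microsoft Graph or Intune exports instead of inline data.

```python
"""SSP drift check: reconcile SSP claims against an environment snapshot.

Added example, not part of the original page or any CMMC guidance.
All SSP claims and environment data below are constructed for illustration;
in practice the environment side comes from Intune / Entra ID / Graph exports.
"""
from collections import Counter

# --- What the SSP claims (hypothetical, mirrors the page's sample text) ---
SSP = {
    "workstations": {"os": "Windows 11 Enterprise", "count": 47},
    "servers": {"os": "Windows Server 2022", "count": 6},
    "cui_group": "SG-CUI-SharePoint",           # Entra security group gating CUI SharePoint
    "cui_authorized": {"alice", "bob", "carol"},  # the CUI-authorized personnel list
    "external_connections": {"Microsoft 365 GCC High", "Azure Government"},
}

# --- Constructed environment snapshot (stand-in for real exports) ---
# 46 Windows 11 workstations, one stray Windows 10 box, and a 7th server
# that was deployed after the SSP was last updated.
DEVICES = (
    [{"name": f"WS-{i:03d}", "os": "Windows 11 Enterprise"} for i in range(46)]
    + [{"name": "WS-046", "os": "Windows 10 Enterprise"}]
    + [{"name": f"SRV-{i:02d}", "os": "Windows Server 2022"} for i in range(7)]
)
GROUP_MEMBERS = {"SG-CUI-SharePoint": {"alice", "bob", "dave"}}
ACCOUNTS = {"alice": True, "bob": True, "carol": True, "dave": True, "erin": True}
OFFBOARDED = {"erin"}  # HR says erin left; the account above is still enabled
APPS = {"Microsoft 365 GCC High", "Azure Government", "Zoom", "Veeam Cloud Backup"}


def check_counts(ssp, devices):
    """Compare SSP device counts per OS against the managed-device inventory."""
    findings = []
    by_os = Counter(d["os"] for d in devices)
    declared = set()
    for kind in ("workstations", "servers"):
        claim = ssp[kind]
        declared.add(claim["os"])
        actual = by_os[claim["os"]]          # Counter returns 0 for unseen keys
        if actual != claim["count"]:
            findings.append(
                f"{kind}: SSP claims {claim['count']} x {claim['os']}, "
                f"inventory shows {actual}")
    # Anything in inventory the SSP never mentions is undocumented scope.
    for os_name, n in sorted(by_os.items()):
        if os_name not in declared:
            findings.append(f"undocumented OS in inventory: {n} x {os_name}")
    return findings


def check_access(ssp, group_members, accounts, offboarded):
    """The quarterly access review: group membership vs. the authorized list,
    plus a check that offboarded users are actually disabled."""
    findings = []
    members = group_members.get(ssp["cui_group"], set())
    for u in sorted(members - ssp["cui_authorized"]):
        findings.append(f"{u} is in {ssp['cui_group']} but not on the CUI-authorized list")
    for u in sorted(ssp["cui_authorized"] - members):
        findings.append(f"{u} is CUI-authorized but missing from {ssp['cui_group']}")
    for u in sorted(offboarded):
        if accounts.get(u):
            findings.append(f"{u} is offboarded but the account is still enabled")
    return findings


def check_connections(ssp, apps):
    """Every external service the tenant talks to must appear in the SSP."""
    return [f"external connection not in SSP: {a}"
            for a in sorted(apps - ssp["external_connections"])]


def run_all(ssp=SSP, devices=DEVICES, group_members=GROUP_MEMBERS,
            accounts=ACCOUNTS, offboarded=OFFBOARDED, apps=APPS):
    """Return every discrepancy; an empty list means the SSP matches reality."""
    return (check_counts(ssp, devices)
            + check_access(ssp, group_members, accounts, offboarded)
            + check_connections(ssp, apps))


if __name__ == "__main__":
    for finding in run_all():
        print("DRIFT:", finding)
```

Run it each quarter (or from a scheduled job) and file the output with the SSP revision log: a clean run is evidence of the periodic review, and each finding is either an SSP update or a remediation ticket. On the constructed data it reports eight discrepancies: two count mismatches and one undocumented OS, one unauthorized group member, one authorized user missing from the group, one offboarded account still enabled, and two undocumented external services.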