Understand what a CMMC SSP is and why it serves as the foundation of your CMMC Level 2 compliance program.
Jason Puleri, CISSP, CMMC CCA
A CMMC System Security Plan (SSP) is a formal document that describes the security requirements for an organization's information system and details the controls in place or planned to meet those requirements. For defense contractors pursuing CMMC Level 2 certification, the CMMC SSP is not just a compliance checkbox. It is the primary document C3PAO assessors use to evaluate whether your organization has properly implemented all 110 CMMC practices and 320 assessment objectives. Without a complete and accurate CMMC SSP, an assessment cannot proceed successfully.
An important part of the requirements for companies in the Defense Industrial Base (DIB) seeking Cybersecurity Maturity Model Certification (CMMC) is writing an effective CMMC System Security Plan. Federal Information Processing Standards (FIPS) 200 and numerous National Institute of Standards and Technology (NIST) Special Publications (SPs) define the System Security Plan as a "Formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements."
The concept of an SSP is not new to CMMC. The SSP requirement for CMMC is rooted, in part, in NIST SP 800-18 Rev. 1, Guide for Developing Security Plans for Federal Information Systems. That document was written in 2006 for federal information systems, as its name implies, so its major emphasis is meeting the minimum security requirements of FIPS 200 by implementing NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. CMMC, however, was designed to support non-federal companies performing federal work, and the system boundary guidance in 800-18 was not written for commercial or non-federal systems.
While numerous publications exist that can guide you in writing an SSP, no previous guidance was written specifically to satisfy the requirements of CMMC, including the NIST 800-171 SSP template. The NIST 800-171 SSP template is a useful starting point, but on its own it is insufficient for achieving CMMC compliance and certification.
DFARS clause 252.204-7019 and the CMMC Final Rule, effective December 2024, both require DIB contractors to conduct and document an annual NIST SP 800-171 self-assessment and upload the results to the Department of Defense's Supplier Performance Risk System (SPRS). As part of this requirement, contractors must develop a CMMC System Security Plan detailing the policies and procedures their organization has implemented. This is why many Organizations Seeking Certification (OSCs) have used the NIST 800-171 SSP template to complete an SSP as part of meeting compliance requirements. The temptation then exists to simply recycle that document, or SSPs written for other frameworks used within the organization such as the Payment Card Industry Data Security Standard (PCI DSS) or System and Organization Controls (SOC), for the purpose of CMMC compliance.
The CMMC Level 2 Assessment Guide states: “Prior to conducting a CMMC assessment, the contractor must specify the CMMC Assessment Scope. The CMMC Assessment Scope informs which assets within the contractor’s environment will be assessed and the details of the assessment. To specify the CMMC Assessment Scope, contractors will map their assets into one of the following five categories: CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets.” Additionally, these assets (except for Out-of-Scope Assets) must be documented in the asset inventory and the SSP.
The CMMC Final Rule states that the SSP will outline the roles and responsibilities of security personnel to ensure that CUI is appropriately protected. The only roles identified in the SSP template are the Information Owner, System Owner, and System Security Officer. Simply following the SSP template may lead to shortcomings in this area since most organizations will need to list numerous additional or even a different set of personnel filling those roles according to the way security responsibilities are assigned and accomplished.
The SSP template does not call for one, but those undergoing a CMMC assessment will need to provide an information flow diagram showing the flow and boundaries of CUI within their networks. As part of the CMMC Assessment Process (CAP), the lead assessor will validate the CMMC Assessment Scope, which is initially determined by the OSC and then confirmed by the C3PAO. A proper information flow diagram is not only essential for meeting this requirement but is crucial for properly scoping the CUI boundary. A network diagram or topology alone is not enough to determine the proper assessment scope for a CMMC SSP. Getting it wrong can tank your assessment before it even starts. Additionally, several CMMC practices require the proper understanding, safeguarding, and documentation of the CUI information flow for compliance.
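The scoping logic described above, as an added Python example that is not part of the original article and is not a Coalfire Federal tool: it takes an asset inventory tagged with the five CMMC asset categories from the Assessment Guide plus a CUI information-flow list (the content an information flow diagram carries that a network topology does not), derives the set of assets that store, process or transmit CUI, and reports the scoping inconsistencies an assessor would catch. The asset names, the flows, and the rule that an asset is inside the CUI boundary when it stores, processes, or is an endpoint of a CUI transmission are constructed assumptions for illustration; the only categorization rules enforced are the two the article states, that Out-of-Scope Assets must not handle CUI and that every other asset must be documented in the SSP and inventory.

```python
"""CUI boundary scoping check (added example; constructed data, not the article's).

An asset is inside the CUI boundary when it stores or processes CUI, or when
it is the source or destination of a documented CUI flow (transmission).
Findings reflect only the rules stated in the article: Out-of-Scope Assets
cannot handle CUI, and every asset in the other four categories must be
documented in the asset inventory and SSP.
"""
from dataclasses import dataclass

# The five CMMC asset categories named in the Level 2 Assessment Guide.
CATEGORIES = {
    "CUI Asset",
    "Security Protection Asset",
    "Contractor Risk Managed Asset",
    "Specialized Asset",
    "Out-of-Scope Asset",
}
OUT_OF_SCOPE = "Out-of-Scope Asset"


@dataclass(frozen=True)
class Asset:
    name: str
    category: str
    stores_cui: bool = False      # CUI at rest on this asset
    processes_cui: bool = False   # CUI handled in memory / by applications
    in_ssp: bool = False          # documented in the SSP and asset inventory


def cui_boundary(assets, flows):
    """Return the names of all assets that store, process, or transmit CUI."""
    boundary = {a.name for a in assets if a.stores_cui or a.processes_cui}
    for src, dst in flows:          # a flow edge means CUI is transmitted src -> dst
        boundary.update((src, dst))
    return boundary


def scoping_findings(assets, flows):
    """Compare the declared inventory against the derived CUI boundary."""
    by_name = {a.name: a for a in assets}
    boundary = cui_boundary(assets, flows)
    findings = []

    for a in assets:
        if a.category not in CATEGORIES:
            findings.append(f"{a.name}: unknown asset category '{a.category}'")
        if a.name in boundary and a.category == OUT_OF_SCOPE:
            findings.append(f"{a.name}: handles CUI but is categorized as {OUT_OF_SCOPE}")
        if a.category != OUT_OF_SCOPE and not a.in_ssp:
            findings.append(f"{a.name}: in scope ({a.category}) but not documented in the SSP")
        if a.category == "CUI Asset" and a.name not in boundary:
            # Declared a CUI Asset, but the flow diagram gives no reason why.
            findings.append(f"{a.name}: categorized as CUI Asset but no CUI flow, "
                            f"storage or processing is documented")

    # Flow endpoints that never made it into the inventory at all.
    for name in sorted(boundary - by_name.keys()):
        findings.append(f"{name}: appears in a CUI flow but is not in the asset inventory")

    return sorted(findings)


# Constructed sample inventory and CUI flows (illustrative only).
ASSETS = [
    Asset("file-server", "CUI Asset", stores_cui=True, in_ssp=True),
    Asset("engineer-ws-01", "CUI Asset", processes_cui=True, in_ssp=True),
    Asset("siem", "Security Protection Asset", in_ssp=True),
    Asset("hr-laptop", OUT_OF_SCOPE),                       # never touches CUI: fine
    Asset("print-server", OUT_OF_SCOPE),                    # receives CUI: misclassified
    Asset("cad-workstation", "Specialized Asset", processes_cui=True),  # missing from SSP
    Asset("backup-nas", "CUI Asset", in_ssp=True),          # no documented CUI handling
]
FLOWS = [
    ("engineer-ws-01", "file-server"),
    ("file-server", "print-server"),
    ("file-server", "offsite-vault"),   # endpoint absent from the inventory
]

if __name__ == "__main__":
    print("CUI boundary:", sorted(cui_boundary(ASSETS, FLOWS)))
    for finding in scoping_findings(ASSETS, FLOWS):
        print("FINDING:", finding)
```

The value of the check is in the inputs it demands: the flow list has to come from tracing where CUI actually enters, moves and rests, which is exactly the work a topology diagram skips. Each finding maps to a scoping defect the text warns about, and a clean run is only as good as the completeness of the flows recorded.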
A CMMC Level 2 assessment consists of 110 practices and 320 assessment objectives. From the Level 2 Assessment Guide, "Assessment objectives are provided for each practice and are based on existing criteria from NIST SP 800-171A. The criteria are authoritative and provide a basis for a CMMC Certified Assessor to conduct an assessment of a practice." The biggest problem with relying solely on the NIST 800-171 SSP template, even the "CUI version," is the absence of the assessment objectives.
For an assessor to verify and validate that the contractor has properly implemented the practices, they must also examine how the corresponding objectives are met. If this cannot be done, organizations being assessed will not achieve the desired outcomes. Although there is no requirement for the assessment objectives to be addressed in the CMMC SSP, they must be addressed somewhere. Documenting the practices and objectives in the SSP should be done at a high level, complemented by detailed references to a comprehensive set of policies and procedures. These policies should be further broken down by practice family to organize the material in a logical and effective manner. The goal is to present a compelling, easy-to-follow set of evidence rather than expecting an assessor to go on a treasure hunt to find answers. Thorough but concise, logically organized documentation is the key.
Coalfire Federal's certified CMMC advisors are all trained as assessors and accordingly, they know what good looks like when it comes to CMMC preparedness. Building a compliant CMMC SSP is one of the most critical and commonly underestimated steps in the certification process. Our team has guided organizations across the Defense Industrial Base through every phase of SSP development and CMMC compliance, and we know exactly what C3PAO assessors will be looking for.
Our advisors are prepared to conduct a comprehensive CUI boundary and gap analysis that benefits clients in numerous ways. A CUI boundary analysis will deliver important and often overlooked requirements that may be missing from your CMMC SSP. A properly scoped CUI boundary will provide an accurate and detailed list of CUI assets, making sure no stone is left unturned. Determining the flow of CUI through your organization will also ensure the correct technology, information, personnel, and facilities that handle and secure CUI are identified and documented.
Following the CUI boundary analysis, a gap analysis will walk your team through each of the 110 CMMC practices and 320 objectives, ensuring you not only have a comprehensive understanding of the requirements and where your organization's level of compliance stands, but are also provided a roadmap to compliance to achieve your certification goals.
Whether you are starting your CMMC SSP from scratch, revising an existing NIST 800-171 SSP template, or preparing for an upcoming C3PAO assessment, Coalfire Federal is your trusted compliance partner. Contact us to learn more about how we can support your CMMC compliance journey.
A System Security Plan (SSP) provides an overview of an organization’s security requirements and describes the controls in place or planned to meet them. For CMMC Level 2 compliance, the SSP documents how the organization protects Controlled Unclassified Information (CUI) across its environment, including assets, personnel, and data flows.
The NIST 800-171 SSP template was designed for federal information systems, not for commercial or non-federal environments under CMMC. It does not include CMMC-specific elements such as asset categorization, personnel roles, information flow diagrams, or assessment objectives required for a successful CMMC Level 2 assessment.
Common SSP gaps include missing asset categories that define the CMMC assessment scope, a lack of detailed security personnel roles, and the absence of an information flow diagram showing how CUI moves through the network. These missing elements can cause scoping errors that jeopardize certification readiness.
Each CMMC Level 2 practice is supported by specific assessment objectives that define how assessors verify implementation. While objectives are not required to appear in the SSP, they must be addressed elsewhere. A well-structured SSP should map high-level practices and link to detailed documentation that satisfies all objectives.
A CUI boundary analysis identifies all assets, systems, and personnel that handle Controlled Unclassified Information. This ensures that the SSP includes every in-scope asset and properly defines where CUI is stored, processed, or transmitted, a key requirement for CMMC Level 2 assessments.
Yes. Any organization seeking CMMC Level 2 certification is required to maintain a current and complete CMMC System Security Plan. The CMMC Final Rule and DFARS clause 252.204-7012 both require DIB contractors to develop an SSP as part of their annual NIST SP 800-171 self-assessment. Without a compliant SSP, your organization cannot successfully complete a C3PAO assessment.
Jason Puleri is an experienced Senior Security Analyst at Coalfire Federal. During the week you can find Jason providing NIST 800-171 and CMMC advisory and assessment services and responding to various customer support inquiries.