If you've started looking into CMMC, one acronym shows up before all the others: SSP. Every consultant mentions it, every assessor asks for it, and the whole process seems to revolve around it. But almost nobody explains, in plain English, what an SSP actually is or why it matters so much.

Here's the short version: the System Security Plan is the master document of your entire CMMC effort. It's the thing a C3PAO assessor reads first, and it's the document that determines whether the rest of your evidence even makes sense. Get it right and everything else has a place to hang. Skip it and you literally cannot be assessed.

What Is a System Security Plan?

An SSP is a written document that does two things:

  1. Defines your system boundary — what's "in scope." Which computers, servers, cloud services, and people handle your Controlled Unclassified Information (CUI), and where that information lives, moves, and is stored.
  2. Describes how you meet each security control — for CMMC Level 2, that's all 110 controls from NIST SP 800-171. For each one, the SSP explains how it's implemented in your specific environment.

Think of it as the owner's manual for how your company protects defense information. It's not a policy ("we will use strong passwords"). It's a description of reality ("password policy is enforced through Microsoft Entra ID with a 14-character minimum, applied to all 12 user accounts").

ℹ️ This isn't new. The SSP requirement didn't arrive with CMMC. It's been mandatory under NIST SP 800-171 (requirement 3.12.4) and DFARS 252.204-7012 since 2017. CMMC just adds a third party who verifies the SSP is real and accurate instead of taking your word for it.

Do You Actually Need One?

If either of these is true, the answer is yes:

There's no way around it. An assessor cannot give you a score without an SSP, because the SSP is what defines what is being scored. No SSP means there's nothing to assess — the engagement stops before it starts.

A missing or inadequate SSP is one of the most common reasons small contractors fail or stall their CMMC assessment — not because the security is bad, but because nobody wrote down what they actually do.

Even if you only handle FCI and need Level 1 rather than Level 2, documenting your environment is still good practice — but the formal, control-by-control SSP is specifically a Level 2 requirement.

What Goes Into an SSP?

A complete CMMC SSP covers far more than a list of controls. At minimum, assessors expect to see:

System boundary: A diagram and description of everything in scope — endpoints, servers, cloud apps, network segments, and how CUI enters and leaves.

Data flow: Where CUI is received, processed, stored, and transmitted, and which systems touch it along the way.

Roles & responsibilities: Who is responsible for security, who has administrative access, and who maintains the plan.

Control implementation: For each of the 110 NIST SP 800-171 controls: how it's met, what tool or process enforces it, and whether it's fully implemented or on the POA&M.

Connected services & CSP/MSP: External providers (Microsoft 365 GCC High, your MSP, cloud backup) and how responsibility is shared with them.

The level of detail matters. "We do backups" is not an SSP entry. "Daily incremental backups to an encrypted, access-controlled repository, retained 90 days, tested quarterly" is.

⚠️ The boundary is where small contractors lose control. Draw your system boundary too wide and you've just signed up to secure your entire company. Draw it too narrow and you've left CUI outside the protected zone. Keep in mind that the boundary has to include the systems that protect CUI (your identity provider, MFA, logging, and backup tooling), not only the systems that store it. Defining a tight, accurate boundary is the single highest-leverage decision in the whole document.

SSP vs. POA&M: What's the Difference?

These two documents are always mentioned together, and people constantly mix them up. The distinction is simple:

SSP: "How is each control implemented right now?"

POA&M: "For the controls I haven't met yet, what's my plan and deadline to fix them?"

The SSP is the as-built picture. The POA&M is the punch list. You need both for a Level 2 assessment — and not every control is even allowed on a POA&M. (We cover the POA&M rules in a separate guide.)
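One practical way to keep the SSP/POA&M relationship honest is to hold the control implementation entries as structured data and derive the POA&M from them, rather than maintaining two documents by hand. The script below is an added example, not part of this guide or any CMMC Map code: it models one SSP entry per control, flags entries an assessor would push back on ("We do backups" style statements, no enforcing tool named, not-implemented controls with no plan or deadline), and builds the POA&M from the not-yet-implemented entries. The control numbers are real NIST SP 800-171 requirement IDs, but the company, its tools, and the `poam_eligible` flags are constructed for illustration; the actual POA&M eligibility rules are not encoded here.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Phrases that make an implementation statement unverifiable (assessor red flags).
VAGUE_PATTERNS = (r"\bas (needed|appropriate)\b", r"\bregularly\b", r"\bperiodically\b")
MIN_STATEMENT_WORDS = 8  # "We do backups." is three words; a real entry names tool, scope, cadence


@dataclass
class ControlEntry:
    control_id: str            # NIST SP 800-171 requirement number, e.g. "3.8.9"
    statement: str             # how the control is met in *this* environment
    enforced_by: str           # the tool or process that enforces it
    implemented: bool          # True = fully implemented today (SSP); False = open (POA&M)
    poam_eligible: bool = True # assumption for this example: whether the rules let it sit on a POA&M
    remediation: str = ""      # required when not implemented
    due: str = ""              # ISO date, required when not implemented


def check_entry(e: ControlEntry) -> list[str]:
    """Return the problems an assessor would flag for one SSP entry (empty list = clean)."""
    problems: list[str] = []
    if not re.fullmatch(r"3\.\d{1,2}\.\d{1,2}", e.control_id):
        problems.append(f"{e.control_id}: not a NIST SP 800-171 requirement number")
    too_short = len(e.statement.split()) < MIN_STATEMENT_WORDS
    vague = any(re.search(p, e.statement, re.I) for p in VAGUE_PATTERNS)
    if too_short or vague:
        problems.append(f"{e.control_id}: implementation statement is too vague to verify")
    if not e.enforced_by.strip():
        problems.append(f"{e.control_id}: no enforcing tool or process named")
    if not e.implemented:
        if not e.poam_eligible:
            problems.append(f"{e.control_id}: not implemented and not POA&M-eligible (blocking finding)")
        elif not (e.remediation.strip() and e.due.strip()):
            problems.append(f"{e.control_id}: on POA&M but missing remediation plan or due date")
    return problems


def build_poam(entries: list[ControlEntry]) -> list[dict]:
    """The POA&M is derived from the SSP: every open control that the rules allow to be deferred."""
    return [
        {"control": e.control_id, "plan": e.remediation, "due": e.due}
        for e in entries
        if not e.implemented and e.poam_eligible
    ]


def review_ssp(entries: list[ControlEntry]) -> tuple[list[str], list[dict]]:
    """Run every entry through the checks and produce the derived POA&M."""
    problems = [p for e in entries for p in check_entry(e)]
    return problems, build_poam(entries)


# Constructed sample SSP for a hypothetical 12-person contractor.
SAMPLE_SSP = [
    ControlEntry("3.5.7",
                 "Password policy enforced through Microsoft Entra ID with a 14-character minimum, applied to all 12 user accounts.",
                 "Microsoft Entra ID password policy", implemented=True),
    ControlEntry("3.8.9", "We do backups.", "", implemented=True),          # the entry assessors reject
    ControlEntry("3.5.3",
                 "MFA enforced for the 3 admin accounts; rollout to the 9 non-privileged accounts is not finished.",
                 "Microsoft Entra ID Conditional Access", implemented=False, poam_eligible=True,
                 remediation="Extend the MFA Conditional Access policy to all users", due="2025-09-30"),
    ControlEntry("3.1.1",
                 "Accounts exist but access is not restricted to authorized users; a shared admin login is still in use.",
                 "None yet", implemented=False, poam_eligible=False),      # assumption: not deferrable
]

if __name__ == "__main__":
    found, poam = review_ssp(SAMPLE_SSP)
    print("Problems:")
    for p in found:
        print("  -", p)
    print("Derived POA&M:", poam)
```

Run as-is and the 3.5.7 entry passes, the "We do backups" entry is flagged twice (vague statement, no enforcing tool), the MFA rollout lands on the derived POA&M, and the non-deferrable open control is reported as a blocking finding rather than quietly pushed onto the plan. Swapping the `poam_eligible` flags for the real eligibility rules is the one piece of work this example leaves to you.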

Don't start your SSP from a blank page

CMMC Map walks you through all 110 controls in plain English and assembles your System Security Plan from your answers — so the master document writes itself as you go.


Why the SSP Is Worth Getting Right First

Everything downstream depends on it. Your evidence, your policies, your assessment scope, even the price a C3PAO quotes you — all of it keys off the SSP. A clear, accurate plan with a tight boundary can cut assessment cost and time dramatically. A vague one invites findings, scope creep, and a more expensive engagement.

It's also a living document. Add a new cloud app, change MSPs, or onboard staff, and the SSP needs to reflect it. Treat it as something you maintain, not something you write once and file away.

The good news: writing it forces you to actually understand your own environment — and that understanding is most of what real security is anyway.