White Paper

CMMC 2.0 System Security Plan

Required Components, Structure, and Compliance Obligations

9
Core Sections
110
NIST Controls Covered
3
CMMC Levels Addressed
6
Expert Perspectives
Executive Summary

A System Security Plan (SSP) is the foundational compliance document required of every defense contractor subject to the Cybersecurity Maturity Model Certification (CMMC) 2.0 framework. It is not an administrative formality. An SSP is the primary artifact that assessors examine to determine whether a contractor’s cybersecurity posture meets the standards necessary to handle Controlled Unclassified Information (CUI) on behalf of the Department of Defense.

This white paper details every required component of a CMMC 2.0 SSP, organized by regulatory origin, assessment function, and implementation level. It addresses the specific evidence assessors require, the legal consequences of inaccurate documentation, the obligations of contractors using cloud or managed service providers, and the ongoing maintenance requirements that apply after an SSP is first completed.

Key Findings
  • The SSP mandate originates in DFARS 252.204-7012 and is codified for CMMC 2.0 in 32 CFR Part 170. All contractors subject to CMMC Level 2 or Level 3 must maintain a complete, accurate SSP.
  • An SSP must document the current implemented state of controls — not intended or aspirational states. Describing what a control will do rather than what it does is a primary assessment finding.
  • System boundary definition is the single most consequential SSP component. An understated boundary that excludes assets which process, store, or transmit CUI is both a compliance failure and a source of legal liability.
  • The SSP and Plan of Action and Milestones (POA&M) must be formally cross-referenced. Every control marked partially or not implemented requires a corresponding POA&M entry with remediation timeline.
  • Contractors using external cloud services or managed security providers must document control inheritance formally, including customer responsibility matrices from each provider.
  • Executive attestation of SSP accuracy creates False Claims Act exposure. The DoJ’s Civil Cyber-Fraud Initiative has established that knowingly submitting an inaccurate SSP in connection with a federal contract may constitute fraud.

1.Regulatory Foundation and Mandatory Status

The requirement to maintain a System Security Plan predates the CMMC framework by more than a decade. Understanding the full regulatory lineage is essential to understanding what the SSP must contain and why.

1.1 The DFARS Origin

Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, titled “Safeguarding Covered Defense Information and Cyber Incident Reporting,” is the primary contractual mechanism requiring defense contractors to implement NIST SP 800-171 controls and maintain documentation of that implementation. This clause has been mandatory in covered DoD contracts since December 2017.

1.2 CMMC 2.0 Codification

CMMC 2.0, codified through 32 CFR Part 170 (interim final rule, 2024), formalizes the SSP requirement into a structured three-level framework:

CMMC LevelControl SetSSP Assessment Context
Level 1 — Foundational15 controls (FAR 52.204-21)Annual self-assessment; SSP documentation expected but not C3PAO-verified; no formal SSP template mandated.
Level 2 — Advanced110 practices (NIST SP 800-171 Rev 2)Triennial C3PAO assessment (critical programs) or annual self-assessment; complete SSP required and is the primary assessment artifact.
Level 3 — ExpertNIST SP 800-172 overlay (130+ practices)Government-led assessment by DCSA; full SSP plus enhanced documentation; heightened evidence standards.
1.3 The NIST SP 800-18 Documentation Standard

While CMMC does not mandate a specific SSP format, NIST SP 800-18, Rev. 1 defines the canonical structure that assessors expect. Contractors deviating significantly from this structure face increased risk of findings related to documentation completeness rather than control implementation.

Regulatory Authority Chain
FAR 52.204-21
Level 1 — 15 controls
DFARS 252.204-7012
CUI safeguarding mandate
NIST SP 800-171 Rev 2
110 security requirements
32 CFR Part 170
CMMC 2.0 codification
NIST SP 800-18
SSP structure standard

2.System Boundary Definition

System boundary definition is the most consequential structural decision in SSP development. The boundary determines which assets, users, networks, and processes are subject to CMMC controls. An incorrectly defined boundary — whether too narrow or insufficiently documented — is the most frequently cited finding in CMMC assessments.

2.1 What the Boundary Must Encompass

The system boundary must include every asset that processes, stores, or transmits CUI. This is not limited to servers and workstations.

  • All hardware that touches CUI: endpoints, servers, networking equipment, removable media, printers, and mobile devices
  • All software: operating systems, applications, collaboration tools, and utilities that process or access CUI
  • All cloud services: SaaS platforms (including email), IaaS environments, and managed services that handle CUI
  • All network segments through which CUI transits, including VPNs and remote access infrastructure
  • All users: employees, contractors, and third-party personnel with access to CUI systems
  • All physical locations from which CUI systems are accessed
2.2 Boundary Scope Errors: Common Assessment Findings
Finding Type 1 — Understated Boundary
Excluding assets that clearly handle CUI because they are perceived as peripheral (e.g., the email system used to receive contract deliverables, the backup server, or the IT administrator’s workstation). Assessors trace CUI flows and will identify excluded assets.
Finding Type 2 — Stale Diagrams
Network topology or data flow diagrams that reflect an architecture from a prior period. Diagrams must reflect the current state at the time of assessment. Stale diagrams are treated as evidence of inadequate SSP maintenance.
Finding Type 3 — Missing Cloud Services
Failure to include SaaS collaboration tools (e.g., email platforms, video conferencing, document storage) that are used to send, receive, or discuss CUI. Cloud services require explicit documentation and inheritance analysis.

3.Required SSP Components

A complete CMMC 2.0 SSP, aligned with NIST SP 800-18 and the CMMC Assessment Process (CAP), contains a defined set of mandatory components. Each component serves a specific evidentiary function in the assessment process.

3.1 Control Implementation Statements

This is the substantive core of the SSP and the section that assessors examine most intensively. For each of the 110 NIST SP 800-171 security requirements (at Level 2), the SSP must contain an implementation statement describing how that specific control is currently implemented.

Critical Requirement
Implementation statements must describe the current, implemented state — not an intended future state. Writing that a control “will be implemented” or “is being configured” documents a gap, not compliance. If a control is not yet implemented, that fact belongs in the POA&M, and the SSP must accurately reflect the partial or non-implemented status.

The three implementation status designations are:

Implemented
The control is fully in place as described. No POA&M entry required.
Partially Implemented
The control exists but covers only some assets, users, or scenarios. A POA&M entry is required documenting what remains and by when it will be completed.
Not Implemented
The control does not exist. A POA&M entry with remediation timeline is required. Permissible at assessment time only for non-critical controls with active remediation plans.
3.2 Roles and Responsibilities
  • System Owner — executive accountability for the system and SSP accuracy
  • Information System Security Officer (ISSO) — day-to-day security management
  • System Administrator(s) — technical implementation and maintenance
  • Authorizing Official — the individual who signs the Plan of Action and accepts residual risk
  • Data Owner — responsibility for the CUI handled by the system

4.Supporting Artifacts and Required Diagrams

The SSP does not stand alone. Assessors expect a defined set of supporting artifacts that substantiate the claims made in the SSP’s control implementation statements. An SSP without supporting artifacts is considered incomplete regardless of the quality of its prose.

4.1 Mandatory Supporting Documents
Supporting DocumentRequired Content
Information Security PolicyThe governing policy establishing the organization’s security objectives, executive commitment, and compliance obligations. Must reference NIST 800-171 and applicable CMMC level.
Configuration Baseline DocumentationDocumented secure configuration standards for each major asset class. Must reference a recognized standard such as CIS Benchmarks or DISA STIGs.
Access Control Policy and ProcedureDescribes how access to CUI systems is granted, reviewed, modified, and revoked. Must address least privilege and separation of duties.
Incident Response PlanA documented procedure for detecting, responding to, and reporting cybersecurity incidents. Must include DFARS 252.204-7012 reporting timelines (72-hour DoD notification).
Contingency / Business Continuity PlanDocumentation of backup procedures, recovery time objectives, and testing cadence for systems handling CUI.
Risk AssessmentA current risk assessment identifying threats, vulnerabilities, and accepted residual risks. Must be updated at minimum annually for Level 2.
Assessor Expectation
Assessors do not accept diagrams that appear to have been created for the SSP rather than maintained as operational documentation. Signs of this include diagrams with no version history, no specific IP or VLAN identifiers, or that cannot be reconciled with the asset inventory.

5.Plan of Action and Milestones (POA&M) Integration

The Plan of Action and Milestones is a companion document to the SSP that is inseparable from it for assessment purposes. The SSP describes what is implemented; the POA&M documents what is not yet implemented, why, and on what timeline remediation will occur.

5.1 The Cross-Reference Requirement

Every POA&M entry must be traceable to a specific SSP section or control statement. Assessors verify this linkage explicitly. An SSP that describes a control as “partially implemented” but has no corresponding POA&M entry is itself a compliance finding.

Assessment Mathematics
CMMC assessments produce a SPRS (Supplier Performance Risk System) score. Each unimplemented or partially implemented control reduces the score from a maximum of 110. The POA&M score determines whether a contractor may begin performance under a contract while remediation is ongoing.

6.External Service Provider and Cloud Inheritance

The widespread use of cloud infrastructure, managed security services, and SaaS platforms has introduced one of the most complex documentation challenges in CMMC compliance: control inheritance. When a third party implements a control on the contractor’s behalf, the SSP must formally document both the inherited control and the boundary of contractor responsibility.

6.1 Customer Responsibility Matrix

Cloud providers operating under FedRAMP publish a Customer Responsibility Matrix (CRM) — a document identifying, for each NIST control, whether the provider, the customer, or both share responsibility. The contractor’s SSP must include or reference the applicable CRM and must explicitly describe how the contractor is fulfilling its share of each shared responsibility.

Common Failure Mode
Contractors frequently claim full inheritance of controls from cloud providers without producing a CRM. “We use Microsoft 365 GCC High, so our controls are inherited” is not a valid SSP statement. The contractor must demonstrate it has reviewed the applicable CRM and is implementing the customer-side obligations for each shared control.

7.SSP Maintenance, Versioning, and Review Cadence

An SSP is not a point-in-time document. It must reflect the current state of the environment at all times. An SSP that accurately described an organization’s controls eighteen months ago but has not been updated since is not a compliant SSP — it is evidence of a maintenance failure.

7.1 Triggering Events for SSP Updates
  • Significant changes to the system architecture, including new systems, decommissioned systems, or changes to network topology
  • Addition or removal of external service providers or cloud services
  • Changes to personnel in key security roles (system owner, ISSO, authorizing official)
  • Implementation of a new security control or modification of an existing one
  • Closure of a POA&M item (requires updating the corresponding control implementation statement)
  • Discovery of a previously undocumented asset within the CUI environment

8.Legal and Attestation Risk

The legal dimensions of SSP documentation represent one of the most significant and underappreciated risk areas in CMMC compliance. The consequences of a materially inaccurate SSP extend beyond failed assessments into federal fraud liability and executive personal exposure.

8.1 The False Claims Act Framework

The False Claims Act (31 U.S.C. § 3729) imposes civil liability on any person or entity that knowingly submits a false claim to the federal government. A contractor that submits an SSP it knows to be inaccurate — and certifies compliance with DFARS cybersecurity requirements — is presenting a potentially false certification in exchange for federal payment. The Department of Justice formalized this enforcement posture with the launch of the Civil Cyber-Fraud Initiative in October 2021.

FCA Exposure in Practice
FCA penalties include treble damages (three times the government’s actual losses) plus per-claim civil penalties. The law also permits qui tam (whistleblower) actions, meaning an employee who knows the SSP is inaccurate can file suit on behalf of the government and receive a share of any recovery.

9.Small and Mid-Size Contractor Considerations

The CMMC SSP requirements were designed with the full range of defense contractors in mind, but the compliance burden falls disproportionately on small businesses — companies with fewer than 50 employees, limited IT staff, and no dedicated cybersecurity function.

9.1 Scoping as a Risk Management Tool

The most practical approach for small contractors is rigorous CUI scoping. If the organization can segregate CUI handling to a defined subset of systems — a dedicated CUI enclave — the SSP scope can be significantly reduced. This is legitimate architectural design that reduces compliance burden while maintaining control effectiveness.

  • Using a dedicated CUI-handling workstation or virtual desktop as the only in-scope endpoint
  • Using a CMMC-compliant cloud enclave (such as Microsoft 365 GCC High) for all CUI processing, limiting in-scope on-premise assets to authentication infrastructure
  • Implementing network segmentation that isolates CUI systems from general business IT

Bibliography

Citations follow Chicago author-date format.

Department of Defense. 2021. “CMMC 2.0 Program.” Office of the Under Secretary of Defense for Acquisition and Sustainment.
Department of Justice. 2021. “Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative.” October 6, 2021.
Department of Defense. 2024. 32 CFR Part 170 — Cybersecurity Maturity Model Certification (CMMC) Program. Interim Final Rule. Federal Register Vol. 89.
Defense Federal Acquisition Regulation Supplement. 2016. DFARS 252.204-7012 — Safeguarding Covered Defense Information and Cyber Incident Reporting.
Federal Acquisition Regulation. FAR 52.204-21 — Basic Safeguarding of Covered Contractor Information Systems.
National Institute of Standards and Technology. 2006. NIST SP 800-18, Revision 1: Guide for Developing Security Plans for Federal Information Systems.
National Institute of Standards and Technology. 2020. NIST SP 800-171, Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
National Institute of Standards and Technology. 2021. NIST SP 800-172: Enhanced Security Requirements for Protecting Controlled Unclassified Information.
Cyber-AB (CMMC Accreditation Body). 2023. CMMC Assessment Process (CAP) — Version 1.0.
United States Code. 31 U.S.C. § 3729 — False Claims Act.
CMMC 2.0 System Security Plan  |  Crucible Insight
July 2026