
By: Mira Aslanova on May 08, 2025

CMMC Step 4: SSP Documentation–What’s Your CMMC Compliance Evidence?

Cybersecurity | Compliance | CMMC 2.0

If you’ve already found and corrected security flaws through a CMMC gap analysis, your next move as a Department of Defense (DoD) contractor or subcontractor needing CMMC certification is the “prove it” stage.

This is where your System Security Plan, or SSP, comes in.

As a business within the DoD’s Defense Industrial Base (DIB) supply chain, what’s your current security posture?

What specific security controls have you implemented to satisfy the CMMC regulatory requirements for your level?

Who’s responsible for ensuring that the security defenses you’ve adopted to protect the sensitive federal information you handle are being followed within your organization?

A system security plan is your answer to all of these questions and more.

In this article, we’ll define what an SSP is, outline the main components of an SSP, and explain why it’s a mandatory, core part of your CMMC certification journey.

With this information, you’ll understand the important role this essential documentation plays in ensuring that you’re not only prepared, but that you also have evidence to back it up.

What Is A System Security Plan (SSP)?

A system security plan (SSP) is a comprehensive document that spells out the exact security tools, systems, policies, procedures, and personnel your business has put in place to ensure the ongoing safety and integrity of the sensitive federal data you’re responsible for protecting.

An SSP allows you to show exactly how you’re protecting federal contract information (FCI) and controlled unclassified information (CUI) to satisfy CMMC security requirements.

Think of it as your organization’s CMMC readiness catalog. Within it is a comprehensive accounting of all of the physical and technical security controls your business has put in place to mitigate risks.

It represents an accurate snapshot of your company’s real-time security posture to prevent, detect, respond to, and recover from security threats that could endanger FCI or CUI—whether those threats originate from within or outside your organization.

This step will help you verify compliance during your CMMC assessment to streamline the certification approval process.

That’s why developing a comprehensive SSP is not optional. In fact, the DoD has made it a requirement to obtain CMMC certification.

What Are The Three Main Components Of A System Security Plan?

An SSP maps out the CUI boundary within your organization that you’ve previously set.

It also clearly identifies in-scope assets—including your systems, processes, and data—along with the specific security controls you’ve implemented. This will allow the CMMC assessor to easily understand your compliance strategy.

At this point, you’re probably aware that CMMC 2.0 splits DoD primes and their subcontractors into three levels, each requiring different cybersecurity and assessment compliance mandates.

Level 1 businesses are required to follow basic cyber hygiene controls to meet compliance. These organizations will be allowed to conduct a self-assessment to get certified.

While a select few Level 2 businesses will be able to self-assess, most will need to get audited by a certified third-party assessor organization (C3PAO). Level 2 assessments, which are required every three years, must meet NIST SP 800-171 compliance standards.

Level 3 companies handle the most sensitive CUI, and therefore, must meet the toughest security requirements of the three levels, which includes satisfying controls from NIST SP 800-172.

These businesses must first get assessed by a C3PAO to obtain Level 2 certification. Then, they must get assessed by federal auditors from the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Keep in mind that businesses at each of the three levels must annually self-attest (or re-affirm) that they’ve maintained CMMC compliance in order to keep their certification.

Your SSP consists of three major sections.

Let’s break each section down:

1. System Boundary and Description

  • Your SSP will contain a detailed description of the identified in-scope assets within your environment—your systems, applications, networks, and data archives that store, process, or transmit CUI.

  • It will outline the defined system boundaries and interconnections, showing how each system communicates and where data flows within your IT environment.

  • It will also state the physical environments on premises where CUI is stored or accessed.

2. Roles and Responsibilities

  • Your SSP will identify the individuals within your organization with access to CUI, specifying their roles, privileges, and job responsibilities as they relate to handling CUI.

  • Your plan will spell out access controls you’ve implemented to authenticate user identity and restrict CUI data access to only authorized individuals.

  • Your SSP will also list the key stakeholders within your business who have taken ownership of your overall CMMC compliance strategy. These individuals may be interviewed during your audit to explain or demonstrate specific security controls to prove compliance.

3. Security Requirements Implementation

  • Your SSP will include an exhaustive list of all the security controls you’ve implemented to meet the CMMC requirements for your level.

  • It will detail the risk mitigation strategies, including your tools, processes, policies, and systems, that were implemented to fix security flaws identified in your gap analysis.

Why Does Developing An SSP Matter?

Your system security plan isn’t just documentation: it’s your proof of CMMC compliance and certification readiness.

Remember, your SSP is the single source of truth that ties everything together—the people (internal or external support), policies, and technologies within your identified CUI boundary responsible for protecting CUI from malicious actors looking to steal or compromise the sensitive federal information you handle.

  • An SSP is required for CMMC certification—and without it, you won’t pass your assessment. Think of it as a final project that represents a significant portion of your overall grade.

  • It validates your remediation work to correct CMMC security flaws and provides proof of the specific security controls you implemented to close those gaps.

What Results Can You Expect From This Phase?

As we stated, the DoD is requiring DIB businesses to create an SSP in order to get certified. It's one thing to say you've met the required security standards; it's another to show it. Your SSP allows you to do both.

By the end of this step, you’ll have:

  • A completed SSP: A comprehensive document that fully outlines your security posture, systems, controls, and compliance efforts within your identified assessment boundary

  • Policies and procedures development/evaluation: A thorough review of your existing policies designed to meet CMMC requirements in key areas like access control, incident response, and data protection, or the development of such policies

  • Audit-ready documentation: Everything you need to move confidently into the final phase of your CMMC journey, knowing that your environment is well-documented and aligned to your CMMC level

The Bottom Line With Developing An SSP For CMMC Certification

Now you know what an SSP is and why it’s an essential step in getting CMMC certified.

This is the step where all of your efforts are crystallized into a well-documented record—the tangible proof that you’re doing all you can to keep the FCI and CUI you handle out of the wrong hands.

The SSP shows assessors that you’ve done the work, and it offers hard evidence that you’ve built a secure environment to ensure the ongoing safety of the FCI and CUI data you store, process, or transmit.

Along with interviewing your key staff and having you demonstrate some of your security measures in action, assessors will look for your SSP as another essential element proving you’ve met the necessary compliance requirements to obtain certification.

Accomplishing this critical step is vital to your ability to continue doing business with the DoD or win new contracts going forward.

If you have any CMMC compliance readiness questions, need help developing an incident response plan or other documents, or want expert guidance to help you create your SSP, we’re here to help.

About Mira Aslanova

Mira Aslanova is the Cybersecurity and Compliance Manager at Kelser Corp. Her mission is to protect businesses from evolving threats while ensuring adherence to relevant compliance regulations and policies. With extensive experience managing cybersecurity for complex systems, she has helped organizations secure the certifications and approvals required for safe and secure operations. Her expertise makes her a trusted partner in navigating the challenges of cybersecurity and compliance.