How to Write a System Security Plan for CMMC + SSP Template

January 21, 2025

Author: Emily Bonnie, Senior Content Marketing Manager

Reviewer: Rob Gutierrez, Senior Compliance Manager

If you're pursuing compliance with the Cybersecurity Maturity Model Certification (CMMC), creating a System Security Plan (SSP) is one of the most important steps in preparing for an assessment. But what exactly goes into an SSP, and how do you write one? This guide will break it down for you, explaining this critical document’s purpose, key components, and the steps needed to draft a compliant SSP. We’ll also provide practical tips and a downloadable template full of examples to get you started and make the whole process easier.

Let’s dive in!

What is a System Security Plan?

A system security plan (SSP) is like a detailed blueprint that outlines how your organization protects sensitive data — in the case of CMMC, specifically, information related to government contracts, such as Controlled Unclassified Information (CUI) and/or Federal Contract Information (FCI).

Maintaining an SSP is required for CMMC 2.0 compliance at Levels 2 and 3. It shows you’ve carefully considered and documented how you keep your systems secure and satisfy each of the framework’s cybersecurity requirements.

Here’s a general overview of what an SSP covers:

  • What you’re safeguarding: It outlines which parts of your systems (hardware, software, networks, etc.) are in scope and how they interact, like a map of your digital environment.
  • How you protect it: The SSP spells out the specific security measures and processes you’ve put in place to meet requirements, such as data encryption and access controls.
  • Who’s responsible: It identifies who’s in charge of each part of your security efforts, so there’s no confusion about roles and responsibilities.
  • How you connect to external systems: The SSP also explains how you connect to any outside systems, such as a cloud service provider, and how you make sure those connections are secure.

The SSP is critical because when you’re going through a CMMC assessment, it’s one of the first documents the assessors will look at. It’s your chance to show them, in detail, how you’ve met security requirements.

What to include in a CMMC System Security Plan

An SSP typically includes sixteen sections, building a comprehensive view of your system’s security architecture, risk management practices, and operational procedures.

By understanding what goes into an SSP, you’ll be better equipped to create one that satisfies CMMC compliance requirements and helps you strengthen your overall security posture. Here’s an outline of the key sections, their purpose, and what information to include in each.

1. Introduction and overview

The first section sets the stage by explaining why the SSP exists and what it covers, emphasizing your organization’s commitment to protecting CUI and complying with CMMC 2.0 requirements. It provides stakeholders and assessors with a clear understanding of the document’s purpose, its relevance to CMMC 2.0, and the scope of the system being assessed.

2. System boundaries

The next section defines what is included in the scope of the SSP. A well-defined system boundary identifies all system components that handle CUI and/or FCI. This includes physical devices like servers, workstations, and network equipment, as well as logical components such as software applications, databases, and cloud environments. It also explains how data flows between these components and how it interfaces with external systems or third-party service providers.

What to include:

  • A description of the physical and logical boundaries of the system
  • A list of all components (e.g., servers, applications, cloud environments, networks)
  • Diagrams showing how the system interacts with external entities

3. System description

This section describes the system’s purpose, functionality, and operational environment in detail, giving assessors and stakeholders a clear understanding of how the system fits into the organization’s broader operations.

A well-written system description helps assessors and stakeholders understand not just what the system is, but also how it operates and where potential security risks might exist — essential for evaluating how well the organization has implemented security controls and how those controls align with the overall goals of CMMC compliance.

What to include:

  • Overview of the system architecture
  • Operating environment (e.g., on-premises, cloud, hybrid)
  • Key functionalities and intended uses of the system

4. Roles and responsibilities

The Roles and responsibilities section ensures accountability by assigning specific responsibilities for implementing, managing, and maintaining security controls. It also clarifies the chain of command and escalation paths for any security issues, ensuring that everyone involved understands their role for efficient decision-making and response.

This section is crucial because it provides assessors with evidence that your organization has a structured and strategic approach to managing its security obligations. By assigning specific duties, your organization demonstrates its commitment to ensuring that critical security and compliance tasks are performed reliably and consistently.

What to include:

  • List of key roles (e.g., System Owner, Security Officer, IT Administrator)
  • Responsibilities for each role related to security controls and configuration management

5. Security requirements implementation

This section is typically the longest in an SSP. It demonstrates your level of compliance by explaining how you’ve implemented each CMMC 2.0 security requirement, providing a roadmap for assessors and internal teams to verify that all necessary controls are in place. For Level 2 compliance, this means addressing all 110 controls outlined in NIST SP 800-171, and for Level 3, the additional controls from NIST SP 800-172.

Each control must be described in detail, including the specific policies, procedures, technologies, and practices in place to meet the requirement. For example, explaining access control might involve describing multi-factor authentication, role-based access controls, and periodic access reviews.

What to include:

  • A table or detailed description of each requirement (aligned with NIST SP 800-171 rev 2 for CMMC Level 2 and NIST 800-171 and NIST 800-172 for CMMC Level 3)
  • The specific policies, procedures, and controls in place to satisfy each requirement

6. Interconnections

This next section documents the points where your system connects to any external systems, such as cloud service providers, partner organizations, third-party vendors, or external applications. Each connection should be documented in detail, including the nature of the interaction, the type of data exchanged, and the security controls in place to protect these exchanges.

This level of detail shows assessors that your organization has carefully evaluated third-party risks and taken the appropriate steps to reduce exposure to external threats.

What to include:

  • Details of how data flows between your system and external entities
  • The security measures in place for each connection, such as firewalls or encryption
  • How third-party vendors are assessed for compliance with security requirements
  • How service-level agreements (SLAs) are enforced to uphold these standards

7. Risk management

The Risk management section explains how your organization identifies and addresses potential risks. The process begins with a risk assessment, where potential vulnerabilities, threats, and impacts are identified and documented. This includes analyzing the likelihood of threats like data breaches or system failures and the potential impact of those events.

Mitigation strategies are also outlined for each risk, including implementing technical controls, such as firewalls or encryption, and administrative controls, such as access policies or employee training programs. This section may also describe how risks are continually monitored and reassessed to recognize new threats and adapt to any changes in your organization’s environment.

What to include:

  • Risk assessment findings
  • Mitigation strategies for identified risks
  • Risk register

8. Access control

The Access control section describes the policies and procedures your organization has in place to ensure that only authorized users can access sensitive data, such as multi-factor authentication and role-based access controls.

This section also explains how access is monitored and reviewed. For example, it may describe processes for regularly auditing user permissions, promptly revoking access when employees leave or change roles, and identifying unusual login activities that might signal unauthorized access attempts.

What to include:

  • Policies for granting, reviewing, and revoking access
  • Authentication and authorization mechanisms (MFA, role-based access controls, etc.)
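As an added illustration of the review processes this section describes (auditing user permissions, catching access that was not revoked at offboarding, and spotting unusual login activity), here is a small access-review script. It is example code written for this guide, not code from the original article or from Secureframe. It assumes a constructed HR roster export, a constructed account export, a hypothetical mapping of HR roles to permitted entitlements, and a handful of constructed syslog-style authentication lines; none of these formats belong to any particular product.

```python
"""Access review helpers: orphaned/excess-privilege accounts and failed-login bursts.

Example code added to this guide (not the article's or Secureframe's).
All inputs below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed HR roster export: username -> (employment status, HR role)
HR_ROSTER = {
    "alice": ("active", "engineer"),
    "bob": ("terminated", "engineer"),
    "carol": ("active", "sysadmin"),
    "dave": ("active", "engineer"),
}

# Constructed identity-system export: username -> entitlements currently granted
ACCOUNTS = {
    "alice": {"engineer"},
    "bob": {"engineer"},                 # still enabled after termination
    "carol": {"sysadmin", "engineer"},
    "dave": {"engineer", "sysadmin"},    # sysadmin is not part of the engineer role
    "svc-backup": {"sysadmin"},          # no HR record: needs a documented owner
}

# Hypothetical role-to-entitlement policy (an assumption for this example).
ROLE_ENTITLEMENTS = {
    "engineer": {"engineer"},
    "sysadmin": {"sysadmin", "engineer"},
}

def review_accounts(roster=HR_ROSTER, accounts=ACCOUNTS, policy=ROLE_ENTITLEMENTS):
    """Return sorted (username, finding) pairs for a periodic permission review."""
    findings = []
    for user, granted in accounts.items():
        if user not in roster:
            findings.append((user, "no HR record; confirm owner or disable"))
            continue
        status, role = roster[user]
        if status != "active":
            findings.append((user, "account enabled but user is " + status))
            continue
        excess = granted - policy.get(role, set())
        if excess:
            findings.append((user, "entitlements beyond role: " + ", ".join(sorted(excess))))
    return sorted(findings)

# Constructed auth log lines in an assumed syslog-like layout.
AUTH_LOG = [
    "2025-01-21T08:00:01 host1 sshd: Failed password for alice from 203.0.113.5",
    "2025-01-21T08:00:07 host1 sshd: Failed password for alice from 203.0.113.5",
    "2025-01-21T08:00:12 host1 sshd: Failed password for alice from 203.0.113.5",
    "2025-01-21T08:00:19 host1 sshd: Failed password for alice from 203.0.113.5",
    "2025-01-21T08:00:25 host1 sshd: Failed password for alice from 203.0.113.5",
    "2025-01-21T08:00:31 host1 sshd: Accepted password for alice from 203.0.113.5",
    "2025-01-21T09:15:02 host1 sshd: Failed password for carol from 198.51.100.9",
    "2025-01-21T17:40:44 host1 sshd: Failed password for carol from 198.51.100.9",
]

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: Failed password for (?P<user>\S+) from (?P<src>\S+)$"
)

def failed_login_bursts(lines=AUTH_LOG, threshold=5, window=timedelta(minutes=10)):
    """Return users with >= threshold failed logins inside any sliding window."""
    attempts = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            attempts[m["user"]].append(datetime.fromisoformat(m["ts"]))
    flagged = []
    for user, stamps in attempts.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            # threshold failures whose first and last fall within the window
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged.append(user)
                break
    return sorted(flagged)

if __name__ == "__main__":
    for user, finding in review_accounts():
        print(f"REVIEW {user}: {finding}")
    print("failed-login bursts:", failed_login_bursts())
```

The two functions correspond to the two halves of the review the section describes: the entitlement comparison is the periodic permission audit and offboarding check, and the burst detector is the simplest form of the "unusual login activity" review; both produce findings an SSP can point to as evidence that the process runs.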

9. Audit and accountability

This section describes the tools and processes used to monitor system activities, detect potential threats, and ensure that security controls are functioning as intended. This proactive approach helps you address issues before they escalate into problems, reducing the likelihood of breaches or other disruptions.

This section also outlines how logs are securely stored, protected from tampering, and regularly reviewed by designated personnel. The ability to produce reliable records of system activities demonstrates accountability and highlights your organization’s proactive approach to maintaining system integrity and transparency.

What to include:

  • Monitoring tools and services used
  • Procedures for handling alerts and anomalies
  • Log management and review processes
  • Details of auditing tools and procedures
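One way to make the "protected from tampering" requirement in this section concrete is a hash-chained log store, shown below as an added example that is not part of the original article and not Secureframe's code. It assumes a keyed chain (HMAC-SHA256) with a constructed demo key and constructed log records; the design choice of a keyed rather than plain hash chain is explained after the block.

```python
"""Tamper-evident audit log: HMAC-chained records with verification.

Example code added to this guide (not the article's or Secureframe's).
Each entry binds the previous entry's hash, so altering or removing an
earlier record breaks every later link. Key and records are constructed.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the first entry

def _digest(key: bytes, prev_hash: str, seq: int, record: dict) -> str:
    """Keyed hash over (previous hash, sequence number, canonical record)."""
    payload = json.dumps({"seq": seq, "record": record}, sort_keys=True,
                         separators=(",", ":")).encode()
    return hmac.new(key, prev_hash.encode() + payload, hashlib.sha256).hexdigest()

class AuditLog:
    def __init__(self, key: bytes):
        self._key = key
        self.entries = []  # each: {"seq", "record", "prev", "hash"}

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        seq = len(self.entries)
        entry = {"seq": seq, "record": record, "prev": prev,
                 "hash": _digest(self._key, prev, seq, record)}
        self.entries.append(entry)
        return entry["hash"]

    def head(self) -> str:
        """Latest hash; record it externally so tail truncation is detectable."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self):
        """Return (ok, first_bad_seq): checks ordering, linkage and each HMAC."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            expected = _digest(self._key, prev, e["seq"], e["record"])
            if e["seq"] != i or e["prev"] != prev \
                    or not hmac.compare_digest(e["hash"], expected):
                return False, i
            prev = e["hash"]
        return True, None

def build_demo_log(key: bytes = b"constructed-demo-key") -> AuditLog:
    """Constructed sample records a reviewer might see in a log review."""
    log = AuditLog(key)
    log.append({"user": "alice", "action": "login", "result": "success"})
    log.append({"user": "alice", "action": "read", "object": "contract-42.pdf"})
    log.append({"user": "alice", "action": "logout"})
    return log

if __name__ == "__main__":
    log = build_demo_log()
    print("fresh log verifies:", log.verify())
    log.entries[1]["record"]["object"] = "something-else.pdf"
    print("after editing entry 1:", log.verify())
```

A plain SHA-256 chain only detects accidental corruption, because anyone who can rewrite the log file can also recompute the chain. Keying the chain with a secret held by the log reviewers rather than on the logging host closes that gap; what it still cannot catch is deletion of the newest entries, which is why `head()` exists: writing the latest hash into the review record at each scheduled review lets the next reviewer confirm nothing was cut from the tail.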

10. Maintenance

This section outlines how you conduct maintenance activities to ensure the ongoing security and integrity of your systems’ hardware and firmware, including applying security updates and maintaining hardware components. This ongoing maintenance reduces the risk of vulnerabilities that could be exploited by malicious actors and ensures that all components remain aligned with CMMC compliance requirements over time.

This section also details how maintenance is conducted in a secure way. For example, how administrative privileges are restricted during maintenance tasks to prevent unauthorized changes, or how critical systems are backed up before updates are applied.

What to include:

  • Maintenance tools used
  • Maintenance personnel authorized
  • Nonlocal maintenance procedures
  • Roles responsible for maintenance activities

11. Training and awareness

This section explains how you conduct training programs to educate employees on best practices, organizational policies, and specific compliance requirements. Encouraging security awareness can minimize the risks associated with human error, social engineering attacks, or mishandling sensitive information.

The section also outlines how security awareness training is tracked, documented, and updated to ensure ongoing effectiveness. By providing this level of detail, the Training and Awareness section demonstrates your organization’s commitment to creating a workforce that actively contributes to a strong security posture and knows how to comply with CMMC requirements.

What to include:

  • Security training programs including CUI training
  • Requirements for training frequency and tracking completion

12. Contingency planning

Contingency planning is critical for ensuring your organization is prepared to handle unexpected disruptions and disasters. This section outlines strategies and procedures designed to maintain business continuity in the event of natural disasters, cyberattacks, or system failures. This includes plans for data backup and restoration, identifying critical systems, and prioritizing resources during recovery efforts. This section may also detail how these plans are tested and updated regularly to account for new risks or changes in your organization’s environment.

By detailing these plans, your organization can ensure that essential operations continue with minimal downtime, reducing the impact on both internal workflows and external obligations to customers.

What to include:

  • Business continuity and disaster recovery plans
  • Data backup and restoration processes

13. Appendices and references

The final section of your SSP is for supporting documents and reference materials, such as system diagrams, glossaries, and relevant policies and procedures. Beyond simply offering supplemental information, this Appendices and References section improves the usability and accessibility of the SSP. For example, diagrams can visualize system boundaries or data flows, making complex concepts easier to grasp.

What to include:

  • Glossary of terms
  • Related policies and procedures
  • System diagrams, tables, and additional documentation

Other required CMMC documentation 

In addition to the System Security Plan, CMMC compliance requires several other critical documents that support your overall security strategy. These include a detailed Incident Response Plan and a Plan of Action & Milestones (POA&M). Together, these documents demonstrate a strong understanding of existing risks and your ability to respond effectively to unexpected threats. 

Incident response plan 

CMMC requires a comprehensive incident response plan. This plan should include procedures for detecting and reporting incidents, assigning roles and responsibilities, and escalating issues as necessary. For example, it might describe how suspicious activities are identified through continuous monitoring tools and the process for notifying the appropriate personnel or teams. It also establishes clear communication protocols, both internally among stakeholders and externally to regulators, customers, or other affected parties.

For assessors, this document demonstrates your organization's ability to effectively respond to cybersecurity risks. It showcases a clear commitment to maintaining the integrity and confidentiality of sensitive data, which is crucial for CMMC compliance. 

The incident response plan can be included within the SSP as an appendix, or it can be a standalone document, with the SSP covering incident response controls and requirements.

What to include:

  • Incident response plan overview
  • Contact information for the incident response team
  • Steps for escalation and reporting

Plan of Action & Milestones (POA&M)

The Plan of Action & Milestones is another critical document for CMMC compliance. It serves as a roadmap for remediation, providing a clear plan to resolve issues that might prevent your organization from meeting compliance requirements. By documenting these plans, you can demonstrate that you’re aware of any shortcomings in your security posture and actively working toward improving it.

Each gap or deficiency is documented in detail, including a description of the issue, the associated risks, and the steps required to remediate it. The POA&M prioritizes these actions based on the severity of the risks, ensuring that the most critical issues are addressed first. It also includes timelines for completing each action and assigns specific responsibilities to individuals or teams, establishing accountability and ensuring that remediation efforts are systematically tracked and managed.

What to include:

  • Description of identified gaps
  • Actions to remediate the gaps
  • Timelines and responsible parties for completion

Plan of Action & Milestones (POA&M) Template

The POA&M is a strategic document used to identify and track the actions required to address gaps in your organization’s controls that were identified during an internal or third-party assessment. Use this template to demonstrate ongoing efforts to achieve and maintain CMMC compliance to third-party assessors.

How to write a CMMC system security plan

Writing an SSP for your CMMC 2.0 certification can seem overwhelming, but breaking it down into manageable steps can make the process easier and more straightforward. Here's a step-by-step guide to help you get started, along with recommendations for who should be involved at each stage.

Step 1: Define the scope of the SSP

Before diving into writing your SSP, clearly define the scope of your system. Be specific about the system's components, including hardware, software, networks, and external connections. A well-defined scope prevents unnecessary confusion and keeps your document focused on what matters.

Use visual aids such as system diagrams and charts to map out boundaries. This not only clarifies the scope for internal teams but also makes it easier for assessors to understand how your system is structured.

Work with IT and network administrators to get technical insights and ensure that all components are accurately captured. Compliance officers or security leads can also help ensure that your scope aligns with CMMC requirements.

Step 2: Gather existing documentation

Next, collect all relevant existing documentation to build a foundation for your SSP. This includes policies, procedures, network diagrams, system inventories, and any previous compliance reports or risk assessments. These documents will provide valuable starting points for many sections of your SSP and help you identify areas that might already meet compliance requirements.

Review these materials carefully to pinpoint any gaps or outdated information. This step ensures that you’re not duplicating efforts and that your SSP accurately reflects current practices. Administrative staff can help locate and organize these materials, while compliance officers can review them to identify any inconsistencies or missing elements.

Step 3: Conduct a gap analysis

After gathering your documentation, perform a gap analysis to compare your current practices against CMMC 2.0 requirements. This is particularly important if you are pursuing Level 2 compliance, which aligns with NIST SP 800-171, or Level 3, which aligns with NIST 800-171 and NIST 800-172. The goal is to pinpoint which controls you already meet, partially meet, or need to implement from scratch.

This analysis will give you a clear idea of next steps, help prioritize tasks, and allocate resources effectively.

If you lack internal expertise, you can engage a third-party consultant or a Managed Security Service Provider (MSSP) with CMMC expertise to conduct your gap analysis. Security officers and IT staff should also contribute their insights into existing implementations. Automation platforms that integrate with your existing tech stack can automatically compare your existing controls with CMMC requirements, assess your compliance status, and flag any missing or non-compliant controls to expedite the gap analysis and remediation process.
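The gap analysis in this step, the control-by-control table in section 5, and the POA&M entries described earlier all derive from the same underlying inventory: each requirement, its implementation status, and who owns it. The script below is an added example written for this guide (not the article's or Secureframe's code) that works through that chain on a constructed inventory. The control IDs 3.1.1, 3.3.1 and 3.5.3 are real NIST SP 800-171 rev 2 requirement identifiers; the statuses, severities, owners, remediation windows and assessment date are constructed sample values, and the remediation windows in particular are a hypothetical policy, not anything CMMC prescribes.

```python
"""Gap analysis, SSP implementation rows and POA&M entries from one inventory.

Example code added to this guide (not the article's or Secureframe's).
Inventory values below are constructed; control IDs are NIST SP 800-171 rev 2.
"""
from dataclasses import dataclass
from datetime import date, timedelta

IMPLEMENTED = "implemented"
PARTIAL = "partially implemented"
NOT_IMPLEMENTED = "not implemented"

# Hypothetical remediation windows (days) by severity; your risk process sets these.
SLA_DAYS = {"high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

@dataclass
class ControlRecord:
    control_id: str           # NIST SP 800-171 requirement ID, e.g. "3.1.1"
    title: str
    status: str               # IMPLEMENTED / PARTIAL / NOT_IMPLEMENTED
    severity: str             # risk rating if the control is unmet
    owner: str                # role accountable for the control
    implementation: str = ""  # narrative for the section 5 table

@dataclass
class PoamItem:
    control_id: str
    weakness: str
    severity: str
    owner: str
    milestone: str
    due: date

def gap_analysis(records):
    """Bucket controls into met / partially met / unmet (Step 3)."""
    buckets = {IMPLEMENTED: [], PARTIAL: [], NOT_IMPLEMENTED: []}
    for r in records:
        if r.status not in buckets:
            raise ValueError(f"{r.control_id}: unknown status {r.status!r}")
        buckets[r.status].append(r.control_id)
    return buckets

def ssp_implementation_rows(records):
    """Rows for the section 5 table; unmet controls point at the POA&M."""
    rows = []
    for r in records:
        narrative = r.implementation if r.status == IMPLEMENTED else \
            (r.implementation + " See POA&M.").strip()
        rows.append((r.control_id, r.title, r.status, narrative))
    return rows

def build_poam(records, assessed_on):
    """One POA&M entry per partial/unmet control, highest severity first."""
    items = []
    for r in records:
        if r.status == IMPLEMENTED:
            continue
        items.append(PoamItem(
            control_id=r.control_id,
            weakness=f"{r.title}: {r.status}",
            severity=r.severity,
            owner=r.owner,
            milestone=f"Implement and evidence {r.control_id}",
            due=assessed_on + timedelta(days=SLA_DAYS[r.severity]),
        ))
    items.sort(key=lambda i: (SEVERITY_RANK[i.severity], i.control_id))
    return items

# Constructed sample inventory and assessment date.
ASSESSED_ON = date(2025, 1, 21)
SAMPLE = [
    ControlRecord("3.1.1", "Limit system access to authorized users",
                  IMPLEMENTED, "high", "IT Administrator",
                  "Accounts provisioned via HR ticket; quarterly access review by the System Owner."),
    ControlRecord("3.3.1", "Create and retain system audit logs and records",
                  PARTIAL, "medium", "Security Officer",
                  "Server logs forwarded to the central log store; workstation logging pending."),
    ControlRecord("3.5.3", "Use multifactor authentication for privileged and network access",
                  NOT_IMPLEMENTED, "high", "Security Officer"),
]

if __name__ == "__main__":
    print("Gap analysis:", gap_analysis(SAMPLE))
    for row in ssp_implementation_rows(SAMPLE):
        print("SSP row:", row)
    for item in build_poam(SAMPLE, ASSESSED_ON):
        print(f"POA&M {item.control_id} [{item.severity}] due {item.due} "
              f"owner={item.owner}: {item.weakness}")
```

Keeping one inventory as the source for all three outputs is what makes the "document real practices, not aspirations" advice later in this guide mechanically enforceable: a control only gets a full narrative in the SSP table once its status is implemented, and anything else lands in the POA&M with an owner and a date.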

Step 4: Close any gaps

Create or update your security policies and procedures to align with CMMC 2.0 requirements. These should cover critical areas such as access control, incident response, system monitoring, and data protection. Ensure that these policies are not only comprehensive but also practical and enforceable within your organization.

Well-documented and actionable policies are key to ensuring that your organization consistently applies security measures. HR teams can contribute to policies related to training and personnel management, while IT teams can develop technical procedures. Executive leadership should approve all policies to ensure organizational alignment and effective rollout.

Step 5: Draft the SSP

With the groundwork laid, begin drafting your SSP. Start with sections that describe the system, its boundaries, and its architecture. Then move on to roles and responsibilities, the implementation of security requirements, and other key sections. Use clear and concise language to make the document accessible to both technical and non-technical stakeholders.

Compliance and documentation specialists can help structure and draft the content. IT staff should ensure technical accuracy, while legal or compliance officers should verify regulatory alignment.

Step 6: Review and validate your SSP

Before finalizing the SSP, conduct an internal review to ensure its accuracy and completeness. Validate that all described security controls are implemented and functioning as intended. This review process ensures that the SSP is both thorough and reflective of your actual security posture.

Security officers can verify the implementation details, and compliance officers can ensure alignment with CMMC requirements. Company leadership should provide a final review and approval. It’s also good to keep a version, review, and approval history over time, so personnel know when the last review and approval took place and when the next one is due.

Step 7: Train your team

Once the SSP is finalized, train your employees on their roles and responsibilities as outlined in the document. Have them review the SSP and provide specific training on key security practices, incident response procedures, and any new policies introduced.

HR and training coordinators should organize training sessions, while security officers should deliver the content. All employees should participate in the training.

Step 8: Maintain and update the SSP

Your SSP is not a static document — it needs to evolve with your organization. Whenever there are updates to your system, policies, or security program, the SSP must be updated accordingly. Schedule regular reviews to keep it aligned with emerging CMMC requirements and relevant to your organization.

IT and security teams and responsible control owners should handle technical updates. Compliance officers can monitor regulatory changes, and leadership should approve all updates to the SSP document.

CMMC 2.0 System Security Plan (SSP) Template

Get a fully customizable SSP template that includes specific examples for each section for clear guidance on creating a compliant SSP.

Tips for writing your SSP from CMMC compliance experts

Creating a System Security Plan is a complex and time-intensive process that requires significant effort and resources. To make the process smoother and more efficient, we gathered insights from our team of federal compliance experts and former auditors. Here are their top tips and best practices to help you successfully draft a compliant and effective SSP.

Work from a template that’s aligned with CMMC and NIST requirements

Starting from scratch can be daunting, so leverage your existing policies and procedures to build out your SSP. For example, if your organization is already compliant with SOC 2, ISO 27001, or another cybersecurity framework, you already have policies in place for things like access control and incident response. Aligning your CMMC compliance efforts with your existing controls will help you build a cohesive and streamlined compliance program — and make it easier to create and maintain your SSP. 

You can also use templates to guide your SSP creation, including our free SSP template or the NIST SP 800-171 template if you’re pursuing Level 2 compliance. These templates provide a structured approach and ensure you don’t miss critical sections, while allowing you to customize the document to reflect your specific operations and controls.

Using compliance tools or CMMC compliance checklists can also help you track and document your compliance with each control.

Collaborate across departments

Writing an SSP is not the sole responsibility of any one team. It requires input across multiple departments, including HR, compliance, IT, leadership, and operations. Each team has unique insights into processes and policies that are critical to the SSP’s accuracy and completeness.

Hold regular cross-departmental meetings to gather input, address questions, and align on security measures. This ensures consistency across policies and builds a more comprehensive plan.

Be detailed but practical

Your SSP should provide enough detail to demonstrate compliance but avoid overcomplicating things. Focus on actionable, real-world implementations rather than theoretical possibilities. Detail how you meet each security requirement and reference supporting policies and procedures when applicable.

For every control, describe how it is implemented and link it to specific practices or technologies within your organization. This makes the SSP practical and easier to validate during assessments.

Document real practices, not aspirations

Only include security measures that are currently in place and operational. If there are controls or processes you plan to implement in the future, document these in your POA&M instead of the main SSP.

Include supporting evidence such as policies, procedures, network diagrams, and system inventories that demonstrate how controls are actually implemented. Maintaining a centralized repository for all documents related to your SSP makes it easier to access and update supporting evidence as needed.

Use clear and consistent language

Your SSP will be reviewed by both technical and non-technical stakeholders, so ensure it is written in clear, concise language. Avoid technical jargon or unexplained acronyms that might confuse readers. Use consistent terminology throughout to make the SSP easier to understand and navigate.

Engage experts if needed

If your team lacks experience in SSP creation or CMMC compliance, consider implementing a compliance automation platform with a team of compliance experts for support, or work with an MSSP. Their expertise can help ensure accuracy and save you a significant amount of time and headaches.

Expedite CMMC compliance with Secureframe

Achieving CMMC compliance is a challenging and time-intensive process — one that requires meticulous planning, documentation, and execution. But leveraging the right tools can significantly reduce this complexity. By adopting a compliance automation platform, you can simplify key tasks, ensure accuracy, and accelerate your assessment preparations.

With Secureframe, you’ll get a suite of resources and support that streamline compliance with federal frameworks including CMMC 2.0, such as:

  • Federal compliance expertise: Our team of compliance experts includes former CMMC, FISMA, and FedRAMP auditors and consultants to support you at every step. Our platform is always kept up-to-date with the latest changes to federal compliance requirements, simplifying regulatory change management. 
  • Deep integrations for automated evidence collection: Secureframe integrates with your existing tech stack, including AWS GovCloud, to automatically collect evidence and continuously monitor your CMMC Level 1 controls.
  • Continuous monitoring: Secureframe continuously monitors your security controls, automatically identifying compliance gaps, misconfigurations, and failing controls.
  • AI-powered remediation: Automatically generate fixes as infrastructure-as-code for efficient cloud remediation and a stronger information security program.
  • Easier document and policy management: Templated policies, procedures, and SSPs written by former federal auditors can be fully customized to meet your needs. Our enterprise policy management capabilities include SSP templates, impact assessments, and readiness reports. 
  • In-platform training: Proprietary employee training that meets CMMC requirements including insider threat and role-based training, and is reviewed and updated annually by compliance experts.
  • Multi-framework compliance: Intelligent cross-mapping makes it easier to quickly achieve compliance with multiple federal standards including CMMC, NIST 800-53, NIST 800-171, FedRAMP, NIST CSF, TX-RAMP, and CJIS. Instead of starting from scratch, Secureframe applies the controls you already have in place to multiple frameworks, accelerating time to compliance and eliminating duplicate work.  

By partnering with Secureframe, you’ll have the expertise and tools to navigate CMMC efficiently and ensure your organization is continually compliant with Department of Defense (DoD) requirements.

Schedule a demo with one of our product experts to see why Secureframe is an invaluable resource for CMMC compliance.


FAQs

What is an SSP in CMMC?

A System Security Plan (SSP) in CMMC is a document that outlines how an organization implements and manages security controls to protect sensitive data, such as Controlled Unclassified Information (CUI) or Federal Contract Information (FCI). It’s a key requirement for organizations within the Defense Industrial Base (DIB) looking to achieve CMMC 2.0 certification.

What is an SSP in NIST?

In NIST, an SSP is a comprehensive plan that describes the security controls in place for an information system. It is typically required for compliance with frameworks like the National Institute of Standards and Technology (NIST) special publication 800-171 or NIST SP 800-53 and serves as a roadmap for how an organization ensures system security.

Who completes an SSP?

An SSP is usually completed by a combination of roles within an organization, including IT and security teams for technical input, compliance officers for regulatory alignment, and leadership for oversight. External consultants or MSSPs may also assist if additional expertise is needed with creating an SSP or completing a self-assessment.

Is an SSP required for CMMC compliance? 

Yes, it is a hard requirement for CMMC compliance as well as compliance with FedRAMP, NIST 800-53, and NIST 800-171.