System Security Plan (SSP)
A System Security Plan (SSP) is a comprehensive document that describes how an organization implements security controls to protect federal data within its information systems. For defense contractors subject to DFARS 252.204-7012, the SSP is the foundational document that maps each of the 110 NIST SP 800-171 security requirements to the organization’s specific implementation, serving as the primary reference during CMMC assessments and DIBCAC evaluations.
What Is a System Security Plan (SSP)?
A System Security Plan is a formal document that provides an overview of an organization’s security requirements and describes the security controls in place or planned for meeting those requirements. For defense contractors, the SSP documents how each of the 110 NIST SP 800-171 security requirements is implemented within the systems that process, store, or transmit Controlled Unclassified Information (CUI). The SSP is not just a compliance document — it is the operational blueprint that guides how an organization protects sensitive government information.
What to Include in a System Security Plan
A comprehensive SSP for NIST SP 800-171 compliance should include:
- a system boundary definition identifying which networks, systems, and facilities are in scope;
- a network architecture diagram showing how data flows between systems and to external entities;
- a description of the operating environment, including hardware, software, and cloud services;
- an inventory of all systems that process, store, or transmit CUI;
- the organization's security policies and procedures; and
- a control-by-control description of how each of the 110 NIST SP 800-171 requirements is implemented.
The SSP and CMMC Assessment
During a CMMC Level 2 assessment, the C3PAO assessment team uses the SSP as its primary reference document. Assessors compare the SSP's control descriptions against the actual implementation through documentation review, technical testing, and personnel interviews. An SSP that accurately reflects the organization's security posture makes the assessment smoother and more predictable. Conversely, significant discrepancies between the SSP and the actual implementation can result in practices being scored as NOT MET. Note that the SSP is itself a requirement: NIST SP 800-171 requirement 3.12.4 calls for developing, documenting, and periodically updating system security plans, so an absent or out-of-date SSP is a finding in its own right, not just a documentation inconvenience.
SSP and CMMC Assessment Boundary
The SSP documents the system boundary that becomes the CMMC Assessment Scope (commonly called the assessment boundary): the set of systems, networks, people, and processes that will be evaluated during the assessment. Properly scoping this boundary is critical for managing compliance costs. Organizations that implement a CUI enclave strategy can limit the assessment scope to the enclave, reducing the number of endpoints, users, and facilities that must be documented and assessed; all 110 requirements still apply to whatever sits inside the enclave, so the enclave shrinks the asset inventory, not the control set. The SSP must clearly document this boundary, including every connection between in-scope and out-of-scope systems and the controls (for example, firewalls or conditional access policies) that enforce the separation, since assessors will check that CUI cannot flow across the boundary through an undocumented path.
SSP Maintenance and Updates
The SSP is a living document that must be updated whenever significant changes occur to the information system, its security controls, or its operating environment. Common triggers for SSP updates include adding or removing systems from the CUI environment, changing cloud service providers or infrastructure, modifying network architecture or security boundaries, implementing new security tools or controls, and changes in personnel with security responsibilities. Regular SSP reviews (at least annually, which satisfies the "periodically update" language of requirement 3.12.4) ensure the document remains accurate and audit-ready. A practical check at each review is to reconcile the SSP against the current asset inventory and the POA&M, so that no control is described as implemented while a remediation item for it is still open, and no in-scope asset is absent from the SSP.
SSP Supporting Documents
The SSP is typically accompanied by several supporting documents that together form the complete security documentation package: the Plan of Action and Milestones (POA&M) tracking unimplemented controls, network diagrams and data flow diagrams, hardware and software inventories, security policies and procedures for each control family, incident response plans, configuration management plans, and contingency plans. These documents are referenced by the SSP and may be reviewed during assessments.
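The consistency between the control-by-control descriptions in the SSP and the POA&M that tracks unimplemented controls is something assessors look for, and it is easy to check mechanically once the SSP is kept in a structured form. The following is an added example, not code from the original page or from any assessment body: it assumes a simplified SSP layout (a mapping from requirement ID to a status and an implementation description) and a POA&M keyed by requirement ID, and it flags the usual problems: requirements missing from the SSP, planned controls with no POA&M item, controls claimed as implemented that still have an open POA&M item, empty implementation statements, unrecognised status values, and IDs that are not NIST SP 800-171 Rev. 2 requirements. The per-family requirement counts are those of Rev. 2 (110 in total); the sample SSP and POA&M are constructed to exercise each finding.

```python
"""Consistency check of a structured SSP against NIST SP 800-171 Rev. 2 and
its POA&M.  Added example; the SSP and POA&M layouts below are assumptions,
not a published schema."""

# Requirements per family in NIST SP 800-171 Rev. 2 (sums to 110).  IDs run
# consecutively within each family, e.g. 3.1.1 .. 3.1.22.
FAMILY_COUNTS = {
    "3.1": 22, "3.2": 3, "3.3": 9, "3.4": 9, "3.5": 11, "3.6": 3, "3.7": 6,
    "3.8": 9, "3.9": 2, "3.10": 6, "3.11": 3, "3.12": 4, "3.13": 16, "3.14": 7,
}
REQUIREMENTS = [f"{fam}.{n}" for fam, count in FAMILY_COUNTS.items()
                for n in range(1, count + 1)]
assert len(REQUIREMENTS) == 110

VALID_STATUS = {"implemented", "planned", "not applicable"}


def check_ssp(ssp, poam):
    """Reconcile an SSP with its POA&M.

    ssp:  {req_id: {"status": str, "description": str}}   (assumed layout)
    poam: {req_id: {"milestone": str}}                     (assumed layout)
    Returns a sorted list of (req_id, finding) tuples; empty means consistent.
    """
    findings = []
    for req in REQUIREMENTS:
        entry = ssp.get(req)
        if entry is None:
            findings.append((req, "missing from SSP"))
            continue
        status = entry.get("status")
        if status not in VALID_STATUS:
            findings.append((req, f"unknown status {status!r}"))
        # Every applicable control needs a written implementation statement.
        if status != "not applicable" and not entry.get("description", "").strip():
            findings.append((req, "no implementation description"))
        # Planned controls must be tracked; implemented ones must not still be open.
        if status == "planned" and req not in poam:
            findings.append((req, "planned but no POA&M item"))
        if status == "implemented" and req in poam:
            findings.append((req, "implemented in SSP but still open in POA&M"))
    for req in ssp:
        if req not in REQUIREMENTS:
            findings.append((req, "not a NIST SP 800-171 Rev. 2 requirement"))
    for req in poam:
        if req not in REQUIREMENTS:
            findings.append((req, "POA&M item for unknown requirement"))
    return sorted(findings)


def sample_ssp():
    """Constructed SSP and POA&M with deliberate defects (not real data)."""
    ssp = {r: {"status": "implemented",
               "description": f"Placeholder implementation statement for {r}"}
           for r in REQUIREMENTS}
    del ssp["3.13.11"]                       # requirement never documented
    ssp["3.5.3"] = {"status": "planned",     # planned and tracked: no finding
                    "description": "MFA rollout scheduled for all user accounts"}
    ssp["3.3.1"]["description"] = ""         # status claimed, nothing written
    ssp["3.14.7"]["status"] = "partial"      # not a recognised status value
    ssp["3.1.99"] = {"status": "implemented", "description": "typo in ID"}
    poam = {
        "3.5.3": {"milestone": "MFA enforced for privileged accounts first"},
        "3.8.3": {"milestone": "media sanitization procedure"},  # SSP says done
    }
    return ssp, poam


if __name__ == "__main__":
    for req, finding in check_ssp(*sample_ssp()):
        print(f"{req:8} {finding}")
```

Running the block prints five findings for the constructed sample; the planned control 3.5.3, which has a matching POA&M item, correctly produces none. The same check can run in CI against the real SSP data so that the document and the POA&M drift out of step only when someone consciously accepts the change.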