ITAR Registration Code: M49438 / Cage Code: 94U86


Five Foundational Documents Every CMMC Level 2 Company Needs

If you handle Controlled Unclassified Information (CUI) and hold a DoW contract, CMMC Level 2 compliance is not optional. It is a condition of doing business. But for many small and mid-size defense contractors, the path to compliance feels overwhelming. Where do you start?

Start with your documentation.

Before an assessor ever steps into your environment, they will review your documentation and support evidence to understand how your organization protects CUI. That evidence spans written policies, interviews with staff, technical demonstrations, and system records. Organizations that treat compliance as a documentation exercise alone are rarely prepared for what a formal assessment requires.

Here are five foundational documents every CMMC Level 2 company must have in place, and what each one needs to contain.

Briefly

| Document                             | CMMC Requirement | Purpose                          |
|--------------------------------------|------------------|----------------------------------|
| System Security Plan (SSP)           | CA.L2-3.12.4     | Describe security implementation |
| Plan of Action & Milestones (POA&M)  | CA.L2-3.12.2     | Track remediation                |
| Incident Response Plan               | IR.L2-3.6        | Respond to cyber incidents       |
| Access Control Policy                | AC.L2-3.1        | Control user access              |
| Configuration Management Plan        | CM.L2-3.4        | Maintain secure baselines        |

1. System Security Plan (SSP) — CA.L2-3.12.4

The SSP is the cornerstone of your entire compliance posture. It is the single document that describes your organization’s information system, the security environment in which it operates, and how each applicable NIST SP 800-171 security requirement is implemented.

Think of the SSP as your compliance story. It tells an assessor who you are, which assets are in scope, what data you process, and how your security controls work together to protect that data.

What your SSP must include:

  • System boundary definition, with supporting network and data flow diagrams where appropriate
  • Description of the operating environment (on-premises, cloud, hybrid)
  • Identification and categorization of CUI
  • Description of how each applicable NIST SP 800-171 security requirement is implemented
  • References to supporting policies, procedures, and tools
  • System interconnections and third-party dependencies

The DoW CIO publishes guidance describing the minimum content expected in an SSP, but organizations are free to choose their own format. Many mature SSPs range from 75 to over 150 pages, depending on system complexity.

Pro tip: Your SSP must be tailored to your actual environment. A copy-paste SSP from a template, without customization, will be identified immediately during a CMMC Third-Party Assessment Organization (C3PAO) assessment and will put your certification at risk.

2. Plan of Action & Milestones (POA&M) — CA.L2-3.12.2

No organization achieves perfect compliance overnight. The POA&M is your documented acknowledgment of that reality and your structured plan to close the gaps.

Under DFARS 252.204-7012 and the CMMC framework, organizations that perform a NIST SP 800-171 self-assessment may document unmet security requirements in a POA&M. During a CMMC Level 2 certification assessment, only a limited subset of eligible requirements may remain on a POA&M while receiving a Conditional Level 2 Status. Not every unmet control qualifies. Understanding which requirements are eligible is critical before you enter an assessment.

What a credible POA&M must include:

  • Each unimplemented or partially implemented control, referenced by its NIST SP 800-171 practice number
  • A description of the gap and its root cause
  • The planned remediation action
  • Assigned owner and responsible party
  • Realistic milestone dates and completion targets
  • Resources required (budget, personnel, tools)

The Office of the Under Secretary of War for Acquisition and Sustainment (OUSW A&S) has been clear: POA&Ms are not a permanent workaround. They represent a time-limited window to close known deficiencies. Assessors will scrutinize whether your POA&M items are aging without progress.

Critical note: Unimplemented requirements documented in your POA&M will affect your NIST SP 800-171 assessment score that is submitted to SPRS. The NIST SP 800-171 DoW Assessment Methodology assigns deductions ranging from -1 to -5 points per requirement depending on its criticality. Your self-assessment score must be accurately reported.

Not sure where your organization stands with CMMC, ITAR, or federal cybersecurity requirements? The fastest way to get clarity is to talk with an expert. Book a call with our team to review your current environment, identify compliance risks, and determine the steps required to move forward. A short conversation can help you avoid costly mistakes and focus on what matters for contract eligibility and security.

SCHEDULE YOUR FREE CONSULTATION!

3. Incident Response Plan (IRP) — IR.L2-3.6

A breach, or even a suspected breach, involving CUI triggers a regulatory clock. Under DFARS 252.204-7012(c), contractors have 72 hours to report a cyber incident to the Department of War via the DIBNet portal. That window closes fast. If you are scrambling to figure out what to do when an incident occurs, you have already failed.

Your Incident Response Plan documents exactly what happens, and who does what, when something goes wrong.

What your IRP must cover:

  • Defined incident categories (CUI exposure, ransomware, unauthorized access, etc.)
  • Incident identification, triage, and severity classification procedures
  • Roles and Responsibilities of the Incident Response Team
  • Escalation paths and communication protocols
  • Evidence preservation and forensic procedures
  • The 72-hour reporting requirement and DIBNet submission process
  • Post-incident review and lessons learned process
  • Contact list for legal counsel, cyber insurance, and key personnel

These map directly to NIST SP 800-171 practices IR.L2-3.6.1, IR.L2-3.6.2, and IR.L2-3.6.3. Each of those practices requires documented, tested procedures. A general awareness that incidents should be reported is not sufficient.

Don’t skip tabletop exercises. CMMC assessors will ask whether your IRP has been tested. A plan that has never been exercised won’t work under pressure.

4. User Access Control Policy & Access Management Records — AC.L2-3.1

One of the most common sources of CUI exposure is not an external attacker. It is internal over-provisioning: employees with access to far more systems and data than their role requires, contractors who were never offboarded, and admin accounts shared across multiple users.

Your Access Control Policy, paired with active access management records, directly addresses NIST SP 800-171 Domain 3.1, AC.L2-3.1. The Access Control family contains more security requirements than any other family in NIST SP 800-171.

What this document must include:

  • A formal Access Control Policy defining least privilege, need-to-know, and separation of duties
  • User provisioning and de-provisioning procedures
  • Multi-Factor Authentication (MFA) requirements for CUI systems
  • Privileged account management procedures
  • Remote access authorization and monitoring requirements
  • Role-based access definitions tied to specific job functions
  • Current access logs and account audit records

Under CMMC Level 2, assessors will request evidence, not just policy. Expect to produce user access lists, account audit logs, and records showing timely removal of terminated user access. Policy alone is insufficient.
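The evidence an assessor asks for in this section (user access lists, audit records, and proof that terminated users were removed on time) can be generated from an account export and an HR roster rather than assembled by hand. The following is an added example, not Brea Networks' tooling or code from this article: it reconciles a constructed account export against a constructed HR roster and reports the three over-provisioning patterns the section describes, namely accounts still enabled after their owner's termination, enabled accounts without MFA, and privileged accounts with no single accountable owner. The data classes, field names, the one-day grace period, and all sample users are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# All records below are constructed for this example; they are not real users or systems.

@dataclass
class Account:
    username: str
    owner: Optional[str]        # employee ID; None means no single accountable owner
    enabled: bool
    privileged: bool
    mfa_enforced: bool
    disabled_on: Optional[date]  # date the account was disabled, if it was

@dataclass
class Employee:
    employee_id: str
    terminated_on: Optional[date]

ACCOUNTS = [
    Account("asmith", "E100", True, False, True, None),
    Account("bjones", "E101", True, True, True, None),
    Account("cvendor", "E200", True, False, False, None),   # contractor never offboarded
    Account("dlee", "E102", False, False, True, date(2024, 3, 2)),  # disabled one day after termination
    Account("svc-admin", None, True, True, False, None),     # shared admin account, no owner
]

ROSTER = {
    "E100": Employee("E100", None),
    "E101": Employee("E101", None),
    "E102": Employee("E102", date(2024, 3, 1)),
    "E200": Employee("E200", date(2024, 2, 15)),
}

def stale_terminated(accounts, roster, as_of, grace_days=1):
    """Accounts whose owner is terminated but that were not disabled within grace_days.

    Returns (username, days the account stayed enabled past termination).
    """
    findings = []
    for acct in accounts:
        emp = roster.get(acct.owner) if acct.owner else None
        if emp is None or emp.terminated_on is None:
            continue
        deadline = emp.terminated_on + timedelta(days=grace_days)
        if acct.enabled and as_of > deadline:
            # Still enabled today: the exposure is still open.
            findings.append((acct.username, (as_of - emp.terminated_on).days))
        elif acct.disabled_on is not None and acct.disabled_on > deadline:
            # Disabled eventually, but later than the policy allows.
            findings.append((acct.username, (acct.disabled_on - emp.terminated_on).days))
    return findings

def missing_mfa(accounts):
    """Enabled accounts that can reach CUI systems without MFA enforced."""
    return [a.username for a in accounts if a.enabled and not a.mfa_enforced]

def unaccountable_privileged(accounts):
    """Enabled privileged accounts with no single owner (shared admin accounts)."""
    return [a.username for a in accounts if a.enabled and a.privileged and a.owner is None]

def access_review(accounts, roster, as_of):
    """Bundle the three checks into one record suitable for an assessment evidence file."""
    return {
        "as_of": as_of.isoformat(),
        "stale_terminated": stale_terminated(accounts, roster, as_of),
        "missing_mfa": missing_mfa(accounts),
        "shared_privileged": unaccountable_privileged(accounts),
    }

if __name__ == "__main__":
    for key, value in access_review(ACCOUNTS, ROSTER, date(2024, 4, 1)).items():
        print(f"{key}: {value}")
```

Run periodically and archive the output with a date stamp; the dated records are the "account audit records" and "timely removal" evidence the assessor will ask for, and the stale_terminated finding for the contractor account shows why the HR roster, not just the directory, has to be an input.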

5. Configuration Management Plan (CMP) & Baseline Documentation — CM.L2-3.4

Your IT environment changes constantly. New software gets installed, settings drift, patches are applied inconsistently, and shadow IT creeps in. Without a documented configuration management process, you have no reliable baseline against which to measure security risk.

The Configuration Management Plan maps to NIST SP 800-171 Domain 3.4, CM.L2-3.4, and requires contractors to establish and maintain baseline configurations for their information systems.

What your CMP must include:

  • Defined scope of systems subject to configuration management
  • Baseline configuration standards for operating systems, hardware, network devices, virtual machines, cloud resources, and security appliances
  • Change control procedures, including review, approval, testing, and documentation of changes
  • Software inventory and unauthorized software prevention controls
  • Security configuration benchmarks (referencing DISA STIGs or CIS Benchmarks where applicable)
  • Records of configuration changes with associated approvals

Assessors will look for evidence that your baseline exists, that changes are tracked, and that unauthorized changes are detected and addressed. A verbal description of your change control process is not sufficient. It must be in writing, and the records must exist.
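The three things the assessor wants to see here (a baseline exists, changes are tracked, unauthorized changes are detected) reduce to a comparison between a recorded baseline, the observed state, and the change records that approved any deviation. The following is an added example, not code from this article or from Brea Networks: it compares a constructed baseline for a hypothetical CUI workstation against a constructed observed state, matches each deviation against constructed change records, and separates approved drift from unauthorized drift. Every setting name, value and change ID is an assumption made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed baseline for a hypothetical CUI workstation; values are illustrative only.
BASELINE = {
    "password_min_length": "14",
    "account_lockout_threshold": "5",
    "smbv1_enabled": "0",
    "screen_lock_timeout_seconds": "900",
    "audit_logon_events": "success,failure",
    "software_inventory": "office-suite,edr-agent,vpn-client",
}

# Constructed observed state collected from the same host.
OBSERVED = {
    "password_min_length": "14",
    "account_lockout_threshold": "10",
    "smbv1_enabled": "1",
    "screen_lock_timeout_seconds": "900",
    "audit_logon_events": "success,failure",
    "software_inventory": "office-suite,edr-agent,vpn-client,torrent-client",
}

# Constructed change records: change ID -> (setting, approved value).
APPROVED_CHANGES = {
    "CR-0042": ("account_lockout_threshold", "10"),
}

@dataclass
class Drift:
    setting: str
    baseline: str
    observed: str
    approved_by: Optional[str] = None   # change ID that authorized the new value, if any

def detect_drift(baseline: Dict[str, str],
                 observed: Dict[str, str],
                 approved: Dict[str, Tuple[str, str]]) -> List[Drift]:
    """Every setting whose observed value differs from the baseline, tagged with its approval."""
    # Index approvals by setting so each deviation can be matched to a change record.
    approved_index = {setting: (cid, value) for cid, (setting, value) in approved.items()}
    drifts = []
    for setting in sorted(set(baseline) | set(observed)):
        base_val = baseline.get(setting, "<not in baseline>")   # present on host, never baselined
        obs_val = observed.get(setting, "<missing>")            # baselined, absent on host
        if base_val == obs_val:
            continue
        approved_by = None
        if setting in approved_index and approved_index[setting][1] == obs_val:
            approved_by = approved_index[setting][0]
        drifts.append(Drift(setting, base_val, obs_val, approved_by))
    return drifts

def unauthorized_drift(baseline, observed, approved) -> List[Drift]:
    """Deviations with no matching change record: the findings that need a ticket or a rollback."""
    return [d for d in detect_drift(baseline, observed, approved) if d.approved_by is None]

if __name__ == "__main__":
    for d in detect_drift(BASELINE, OBSERVED, APPROVED_CHANGES):
        status = f"approved via {d.approved_by}" if d.approved_by else "UNAUTHORIZED"
        print(f"{d.setting}: baseline={d.baseline!r} observed={d.observed!r} ({status})")
```

A deviation only counts as approved when the change record names both the setting and the exact observed value, so a change that was approved but applied incorrectly still surfaces as unauthorized drift. Keeping the approved list in the same repository as the baseline gives you the "records of configuration changes with associated approvals" in one place.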

Putting It All Together

These five documents do not exist in isolation. They are interconnected:

  • Your SSP references your policies and describes your controls.
  • Your POA&M tracks where those controls fall short.
  • Your IRP defines how you respond when a control fails.
  • Your Access Control Policy governs who can touch CUI systems.
  • Your CMP ensures those systems stay in a known, secure state.

Together, they form the foundational documentation of a defensible CMMC Level 2 compliance program. Keep in mind that a complete compliance program will require additional documentation beyond these five, including security awareness training records, risk assessments, audit logging policies, vulnerability management procedures, and vendor management controls. These five are where you start, not where you stop.

If you are preparing for a third-party assessment with a C3PAO, these documents will be among the first items reviewed. Gaps here signal to assessors that your program is immature, and immature programs rarely pass without significant findings.

Frequently Asked Questions

Do I need all five documents before a CMMC assessment?

Yes. An assessor will look for each of these during their evidence review. Missing or incomplete documentation is one of the most common reasons organizations receive findings during a CMMC assessment. Having drafts is not enough; documents must be complete, up to date, and reflective of your actual environment.

Can I use an SSP template?

You can use a template as a starting point, but the DoW publishes guidance on minimum SSP content rather than a single required format. What matters is that the SSP accurately describes your specific system, environment, and control implementations. A generic template submitted without customization will be identified immediately by a C3PAO assessor.

What happens if my SSP is incomplete during an assessment?

An incomplete SSP is a finding. Depending on the severity, it could result in a deficiency against CA.L2-3.12.4, which may affect your ability to achieve CMMC Level 2 certification or result in a Conditional status requiring a POA&M closure timeline.

How often should an SSP be updated?

Your SSP should be treated as a living document. It must be reviewed and updated whenever there is a significant change to your system, environment, or personnel, and at a minimum, annually. Assessors will ask when it was last reviewed and by whom.

Need Help Getting Your Documentation in Order?

At CMMCCompliance, we work exclusively with small and mid-size defense contractors navigating the CMMC certification process. We help you build documentation that meets the standard, not just checks a box.

Contact us today to schedule a complimentary discovery call and learn where your program stands.

Note: Although NIST SP 800-171 Revision 3 has been published, the current CMMC Level 2 program continues to assess against the requirements specified in the applicable DoW rule and contract requirements. Contractors should verify the applicable revision with their contracting officer.

This article references requirements from NIST SP 800-171 Rev 2, DFARS 252.204-7012, and the CMMC Model. Contractors should consult with a qualified CMMC Registered Practitioner or C3PAO for guidance specific to their environment.

If your organization supports defense contracts and is unsure how CMMC timelines, SPRS requirements, or assessment readiness apply to you, now is the time to get clarity.

Download the CMMC Level 2 Audit Checklist to understand what assessors look for, what evidence is required, and where organizations most commonly fall short.

About Brea Networks

Brea Networks is a cybersecurity and compliance-focused IT partner dedicated to supporting Defense Industrial Base (DIB) contractors. We help organizations understand and implement the security requirements outlined in FAR 52.204-21, DFARS 252.204-7012, and the CMMC framework. From Level 1 self-assessments to Level 2 readiness and certification preparation, our team works alongside contractors to strengthen system security, define scope, prepare documentation, and build sustainable compliance programs that protect FCI and CUI.
