ITAR Registration Code: M49438 / Cage Code: 94U86

How to Build a System Security Plan (SSP) for CMMC Level 2 That Makes Your Assessment Easier

Table of Contents

A System Security Plan (SSP) is one of the most important documents your organization will create when preparing for a CMMC Level 2 assessment. It explains how your organization protects Controlled Unclassified Information (CUI), defines the assessment boundary, and documents how the security requirements of NIST SP 800-171 Revision 2 are implemented.

Although many organizations treat the SSP as a compliance document, assessors use it as the primary reference for understanding your environment. A well-written SSP helps validate scope, explains your security architecture, and makes it easier to locate supporting evidence during the assessment.

Technical Note: NIST SP 800-171 Revision 3 has been published; however, current CMMC Level 2 assessments remain based on NIST SP 800-171 Revision 2 until the Department of Defense updates the CMMC program through future rulemaking.

Why the SSP Matters

The SSP is evaluated under CA.L2-3.12.4, which requires organizations to develop, document, and periodically update a System Security Plan describing:

  • System boundaries
  • Operational environment
  • Implementation of security requirements
  • Relationships with or connections to other systems

Before testing individual security requirements, assessors typically review the SSP to understand the environment, validate the assessment scope, identify systems that process, store, or transmit CUI, and determine what evidence will be needed during the assessment.

An accurate SSP often reduces follow-up questions because assessors have a clear understanding of your environment before interviews and technical demonstrations begin.

Why the SSP Matters

While organizations may use different formats, every effective SSP should clearly describe the environment being assessed.

1. System Overview

Provide a concise description of the organization and the assessed environment, including:

  • Business purpose
  • Users
  • Information processed
  • Mission of the system

This establishes the context for the assessment.

2. Assessment Scope

Clearly identify the assets included within the assessment, such as:

  • CUI Assets
  • Security Protection Assets (SPAs)
  • Contractor Risk Managed Assets (CRMAs)
  • Specialized Assets
  • Out-of-Scope Assets

Accurate scoping helps prevent unnecessary assessment delays and ensures only the appropriate assets are evaluated. For detailed guidance on categorizing assets, see the CMMC Level 2 Scoping Guide.

3. System Boundaries

Clearly define where the assessed environment begins and ends.

Document items such as:

  • Assessment boundary
  • Data flows
  • External connections
  • Cloud Service Providers (CSPs)
  • External Service Providers (ESPs)
  • Trust boundaries
  • CUI entry and exit points

Well-defined boundaries help assessors understand exactly what is included within the assessment.

Not sure where your organization stands with CMMC, ITAR, or federal cybersecurity requirements? The fastest way to get clarity is to talk with an expert. Book a call with our team to review your current environment, identify compliance risks, and understand what steps are required to move forward. A short conversation can help you avoid costly mistakes and focus on what matters for contract eligibility and security.

SCHEDULE YOUR FREE CONSULTATION!

4. Architecture Documentation

Include current documentation that accurately reflects the production environment, such as:

  • Network diagrams
  • Logical architecture
  • CUI data flow diagrams
  • Identity infrastructure
  • Remote access architecture
  • Cloud environments
  • Major security technologies

Architecture documentation should always match the environment being assessed.

5. Security Control Implementation

For each applicable NIST SP 800-171 requirement, explain how your organization implements the control.

Reference supporting documentation when appropriate, including:

  • Policies
  • Procedures
  • Technical configurations
  • Security technologies
  • Supporting evidence

Avoid simply copying the requirement. Instead, describe how the control operates within your environment. Assessors will validate implementation using the procedures in NIST SP 800-171A and the CMMC Assessment Guide Level 2.

6. Roles, Assets, and External Connections

Your SSP should also identify:

  • Security and administrative responsibilities
  • Hardware and software supporting CUI
  • External vendors and service providers
  • Shared responsibilities with MSPs, MSSPs, or CSPs

Together, these elements provide assessors with a complete understanding of the assessed environment.

Common Documentation Problems

Many assessment findings occur because documentation does not accurately reflect the implemented environment.

Common issues include:

  • Outdated SSPs that do not reflect infrastructure changes such as new cloud services, firewalls, MFA platforms, or remote access solutions.
  • Incomplete asset inventories that omit virtual machines, cloud resources, remote devices, or security appliances.
  • Generic control descriptions that restate requirements instead of explaining how controls are implemented.
  • Outdated network diagrams that no longer represent the production environment.
  • Missing references to supporting documentation such as policies, procedures, risk assessments, or configuration standards.

Keeping documentation current helps assessors verify security controls more efficiently and reduces unnecessary clarification requests.

Organizing Assessment Evidence

One of the easiest ways to simplify a CMMC assessment is to organize supporting evidence before the assessment begins.

For each implemented security requirement, reference supporting artifacts such as:

  • Policies
  • Procedures
  • Technical configurations
  • Reports
  • Screenshots
  • Log evidence

Many organizations also maintain an Evidence Traceability Matrix that links each NIST SP 800-171 requirement to supporting documentation. While not required by CMMC, it can make responding to assessor requests significantly easier.

Maintaining an Audit-Ready SSP

Your SSP should be treated as a living document rather than something updated only before an assessment.

Review and update the document whenever you:

  • Add or remove CUI assets
  • Modify network architecture
  • Deploy new security technologies
  • Change cloud environments
  • Update security policies
  • Complete risk assessments
  • Make significant infrastructure changes

Routine maintenance helps ensure your documentation remains accurate and reduces last-minute remediation efforts.

Final Thoughts

A well-developed System Security Plan is one of the strongest indicators that an organization understands and manages its CMMC assessment scope. Beyond satisfying CA.L2-3.12.4, the SSP documents your system boundaries, security architecture, control implementation, and supporting evidence in a single location.

Organizations that maintain current documentation, clearly define assessment boundaries, and organize supporting evidence are generally better prepared for CMMC assessments and spend less time responding to documentation requests.

Treat your SSP as an operational document that evolves with your environment. Doing so not only supports CMMC readiness but also strengthens your organization’s overall cybersecurity program.

Need Help Developing Your SSP?

Brea Networks helps defense contractors develop System Security Plans that align with current CMMC Level 2 assessment requirements based on NIST SP 800-171 Revision 2.

Whether you need assistance defining your assessment boundary, documenting system architecture, or preparing assessment evidence, our team can help you build an audit-ready SSP that supports a more efficient CMMC assessment.

Government References

If your organization supports defense contracts and is unsure how CMMC timelines, SPRS requirements, or assessment readiness apply to you, now is the time to get clarity.

Download the CMMC Level 2 Audit Checklist to understand what assessors look for, what evidence is r…

About Brea Networks

Brea Networks is a cybersecurity and compliance-focused IT partner dedicated to supporting Defense Industrial Base (DIB) contractors. We help organizations understand and implement the security requirements outlined in FAR 52.204-21, DFARS 252.204-7012, and the CMMC framework. From Level 1 self-assessments to Level 2 readiness and certification preparation, our team works alongside contractors to strengthen system security, define scope, prepare documentation, and build sustainable compliance programs that protect FCI and CUI.

What Changes: The Affirmation Requirement. The annual affirmation requirement applies at Level 3 just as it does at Level 2. Under 32 CFR § 170.22, a senior company official must submit an annual affirmation in SPRS confirming continued compliance within the CMMC Assessment Scope. Given that Level 3 status also satisfies Level 1 and Level 2 status requirements for the same scope, the annual affirmation at Level 3 covers the full body of requirements across all three levels.