Under NIST SP 800-171, which forms the foundation for CMMC Level 2, the SSP is a required document. It must describe the current state of each of the 110 security controls across 14 control families—explaining not just what the control is, but how it is implemented in your environment.
Think of the SSP as your blueprint for compliance and cybersecurity. It helps assessors, auditors, and internal stakeholders understand how your organization protects sensitive data and where your responsibilities begin and end.
If you are a contractor or subcontractor working with the Department of Defense (DoD), having an accurate and up-to-date SSP is not optional; it’s mandatory.
Here’s why your SSP matters:
| SPRS scoring: You cannot submit a valid Supplier Performance Risk System (SPRS) score without a documented SSP and Plan of Action and Milestones (POA&M). | |
| DFARS compliance: The DFARS 252.204-7012 clause requires contractors to implement NIST SP 800-171 and document how each control is handled. | |
| CMMC Level 2 assessments: A complete SSP is one of the first things a C3PAO assessor will review. If it’s vague, incomplete, or outdated, your certification is at risk. | |
| Legal risk: Misrepresenting your cybersecurity posture, such as claiming compliance without a real SSP, can result in serious penalties under the False Claims Act. |
Put simply, if you’re handling CUI and don’t have a living, detailed SSP, your organization is out of compliance and exposed to both contractual and cybersecurity risk.
If your organization creates, receives, stores, processes, or transmits CUI on behalf of the DoD or another federal agency, you need an SSP. This includes:
Even if your team outsources cybersecurity to an MSSP like MAD Security, the responsibility for documentation and compliance still belongs to you. That’s why it's essential to understand what goes into the SSP and how to maintain it.
At MAD Security, we help defense contractors turn this requirement into an opportunity. A well-written SSP can simplify audits and strengthen your cybersecurity posture. That starts with understanding the four qualities every SSP must have.
A successful SSP must meet four key standards. If any of these are missing, your plan will likely be flagged during a CMMC assessment.
|
ClearUse straightforward language. Avoid vague terms like “handled appropriately” or “in accordance with policy” unless you explain what that means. An assessor should be able to read about your implementation and understand exactly how the control is applied in your environment. |
|
ConciseStay focused. Each control should explain only what’s necessary: who does what, how it’s done, when it happens, and with what tools or processes. Long-winded descriptions or policy copy-paste sections are red flags for assessors. |
|
ConsistentUse the same terminology throughout. If you refer to “XYZ System” in one place, don’t call it “production environment” or “network A” elsewhere. Keep role names, control statuses, and system identifiers consistent across all controls and references. |
|
CompleteEvery single control and its related assessment objectives (from NIST SP 800-171A) must be answered. If a control includes parts A, B, and C, you must describe each part. Leave no blank sections. If you must use “N/A,” back it up with a detailed, risk-based justification. |
Think of your SSP as a narrative. It’s not enough to say that a control is “in place.” You need to show that it’s implemented by explaining:
| Who is responsible for the action (for example, IT manager or SOC analyst) | |
| What is being done (such as reviewing logs or encrypting backups) | |
| When and how often it happens (weekly, monthly, or in real time) | |
| How it’s done (with specific tools, procedures, or platforms) |
This storytelling model isn’t just helpful. It is required. NIST SP 800-171A and CMMC assessment guides emphasize that controls must be described in a way that makes them testable and traceable to evidence.
A vague or generic SSP may look like progress, but it won’t hold up under a real CMMC Level 2 assessment. That’s why MAD Security encourages you to build your SSP with the same mindset you bring to engineering, quality assurance, or operations: clarity, precision, and accountability.
At MAD Security, we recommend building your SSP using a format that draws from the NIST SP 800-18 framework. This structure should be adapted specifically for NIST SP 800-171 and the related CMMC Level 2 assessment requirements.
To meet CMMC expectations, your SSP should contain the following core elements. These define the scope, ownership, and supporting documentation that make your plan defensible during an audit.
System Name and Unique IdentifierUse a consistent name throughout the document. If your environment includes more than one enclave or isolated network, identify each one clearly and use the same terms in every control description. |
Operational StatusIndicate whether the system is in production, under development, or upgraded. This helps assessors understand what is implemented today and what is still in progress. |
Authorization BoundaryDefine the physical and logical boundaries of your system. Describe where CUI is processed, stored, or transmitted. Include segmentation details and clarify what is inside and outside the boundaries. |
System Architecture and Data Flow DiagramsInclude clear visuals that show how data moves across your network. Diagrams should identify firewalls, interconnection points, cloud services, and the flow of CUI between system components. |
System Components InventoryList all relevant hardware, software, virtual systems, cloud resources, and third-party services that play a role in CUI protection. This list defines what assets are in scope. |
Role-Based Access and Points of ContactIdentify key personnel and their responsibilities. Include system owners, security managers, IT administrators, and anyone who implements or oversees control execution. |
Referenced Policies and ArtifactsEvery time your SSP mentions a policy or procedure, include the document name, version, publication date, and section or page number. This makes it easy for assessors to trace your implementation statements back to evidence. |
|
CMMC assessments are based not only on technical implementations but also on how well your documentation supports compliance. The content of your SSP must align with how your systems operate in real life and how they are governed under your contract.
| Security Categorization Most DIB organizations that handle CUI fall under a FIPS 199 moderate baseline. You should state this explicitly and explain how you determined the categorization. |
|
| System Environment Description Describe the hosting model of your environment. Clarify whether your systems are on-premises, in the cloud, or part of a hybrid architecture. Be specific about what your organization manages directly versus what is managed by a provider. |
|
| External Dependencies and Interconnections Identify any third-party services that contribute to your system’s security. This includes MSSPs like MAD Security. Describe what they do, what systems they support, and how responsibilities are divided. |
|
| System Lifecycle and Change Management Explain how changes are managed in your environment. This includes how patches are applied, how configuration changes are reviewed, and how your organization ensures the system continues to meet compliance requirements over time. |
When your SSP includes all of these elements and uses clear language to describe your system's architecture, responsibilities, and scope, you are building a document that can stand up to scrutiny. A strong structure makes your control implementations easier to write, easier to verify, and easier to maintain.
Each control must be documented in a way that allows an assessor to understand what you do, how you do it, and who is responsible. MAD Security uses a simple but powerful framework to help clients build implementation descriptions that meet these expectations:
| Start with the control description and intent. Restate the control briefly in your own words to clarify the scope. |
|
| Break it down by assessment objective. Each control has one or more specific objectives in NIST SP 800-171. Treat each one as a requirement to answer. |
|
Answer the following questions for each objective:
|
Example: Writing an Effective Response for AC. L2-3.1.1
Control: Limit system access to authorized users, processes acting on behalf of authorized users and devices (including other systems).
A weak response: “User access is controlled based on policy.”
A strong response: “The system administrator provisions user accounts through Active Directory after written approval from department managers. Access requests are submitted through our IT ticketing system, which tracks requestor, justification, and approver. Access is granted only to users with a business need, based on the least privilege. The security team reviews account activity quarterly. Evidence includes account request forms, Active Directory group listings, and quarterly access review reports.”
This type of response is what assessors expect. It is testable, verifiable, and linked to real-world procedures and artifacts.
Each control in your SSP should include a status label and a clear explanation of who is responsible. Use the following labels consistently:
| Implemented: Fully deployed and operational | |
| Planned: Not yet in place, but implementation is scheduled and tracked in your POA&M | |
| Inherited: Provided entirely by a third party or cloud provider | |
| Hybrid: Shared responsibility between your organization and a third party |
If a control is hybrid or inherited, your SSP must explain the division of responsibility. Use a simple table or Shared Responsibility Matrix if needed. Assessors will want to know who does what they do.
Every control implementation should be written with two goals:
Do not document an ideal future. Your SSP must reflect on what is being implemented now.
Your implementation descriptions should naturally lead to evidence, such as policies, screenshots, logs, or system settings.
Ask yourself: If someone asked me to prove this control is in place, could I hand them something right now?
When each control is treated as a mini case study of how your security program works, your SSP becomes a powerful tool. It is no longer just a requirement. It becomes documentation that supports audit readiness, internal training, and ongoing system improvement.
In a CMMC assessment, it is not enough to say that a third party “handles security.” Your SSP must explain exactly which parts of each control are your responsibility and which are managed by others.
Most SSPs in the DIB environment include hybrid controls. These are controls where implementation is split between your organization and one or more external providers.
For example, MAD Security might handle 24/7 log monitoring and threat detection for your systems. But your internal IT team is still responsible for user account creation, role assignment, and onboarding. That’s a hybrid model, and the SSP needs to spell it out clearly.
Every control that involves outside support should include:
If a control is fully inherited from a provider, such as through a FedRAMP-authorized cloud service, your SSP should include references to documentation from that provider. You are still responsible for understanding what they cover and showing how it supports your compliance.
One of the most effective ways to clarify hybrid implementations is by including a Shared Responsibility Matrix in your SSP or as an appendix. This table helps assessors quickly see how responsibilities are divided across all relevant controls.
Your matrix should include:
This type of clarity builds confidence with assessors. It also helps your internal teams and vendors stay aligned on who is doing what and when.
When you rely on a third party for any part of your security implementation, your SSP must do more than just name the provider. You should also:
If MAD Security is part of your cybersecurity program, your SSP should reflect the operational reality of that relationship. That includes how our tools are deployed, what roles we play in control implementation, and how you track the effectiveness of our support.
Clear documentation of shared responsibilities helps you pass your audit. But more importantly, it helps ensure that your cybersecurity program is not just functional. It is accountable, measurable, and resilient.
When describing how a control is implemented, avoid vague or passive statements. Use an active voice and focus on what your organization does.
Instead of saying, "Access is granted based on need."
Write: "The IT administrator grants access only after receiving written approval through the access request workflow. Requests are logged and retained in the ticketing system for 90 days."
Avoid these common mistakes:
Each control should read a brief, focused summary of your real implementation, what it does, when it happens, how it happens, and where the evidence can be found.
Your SSP must reflect how your systems and teams work. Assessors will check that your documentation lines up with evidence, such as logs, access control records, or user training reports.
To ensure alignment:
If your SSP says a control is “implemented,” be ready to show how and by whom.
CMMC assessments, DFARS audits, and even internal reviews all require that your SSP is current. This means the SSP should be reviewed and updated:
Maintaining a change log within the SSP is recommended. This log should note the date of each update, a summary of what changed, and who approved the revision. This demonstrates to assessors that your SSP is not just a formality. It is an integral part of your cybersecurity program.
Clear, current, and consistent documentation is a major differentiator during assessments. A well-written SSP tells the story of a well-managed system. With MAD Security’s guidance and services, our clients gain not just implementation support but also the documentation and structure needed to prove it.
The SSP should evolve alongside your environment. Systems change. Tools are replaced. Responsibilities shift. A static SSP quickly becomes a liability.
You should review and update your SSP:
Build this into your normal operational rhythm. Schedule periodic reviews and link them to your internal change management process. Include a change log in the SSP that tracks when updates were made, who made them, and what changed.
The more your SSP reflects real operations, the easier it is to maintain. If you are using a managed detection and response (MDR) service, vulnerability management platform, or cloud-based compliance tool, your SSP should reference those tools directly.
You can tie your SSP to:
This shows assessors that your controls are not just documented. They are also active, monitored, and measured.
Many organizations use tools like Microsoft Purview Compliance Manager, GRC platforms, or audit dashboards to track control status and evidence. If you use automation to manage SSP-related tasks, describe them in your documentation.
For example: “User access requests and approvals are logged through the ServiceDesk Plus platform. Reports are generated monthly and reviewed by the IT manager.”
Automation is not required for CMMC, but assessors will want to understand how you maintain consistency and oversight. Even simple automation, such as alerting when policies are overdue for review, can strengthen your SSP’s credibility.
When the SSP is embedded into your organization’s operations, it becomes more than a requirement. It becomes a reflection of a mature cybersecurity program. MAD Security helps clients align people, processes, and tools, so their SSP stays accurate, defensible, and audit-ready always.
Having a structured starting point can make a significant difference. MAD Security provides clients with SSP templates that are built around best practices, clear formatting, and alignment with CMMC requirements.
Templates we recommend include:
| SSP Control Implementation Template A formatted template with one section per control, pre-mapped to NIST SP 800-171A assessment objectives. Includes prompts to help describe who, what, when, how, and supporting evidence. |
|
| Shared Responsibility Matrix A worksheet that helps document hybrid or inherited controls. Identifies which party (you or your provider) is responsible for each aspect of control implementation. |
|
| Policy and Evidence Cross-Reference Table A tool to link each SSP control to supporting policies, procedures, logs, and other evidence sources. Useful during assessments to demonstrate traceability. |
|
| System Inventory and Boundary Worksheet Helps map out systems, components, data flows, and boundaries relevant to CUI protection. |
These templates are designed to simplify SSP development and support consistent documentation across all control families.
Many organizations benefit from basic tooling to maintain their SSP and related documentation. These tools can help you track changes, link controls to evidence, and prepare audits.
Examples include:
If you use automation to track control status or monitor compliance, your SSP should reference that. The goal is to show that your documentation is current, verifiable, and connected to real-world processes.
Use the following resources to ensure your SSP aligns with government expectations and assessment criteria:
NIST SP 800-171The official control set for protecting Controlled Unclassified Information in nonfederal systems. |
NIST SP 800-171AThe assessment guide breaks down each control into testable objectives. This is essential when writing SSP control responses. |
NIST SP 800-18 Revision 1 & Revision 2 (Draft)Updated guidance on SSP structure and required content. Useful for modeling layout and shared responsibility definitions. |
CMMC Assessment Guide for Level 2Published by the DoD, this outlines what assessors will be looking for when reviewing your controls and documentation. |
DFARS Clause 252.204-7012 and Related ClausesThese form the contractual foundation for applying NIST SP 800-171. Your SSP must show how you meet these requirements. |
|
With the right structure, supporting tools, and trusted references, your SSP becomes more than just a compliance document. It becomes a living record of your cybersecurity program’s integrity and maturity. MAD Security helps clients connect these resources into a unified documentation strategy that stands up to scrutiny.
Throughout this guide, we have emphasized one consistent message. A strong SSP reflects how your system operates in real life. It connects technical controls, organizational processes, and third-party support into a clear, accurate, and audit-ready document.
Many SSPs fall short during assessments for the same reasons:
These are avoidable mistakes. With the right structure and support, your SSP can become a competitive advantage. It can reduce audit delays, improve team alignment, and strengthen your cybersecurity skills.
MAD Security helps defense contractors move from guesswork to clarity. We bring deep experience across NIST, DFARS, and CMMC requirements, along with practical insight from supporting Joint Surveillance Voluntary Assessments and CMMC readiness efforts.
We support our clients with:
When you work with MAD Security, you are not just hiring a vendor. You are gaining a long-term partner committed to your success.
Once your SSP is built, the work does not stop. Keep it current. Tie it to real operations. Use it to train your team and guide internal audits. Treat it as a living document that reflects the strength and integrity of your cybersecurity program.
If you need help building, reviewing, or improving your SSP, MAD Security is ready to support you. Our team works alongside yours to simplify compliance, strengthen documentation, and help you achieve CMMC with confidence.
Original Publish Date: July 10, 2025
By: MAD Security