If you're a small or medium business pursuing DoD contracts, your SSP is the document that shows an assessor how you protect sensitive federal information. Without a complete, accurate SSP you won't pass a CMMC Level 2 assessment, and you won't be eligible for contracts that require that certification.

What is a System Security Plan (SSP)?

According to NIST, an SSP document is a “formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements.”

In other words, an SSP provides a roadmap of your organization’s cybersecurity practices and controls, ensuring the confidentiality, integrity, and availability of sensitive data. An effective SSP demonstrates your organization’s commitment to strong cybersecurity practices and establishes accountability for managing risk.

A CMMC System Security Plan must also specify the exact systems, technologies, and responsible personnel covered. In fact, during a CMMC Level 2 assessment, a Certified Third-Party Assessor Organization (C3PAO) will typically request your SSP first to evaluate your compliance posture.

What Your SSP Needs for CMMC 2.0:

As your organization’s SSP needs to be extremely specific, it can be difficult to ensure that all CMMC requirements have been met. That’s why our CMMC compliance experts have compiled this helpful guide:

Key Requirements by CMMC Level

1) Documentation of all 110 Practices

CMMC Level 2 requires implementing the 110 security requirements of NIST SP 800-171 Rev. 2, spread across 14 families such as Access Control, Audit and Accountability, and Identification and Authentication.

  • Level 1: You need the 15 basic safeguarding requirements of FAR 52.204-21, verified by an annual self-assessment and affirmation in SPRS. No SSP is mandated at this level, though documenting how each requirement is met is recommended. 
  • Level 2: The SSP must document implementation of all 110 requirements of NIST SP 800-171 Rev. 2, and the assessor verifies each one against the assessment objectives in NIST SP 800-171A.

For each requirement, the documentation must answer the following questions: 

  • Who is responsible for implementation and maintenance? 
  • How is this achieved? 
  • What tools/systems are involved?
  • Where does this practice apply?

2) Maturity Requirements Documentation

CMMC 2.0 dropped the separate process-maturity requirements of CMMC 1.0, but assessors still expect proof that each practice is implemented and sustained, not merely described.

For Level 2, show evidence of:

  • Establishing practices (policies & procedures)
  • Maintaining practices over time
  • Resourcing practices appropriately

3) Policy and Procedure Pairing

For each practice area, assessors expect both a policy (the “what” and “why”) and procedures (the “how”), and they will check that what the procedures say matches what is actually configured. Every policy and procedure document should carry a version number, an approver, and a last-review date. 

  • Level 1: No formal policies or procedures required; show consistent practices. 
  • Level 2: Policies and procedures must be formal, documented, and consistent with the SSP

4) Assessment Evidence Requirements

While preparing for CMMC Level 2 certification, know that your SSP will become the roadmap for C3PAO assessors. 

What that means:

  • Your SSP needs to be specific enough that an assessor can verify implementation
  • It must reference the evidence artifacts (logs, screenshots, configuration exports, tickets) that substantiate each control, so every statement can be traced to something the assessor can examine, interview about, or test
  • Vague statements like "we follow best practices" won't be enough

5) POA&M Integration

For CMMC Level 2, your POA&M is the document that tracks remediation of known security weaknesses and control deficiencies. Under the CMMC Program rule (32 CFR Part 170), a Level 2 assessment may close with a POA&M only within limits: the assessment score must be at least 80 percent of the total (88 of 110 requirements), requirements weighted at more than one point in the DoD Assessment Methodology may not be deferred (the rule lists a small number of further restrictions), and every open item must be closed and verified within 180 days or the conditional status lapses. Set your due dates with that window in mind.

  • If gaps exist at assessment, your POA&M must be formally linked to the SSP: every deferred item cites the NIST SP 800-171 requirement ID and states the current and target state, and the SSP entry for that requirement says the same thing
  • Your POA&M must show risk-based prioritization (impact and likelihood), a named owner, milestones, and a due date for each item
  • Record interim mitigations for each open item, and close an item only when the evidence shows the requirement is met, updating the SSP entry at the same time

Level 1 does not permit a POA&M: all 15 FAR 52.204-21 requirements must be fully met at the time of the self-assessment.
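As an added example of the SSP-to-POA&M linkage described above (this is not BD Emerson's tooling and not a CMMC-mandated format), the following Python script checks a small, constructed SSP control inventory against a POA&M: every gap the SSP admits to must have an open POA&M item; every item must cite a well-formed NIST SP 800-171 requirement ID that exists in the SSP and carry an owner, milestones, a due date and an interim mitigation; and a closed item must have closure evidence and agree with the SSP status. It then orders open items by impact times likelihood. The record layouts, status vocabulary, 1 to 5 scoring scale, control statuses and dates are all assumptions chosen for the demo.

```python
# Consistency checks between an SSP control inventory and a POA&M. Added example,
# not BD Emerson tooling; layouts, status vocabulary, 1-5 scales and data are assumed.
import re
from dataclasses import dataclass, field
from datetime import date

# NIST SP 800-171 Rev. 2 requirement IDs: 3.<family>.<n>, families 3.1 through 3.14.
CONTROL_ID = re.compile(r"^3\.(?:[1-9]|1[0-4])\.\d{1,2}$")
GAP_STATUSES = {"partially implemented", "not implemented"}
DEMO_TODAY = date(2025, 10, 1)  # fixed "today" so the demo is reproducible

@dataclass
class SspControl:  # one row of the SSP control inventory (assumed layout)
    control_id: str
    status: str  # implemented | partially implemented | not implemented | not applicable
    owner: str

@dataclass
class PoamItem:  # one POA&M entry, linked to the SSP by control_id (assumed layout)
    control_id: str
    current_state: str
    target_state: str
    owner: str
    impact: int      # 1 (low) .. 5 (high)
    likelihood: int  # 1 (rare) .. 5 (likely)
    milestones: list
    due: date
    status: str = "open"  # open | closed
    interim_mitigation: str = ""
    closure_evidence: list = field(default_factory=list)

def check_poam(controls, items, today):
    """Return (severity, control_id, message) findings for SSP/POA&M inconsistencies."""
    findings = []
    ssp = {c.control_id: c for c in controls}
    open_ids = {it.control_id for it in items if it.status == "open"}
    # Every gap the SSP admits to must be tracked by an open POA&M item.
    for c in controls:
        if c.status in GAP_STATUSES and c.control_id not in open_ids:
            findings.append(("high", c.control_id, f"SSP says '{c.status}' but no open POA&M item"))
    for it in items:
        cid = it.control_id
        if not CONTROL_ID.match(cid):
            findings.append(("high", cid, "not a NIST SP 800-171 requirement ID"))
            continue
        if cid not in ssp:
            findings.append(("high", cid, "cites a control missing from the SSP"))
            continue
        ctrl = ssp[cid]
        if not it.owner:
            findings.append(("medium", cid, "no owner assigned"))
        if not it.milestones:
            findings.append(("medium", cid, "no milestones"))
        if it.status == "open":
            if ctrl.status == "implemented":
                findings.append(("medium", cid, "open item but SSP says implemented; one is stale"))
            if not it.interim_mitigation:
                findings.append(("low", cid, "no interim mitigation recorded"))
            if it.due < today:
                findings.append(("medium", cid, f"past due ({it.due.isoformat()})"))
        elif it.status == "closed":  # closure needs evidence, and the SSP must agree
            if not it.closure_evidence:
                findings.append(("high", cid, "closed without closure evidence"))
            if ctrl.status != "implemented":
                findings.append(("high", cid, f"closed but SSP still says '{ctrl.status}'"))
    return findings

def prioritize(items):
    """Open items ordered by impact x likelihood (highest risk first), then due date."""
    open_items = [it for it in items if it.status == "open"]
    return [it.control_id for it in sorted(open_items, key=lambda i: (-i.impact * i.likelihood, i.due))]

def sample_data():
    """Constructed sample SSP rows and POA&M items; every value is made up for the demo."""
    controls = [
        SspControl("3.1.1", "implemented", "IT Lead"),
        SspControl("3.5.3", "partially implemented", "IT Lead"),  # MFA gap, tracked below
        SspControl("3.13.11", "not implemented", "IT Lead"),      # gap with no POA&M item
        SspControl("3.3.1", "implemented", "SecOps"),             # closed item below has no evidence
        SspControl("3.14.1", "partially implemented", "SecOps"),
    ]
    items = [
        PoamItem("3.5.3", "MFA on VPN only", "MFA on all network access", "IT Lead", 5, 4,
                 ["Pilot MFA on email", "Enforce MFA tenant-wide"], date(2025, 9, 30),
                 interim_mitigation="Admin accounts restricted to a jump host"),
        PoamItem("3.3.1", "No central logging", "SIEM ingesting all servers", "SecOps", 4, 3,
                 ["Deploy collector"], date(2025, 6, 1), status="closed"),
        PoamItem("3.14.1", "Manual patching", "Automated patch deployment", "", 3, 3, [],
                 date(2025, 12, 15)),
        PoamItem("3.99.1", "n/a", "n/a", "SecOps", 1, 1, ["x"], date(2025, 12, 31)),  # bad ID
    ]
    return controls, items

def run_demo():
    """Run the checks over the sample data; returns (findings, prioritized open control IDs)."""
    controls, items = sample_data()
    return check_poam(controls, items, DEMO_TODAY), prioritize(items)
```

Calling run_demo() on the sample data yields seven findings: three high (the untracked 3.13.11 gap, the 3.3.1 item closed without evidence, and the malformed ID 3.99.1), three medium (3.5.3 past due, 3.14.1 with no owner and no milestones) and one low (3.14.1 with no interim mitigation), plus the remediation order 3.5.3, 3.14.1, 3.99.1. The same checks run just as well over an SSP and POA&M exported from a spreadsheet or GRC tool once the rows are loaded into these records.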

6) Scope Boundary Precision

Level 2 assessments are much stricter about scope definition than Level 1 assessments. 

At Level 2, you must: 

  • Categorize every asset using the CMMC Level 2 Scoping Guide categories (CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets) and state which of them fall inside the assessment scope
  • Include network and data flow diagrams that show where CUI enters, is stored, is processed, and leaves the environment, including any cloud services and external service providers 
  • Document ALL systems that process, store, or transmit CUI, together with the security-protection assets (identity provider, SIEM, endpoint agents, backup systems) that defend them

Level 1: No formal boundary documentation is required, but scope still means all systems that process, store, or transmit FCI plus the security-protection assets that defend them. Reserve the data flow diagrams and detailed boundary definition for the Level 2 (CUI) environment.

Why is an SSP Important?

An SSP document serves as both a compliance artifact and a strategic security roadmap. It provides auditors and stakeholders with a clear view of your cybersecurity posture and planned improvements. You can’t be CMMC Level 2 certified without it.

Compliance Requirements: Defense contractors subject to DFARS 252.204-7012 must implement NIST SP 800-171, and requirement 3.12.4 of that standard obliges them to develop, document, and periodically update an SSP. The self-assessment score reported to SPRS under DFARS 252.204-7019/7020 is derived from it, and a C3PAO will ask for it at the start of a Level 2 assessment. For FedRAMP, cloud providers must provide an SSP to obtain an Authorization to Operate (ATO).

Risk Management and Reduction: The SSP helps identify vulnerabilities and prioritize remediation to strengthen your organization’s overall cybersecurity resilience.

Audit Preparation: During compliance audits such as CMMC or FedRAMP, an SSP is a key document used to demonstrate adherence to required controls.

Client and Stakeholder Trust: A robust SSP communicates to customers and partners that your organization can protect sensitive data and maintain compliance.

Business Stability and Success: A current, accurate SSP keeps the organization ready for assessments and incidents alike, with less disruption when either arrives.

What Organizations Need an SSP?

Organizations that handle regulated data or government contracts must maintain a compliant SSP.

U.S. Federal Contractors and Subcontractors: The CMMC acquisition rule (DFARS 252.204-7021) took effect on November 10, 2025 and is being phased into DoD solicitations over three years. Companies in the Defense Industrial Base (DIB) that handle CUI will need a CMMC Level 2 assessment, and therefore an SSP, to be eligible for award once the clause appears in their contracts.

Cloud Service Providers (CSPs): Any CSP pursuing a FedRAMP ATO must submit a complete FedRAMP System Security Plan based on NIST SP 800-53 controls as part of its authorization package.

Federal Agencies and Government Entities: FISMA mandates that all U.S. agencies maintain system security plans supporting their security controls.

Private-Sector Vendors Handling Sensitive Data: Any organization that must document its security controls to satisfy a contractual or regulatory requirement benefits from an SSP. For defense contractors handling CUI, the SSP is explicitly required for CMMC Level 2 and underpins compliance with DFARS 252.204-7012.

Steps to Creating a Compliant SSP

While developing an SSP can seem daunting, BD Emerson’s compliance experts guide your security team through documentation, control mapping, and framework alignment, ensuring you meet SSP compliance requirements before they impact business opportunities.

Step 1: Perform a Gap Assessment

Assess your current controls and policies against NIST 800-171 to identify missing or incomplete measures.

Step 2: Define the Scope

Outline system boundaries and data flows to ensure your System Security Plan accurately covers all relevant assets and environments.

Step 3: Gather Documentation

Compile all necessary artifacts such as policies, diagrams, and response plans that support each control in your SSP.

Step 4: Identify In-Scope Security Controls

Map each control to its framework identifier (for CMMC, the NIST SP 800-171 requirement ID and the corresponding NIST SP 800-171A assessment objectives) and mark it Implemented, Partially Implemented, Not Implemented, or Not Applicable, with a written justification for anything marked Not Applicable.

Step 5: Address Plans of Action and Milestones (POA&Ms)

Document remediation steps, assign responsibilities, and track progress toward full SSP compliance.

Step 6: Document Plans for Continuous Improvement

Keep your SSP up to date with ongoing reviews and assessments to adapt to evolving threats and compliance changes.

Step 7: Incorporate Automation or SSP Templates

Use automation tools or standardized templates to streamline CMMC System Security Plan maintenance and improve accuracy.

BD Emerson’s Approach to SSPs & Compliance

Partnering with BD Emerson gives your team hands-on guidance from experienced compliance professionals who specialize in frameworks like CMMC, NIST 800-171, NIST 800-53, FedRAMP, and ISO 27001. We help organizations develop, implement, and maintain compliant System Security Plans (SSPs) while strengthening their overall cybersecurity posture.

Need help with your SSP? Schedule a consultation today.


About the author

Danielle, Marketing Manager at BD Emerson

As Marketing Manager at BD Emerson, Danielle drives revenue growth through strategic marketing initiatives that amplify brand visibility, attract high-value clients, and strengthen partnerships. She oversees the planning, research, and creation of compelling content, including blog articles, social media campaigns, website optimization, and digital/print collateral, that not only engages audiences but also converts leads into long-term clients.

FAQs

How often should an SSP be updated?

At least annually or when major system or policy changes occur to maintain SSP compliance and accuracy.

What happens if my organization doesn’t have an SSP?

You risk noncompliance with CMMC Level 2, which can affect contracts.

How long does it take to create a compliant SSP?

Depending on complexity, a System Security Plan can take weeks or months. BD Emerson helps accelerate the process through expert guidance.

Can small or mid-sized businesses create an SSP without a full security team?

Yes. BD Emerson assists smaller organizations in building complete, compliant SSPs without overextending internal resources.


How can BD Emerson help with SSP development?

BD Emerson’s compliance consultants help create and maintain your SSP, ensuring your organization meets all regulatory and cybersecurity requirements.
