Document how you meet every requirement — the SSP is mandatory, and without it you can't be assessed.
What it actually means
Develop, document, and periodically update a System Security Plan (SSP) that describes your system boundaries, operating environment, how each security requirement is implemented, and connections to other systems. The SSP is the backbone of your whole assessment: it's worth zero points, but without it an assessment can't even be completed — and the absence of an SSP is itself non-compliance with DFARS 252.204-7012.
Pass or fail — an assessor needs a "yes" to each
- Do you have a current SSP describing your system boundary and operating environment?
- Does it describe how each of the 110 requirements is implemented?
- Is it reviewed and updated periodically and after major changes?
What to have ready
- The System Security Plan itself
- Revision history showing periodic updates
Where teams trip up
- No SSP — which makes the entire assessment non-compliant regardless of other controls
- An SSP that's a template with blanks, not a real description of your environment
- Never updating it after changes
This requirement carries no point value, but it is mandatory: it is not POA&M-eligible, and without an SSP no SPRS score can be reported. Treat it as the first thing you build, not the last. Our free SSP generator gives you a starting draft.