If you're working toward CMMC or NIST SP 800-171 compliance, you'll hear "SSP" constantly. It's the single most important document in the whole process — and the one that stops the most small contractors in their tracks. This guide explains what it is, what goes in it, and how to actually produce one without paying a consultant $10,000+ to write it.
What is a System Security Plan (SSP)?
A System Security Plan (SSP) is the document that describes your system that handles Controlled Unclassified Information (CUI) and explains, requirement by requirement, how you meet each of the 110 security controls in NIST SP 800-171. Think of it as the master record an assessor reads to understand your environment and judge whether you actually do what you claim.
Why the SSP matters more than your score
Your SPRS score gets the attention, but the SSP is what's actually examined. In fact, NIST SP 800-171 requirement 3.12.4 specifically requires you to "develop, document, and periodically update" an SSP. It carries no point value — but without it, a DoD assessment cannot be completed at all, and you can't legitimately submit a score to SPRS. No SSP, no assessment. That's why it's priority zero.
What actually goes in an SSP
A compliant SSP isn't a mystery. For your CUI system, it documents:
- System description & boundary — what the system is, what it does, and where the line is (which assets store, process, or transmit CUI).
- System environment — the operating environment, key components, and connections to other systems.
- How each requirement is met — a narrative for every applicable 800-171 requirement describing your actual implementation. This is the bulk of the document.
- Implementation status — for each requirement: implemented, planned (with a POA&M), not applicable, or inherited from a provider.
- Responsible roles — who owns each control.
The narrative should map to the NIST SP 800-171A assessment objectives — the specific determination statements an assessor checks. Writing to those objectives is what separates a defensible SSP from one that gets picked apart.
The POA&M: your SSP's companion
You won't have everything implemented on day one, and that's expected. For each gap, a Plan of Action & Milestones (POA&M) documents what you'll fix, how, and by when. The SSP says where you stand; the POA&M says how you'll close the gaps. Assessors expect both.
Don't write 110 narratives from scratch
Our free SSP Section Generator interviews you in plain English and produces assessor-ready narrative for each requirement — plus draft POA&M entries for your gaps. It starts with Access Control and Identification & Authentication.
How to write your SSP, step by step
- Define your boundary first. You can't document a system you haven't scoped. Identify exactly what's in and out.
- Know your starting point. Run a SPRS self-assessment so you know which requirements are met and which aren't before you write.
- Write a narrative per requirement, mapped to the 800-171A objectives, stating your implementation, status, and responsible role.
- Build a POA&M for everything not yet implemented, with realistic dates.
- Keep it current. 3.12.4 requires periodic updates — your SSP is a living document, not a one-time deliverable.
A note for 2026
NIST SP 800-171 Revision 2 remains the basis for SPRS scoring and CMMC assessment — the Department of War has not moved scoring to Revision 3. Your SSP should reflect the Rev 2 requirements your assessment will actually use.
Start with your score, then document it
The fastest path: calculate your SPRS score to see exactly where you stand, then use the SSP Section Generator to turn those requirements into a documented plan. Both are free, both run in your browser.