CT · NY · NJ · Stamford HQ

A System Security Plan (SSP) is the document that describes your information system and how you implement required security controls. In NIST SP 800-171 and CMMC Level 2 conversations, the SSP is not optional paperwork—it is the narrative map of your security program.

What a useful SSP contains

  • System name, purpose, and boundaries (what is in scope)
  • System components: cloud services, endpoints, servers, apps, locations
  • Data types (for example FCI or CUI) and data flows
  • Roles and responsibilities
  • Control-by-control implementation statements
  • Related policies, diagrams, and evidence references

Weak vs strong implementation statements

Weak: “We use multi-factor authentication.”

Stronger: “All interactive user and admin access to the Microsoft 365 tenant and remote access VPN requires phishing-resistant or app-based MFA via Entra ID Conditional Access policy CA-01; break-glass accounts are excluded, monitored, and stored offline per procedure IR-BG-01.”

Specificity is what makes an SSP assessable.

How SSPs relate to POA&Ms

If a control is not fully implemented, the SSP should not pretend it is. Capture the gap in a POA&M with owners and dates. Honesty early is cheaper than contradictions during assessment.

Need a clear baseline for your environment?

Start with a free 15-minute review. When a structured assessment is the right next step, ImpetraInsights™ can provide multi-framework scoring and an executive-ready report—including CMMC and HIPAA readiness paths.