System Security Plan (SSP)

A System Security Plan (SSP) is a formal document that describes how your company's information systems are set up and what security measures are in place to protect sensitive data. Think of it as the master blueprint of your cybersecurity program — it documents every security control, who is responsible for it, and how it works in your specific environment.

The SSP covers your network architecture, hardware and software inventory, user access policies, data flow diagrams, and the specific steps you take to meet each security requirement. For CMMC, your SSP must address all applicable NIST SP 800-171 requirements and accurately describe your current security posture.

Assessors will use your SSP as their primary reference during a CMMC assessment. If your SSP doesn't match reality — if it says you do something you actually don't — that's a finding that can prevent certification.

Why It Matters

Your SSP is the single most important document in your CMMC journey. It must be accurate, complete, and kept up to date. A poorly written or inaccurate SSP will derail your assessment before it even begins.
