What an SSP Is — and Why Your Assessor Reads It First
A System Security Plan, or SSP, is the document that describes how your organization implements every one of the 110 NIST 800-171 security controls. It's not a policy document. It's not a security checklist. It's a comprehensive narrative that answers one question for each control: what specifically does your organization do, with what systems, using what configurations, to satisfy this requirement?
When a C3PAO (Certified Third-Party Assessment Organization) schedules your CMMC Level 2 assessment, the first thing their assessors do is read your SSP. They use it to understand your environment before they start asking questions and testing controls. An SSP that's vague, incomplete, or doesn't match your actual environment tells the assessor that you're not ready — before they've looked at a single firewall rule.
Think of it this way: the SSP is your case for why you're compliant. The assessors are trying to verify that case. If your case is weak on paper, they're going to probe harder in person.
A well-written SSP doesn't just describe your security posture — it makes an assessor's job easier. It answers their questions before they ask them. Assessors have seen thousands of SSPs. They can tell within 10 pages whether yours is real or a template someone filled in over a weekend.
What's Actually in an SSP
An SSP isn't a free-form document. There's a standard structure that experienced assessors expect to see. Here's what a complete SSP for a small to mid-size defense contractor typically includes:
- System overview: A plain-English overview of your organization, what you do, and why you have CUI. It includes the types of CUI you handle, the business purpose for handling it, and who owns the systems involved.
- Scope and authorization boundary: Exactly which systems, networks, and locations are in scope for this SSP. This is critical — an overly broad boundary inflates your compliance workload. This section is where you document your CUI enclave if you have one.
- Network diagram: A diagram showing every system in your CUI environment, how they're connected, where data flows, and where your boundary is relative to the internet and external systems. Not optional — assessors verify this against what they find during the assessment.
- Data flow: Shows how CUI enters your environment, where it's stored, how it moves between systems, and how it exits. Assessors use this to verify that your access controls and encryption implementations actually cover the paths where CUI flows.
- Control narratives: This is the meat of the SSP — and why it's so long. For each of the 110 NIST 800-171 controls, you write a narrative explaining: (a) what the control requires, (b) how your organization implements it, (c) what specific systems and configurations are involved, and (d) what evidence you have. This section alone can be 80–150 pages.
- Roles and responsibilities: Who in your organization is responsible for security functions. System owner, security officer, IT administrator, data custodians. Not titles — names and what they specifically do for security.
- Plan of Action and Milestones (POA&M): Any controls you're not yet fully implementing, with a realistic timeline for achieving them. An honest POA&M is better than pretending you've implemented something you haven't. Assessors check.
- Policy references: References to your security policies — access control policy, incident response plan, configuration management plan, media protection procedures. The policies don't go in the SSP, but the SSP references them and they need to exist.
Why Consultants Charge $12K–$60K to Write One
If you've gotten a quote from a CMMC consultant for SSP writing, you may have had a small heart attack. Quotes of $15,000 to $60,000 for documentation alone are common. Some larger firms charge more.
Here's why it costs that much when consultants do it:
- It takes a lot of hours. Writing a complete SSP requires deeply understanding your environment, then writing 110 detailed control narratives. At $150–$300/hour consulting rates, 200 hours of work gets expensive fast.
- They do a gap assessment first. Most consultants won't write an SSP without first doing a gap assessment — finding out which controls you already meet and which you don't. That's another 40–80 hours.
- They need to understand your specific environment. A good SSP isn't generic. Writing accurate control narratives requires understanding your specific network, software, configurations, and processes. That takes time to learn.
- The POA&M is included. Documenting your gaps and a realistic remediation plan is part of the package.
- Traditional consultant ($12K–$60K): For SSP writing alone. Gap assessment is additional. Timeline: 3–6 months. Requires extensive interviews and site visits.
- MyCMMC: AI-assisted SSP generation built around your actual answers, reviewed by a Registered Practitioner. Same deliverable, fraction of the timeline.
MyCMMC produces your SSP, policies, and evidence guide using your actual environment — reviewed and signed off by a certified Registered Practitioner. Starting at $7,500.
How Long an SSP Actually Is
There's no minimum or maximum page count for an SSP. But in practice:
- 10–30 person company with a focused CUI enclave: 60–100 pages
- 50–150 person contractor with a moderately complex environment: 100–175 pages
- Large contractor with multiple sites and complex integrations: 200–400 pages
The length comes primarily from the control narrative section. There are 110 controls organized into 14 families (Access Control, Audit and Accountability, Configuration Management, etc.). Some controls need a half page. Some need three pages. Add up 110 controls and you get a significant document.
Don't try to compress the control narratives to make the document shorter. Assessors don't give points for brevity — they give points for specificity. A vague two-sentence control narrative is worse than a detailed two-page one. The question an assessor is always asking is: "Does this tell me exactly what they're doing?" If the answer is "kind of," you're in trouble.
Common SSP Mistakes That Kill Assessments
These are the SSP mistakes that show up most often when small contractors come to us after a rough mock assessment or assessment failure:
Mistake 1: Using a Generic Template Without Customizing It
You can find NIST 800-171 SSP templates online. Some are decent starting points. But contractors who download a template and fill in their company name — without rewriting the control narratives to reflect their actual environment — end up with an SSP that doesn't pass a basic sniff test.
Assessors have seen the same template content in dozens of SSPs. They'll ask questions your template can't answer, such as "What specific Group Policy Object enforces your password length?"
Mistake 2: The SSP Doesn't Match the Network
During your assessment, assessors will compare your SSP to your actual environment. If your SSP says you have multi-factor authentication on all remote access and the assessors find a VPN connection without MFA, that's a finding — and it's worse than if you'd disclosed the gap in your POA&M. Assessors treat undisclosed gaps as more serious than acknowledged ones.
Your SSP must reflect your current environment — not what you're planning to implement, not what your environment looked like a year ago. If something in your SSP isn't true today, it needs to be in your POA&M. An SSP that overstates your security posture can expose you to False Claims Act liability.
Mistake 3: Skipping the Network Diagram
Some small contractors think a network diagram is only for enterprises with complex networks. It's not. A 10-person shop with five computers still needs a diagram that shows how those systems are connected, where the internet connection comes in, and what boundary controls are in place. A hand-drawn diagram is better than no diagram.
Mistake 4: Writing Policies Instead of Implementation Descriptions
Your SSP should describe what you do, not what you require. "Employees must use strong passwords" is a policy statement. "We enforce a 15-character minimum password length via Group Policy on all systems in the CUI domain, and this is verified monthly through automated reports" is an SSP control narrative. The distinction matters enormously.
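The narrative above promises that the 15-character minimum is "verified monthly through automated reports." The script below is an added example of what such a report can look like; it is not code from the article or from MyCMMC. It assumes an Active Directory domain, the ActiveDirectory RSAT module, and a hypothetical evidence folder (C:\CMMC\Evidence\IA). It reads the Default Domain Password Policy and every Fine-Grained Password Policy (a PSO can silently override the default for a group, which is exactly the kind of detail an assessor probes), compares each against the length your SSP states, and writes a dated CSV that can be filed as evidence. It changes nothing in the domain.

```powershell
# Added example (not from the original article or MyCMMC): monthly evidence
# report for a "15-character minimum via Group Policy" SSP control narrative.
# Assumptions: Windows AD domain, ActiveDirectory RSAT module installed,
# run as a domain user with read access. Read-only; no settings are changed.

#Requires -Modules ActiveDirectory

param(
    [int]$RequiredMinLength = 15,                    # the value stated in your SSP narrative
    [string]$EvidenceDir = 'C:\CMMC\Evidence\IA'     # hypothetical evidence folder
)

Import-Module ActiveDirectory

$stamp   = Get-Date -Format 'yyyy-MM'
$results = @()

# 1. Default Domain Password Policy: the baseline most SSP password narratives cite.
$default = Get-ADDefaultDomainPasswordPolicy
$results += [pscustomobject]@{
    Policy     = 'Default Domain Password Policy'
    AppliesTo  = (Get-ADDomain).DistinguishedName
    MinLength  = $default.MinPasswordLength
    Complexity = $default.ComplexityEnabled
    MaxAgeDays = $default.MaxPasswordAge.Days
    History    = $default.PasswordHistoryCount
    Compliant  = ($default.MinPasswordLength -ge $RequiredMinLength)
}

# 2. Fine-Grained Password Policies (PSOs) override the default for specific
#    users or groups, so an SSP narrative that ignores them is incomplete.
foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $results += [pscustomobject]@{
        Policy     = "PSO: $($pso.Name)"
        AppliesTo  = ($pso.AppliesTo -join '; ')
        MinLength  = $pso.MinPasswordLength
        Complexity = $pso.ComplexityEnabled
        MaxAgeDays = $pso.MaxPasswordAge.Days
        History    = $pso.PasswordHistoryCount
        Compliant  = ($pso.MinPasswordLength -ge $RequiredMinLength)
    }
}

# 3. Write a dated CSV so each monthly run is a distinct, retained evidence artifact.
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$csv = Join-Path $EvidenceDir "password-policy-$stamp.csv"
$results | Export-Csv -Path $csv -NoTypeInformation

# 4. Surface any policy below the stated minimum with a non-zero exit code, so a
#    scheduled task can flag the gap for the POA&M rather than let it go unnoticed.
$results | Format-Table -AutoSize
$gaps = $results | Where-Object { -not $_.Compliant }
if ($gaps) {
    Write-Warning "$($gaps.Count) password policy(ies) fall below the $RequiredMinLength-character minimum stated in the SSP."
    exit 1
}
Write-Host "All password policies meet the $RequiredMinLength-character minimum. Evidence written to $csv"
```

Scheduled to run monthly, the CSV files it leaves behind are the "automated reports" the narrative refers to, and the exit code gives you a trigger to update the POA&M the moment a policy drifts below what the SSP claims.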
Template SSP vs. One Built for Your Operation
Here's the practical difference between a template SSP and one that's customized to your environment:
A template SSP describes a hypothetical company. It uses placeholder language. It says "the organization shall" and "the system owner reviews" without naming specific people, systems, or configurations. It might satisfy a checkbox review by someone who doesn't look closely, but it won't satisfy a CMMC Level 2 assessor who's been doing this for years.
A customized SSP names your IT systems, your network topology, your specific software configurations, your actual staff roles. It describes how your 12-person machine shop implements multi-factor authentication — specifically what system you use, which accounts it applies to, and how you verify it's working. That specificity is what passes an assessment.
The good news: building a customized SSP doesn't mean you have to start from a blank page. It means answering questions about your environment in enough detail that the narratives can be written accurately. That's exactly what our Assessment-Ready Package does — it asks you the right questions and produces narratives that reflect your actual operation.
Our 2-minute quiz maps your environment and gives you a clear picture of where you stand. Then we'll tell you exactly what your Assessment-Ready Package would include.
Frequently Asked Questions
How long does an SSP need to be?
There's no required length, but a credible SSP for a small contractor typically runs 50 to 150 pages. Larger or more complex environments can hit 200+ pages. The length comes from having to document all 110 NIST 800-171 controls in detail — what the control requires, how your organization implements it, what systems it applies to, and what evidence demonstrates you meet it. A five-page SSP won't hold up to a C3PAO review.
Can I use an SSP template?
You don't have to start from scratch, but the template has to reflect your actual environment — not a generic company. The dangerous shortcut is downloading an SSP template and filling in your company name without customizing the control narratives. Assessors can tell. They'll ask follow-up questions that your generic template can't answer. The SSP has to describe what your systems actually do, how your people actually work, and what controls you've actually implemented.
What's the difference between an SSP and a security policy?
Policies describe what you require people to do — "employees must use strong passwords." An SSP describes how each specific NIST 800-171 control is implemented in your specific environment — "we enforce 15-character minimum passwords through Group Policy Object X on our Active Directory domain, applied to all workstations in our CUI boundary." Your policies are supporting documents that feed into your SSP, but the SSP is the master document your assessor uses.
Can I write my own SSP?
Technically yes, but it's genuinely hard work. You need to understand all 110 NIST 800-171 controls well enough to explain exactly how your environment addresses each one. You also need to understand what evidence demonstrates each control. Most small business owners can do this with the right guidance and tools — but "I'll figure it out as I go" is not a strategy that holds up under a C3PAO assessment. If you use a documentation platform designed for small contractors, you're in better shape than trying to build from a blank Word document.
How often should the SSP be updated?
Your SSP should be updated whenever your environment materially changes — new systems added, old ones retired, significant configuration changes, personnel changes in key roles. NIST recommends reviewing it at least annually. C3PAOs also want to see that your SSP reflects your current environment, not what your network looked like two years ago when you hired a consultant. For CMMC Level 2, the SSP is a living document.
Get your SSP done right, at a price that makes sense.
Our Assessment-Ready Package gives you a customized SSP, policies, and evidence guide — built for your operation, not a generic template.