What is an SSP?
SSP stands for System Security Plan. An SSP is the document that describes how an organization implements each required security control across its in-scope environment.
The System Security Plan documents your system boundary, the CUI data flows within it, and how each of the 110 NIST SP 800-171 (Rev. 2) controls is implemented. It is the central artifact a C3PAO reviews during a CMMC Level 2 assessment.
Assessors commonly report that documentation gaps, meaning an SSP that does not match the live environment, drive more failed assessments than missing technical controls. SSPs often run to hundreds of pages, so drift between the document and the systems it describes is easy to miss.
Keeping the SSP true to a continuously changing cloud environment is the core challenge. Automated evidence generation exists to close that gap: it collects the configuration state a control depends on and compares it with what the SSP claims, so a mismatch surfaces as a finding (and a POA&M item) before an assessor finds it.
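The reconciliation step described above, as an added example that is not PolicyCortex code or any part of the original page: it compares a constructed SSP excerpt (per-control implementation claims) against a constructed "live" evidence snapshot and reports each mismatch as drift, or as missing evidence when the collector produced nothing for a control. The control numbers are NIST SP 800-171 Rev. 2 identifiers; the claim fields (`mfa_required`, `session_timeout_minutes`, and so on) and both data sets are assumptions made for the example.

```python
"""Minimal SSP-vs-environment drift check (added illustration, not PolicyCortex code).

Both dictionaries below are constructed sample data. The keys are NIST SP 800-171
Rev. 2 control identifiers; the per-control fields are our own assumed shape for
what an SSP implementation statement and an evidence collector would produce.
"""
from dataclasses import dataclass

# Constructed SSP excerpt: what the document says is implemented, per control.
SSP_CLAIMS = {
    "3.5.3": {"mfa_required": True},                               # MFA for access
    "3.1.11": {"session_timeout_minutes": 15},                     # session termination
    "3.13.11": {"tls_min_version": "1.2", "fips_validated": True},  # FIPS-validated crypto
    "3.8.9": {"backups_encrypted": True},                          # backup CUI protected
}

# Constructed "live" evidence, as an automated collector would export it
# (for example from an identity provider, a load balancer and a backup service).
LIVE_EVIDENCE = {
    "3.5.3": {"mfa_required": True},
    "3.1.11": {"session_timeout_minutes": 60},                      # SSP says 15
    "3.13.11": {"tls_min_version": "1.2", "fips_validated": False},  # SSP says True
    # "3.8.9" is absent: the collector returned no evidence for it.
}


@dataclass(frozen=True)
class Finding:
    control: str
    field: str        # claim field that disagrees, or "*" when no evidence exists
    claimed: object
    observed: object
    kind: str         # "drift" (evidence contradicts SSP) or "no_evidence"


def reconcile(claims: dict, evidence: dict) -> list:
    """Return one Finding per SSP claim the live evidence fails to confirm."""
    findings = []
    for control, claimed in claims.items():
        observed = evidence.get(control)
        if observed is None:
            # Nothing collected: the SSP statement is unsupported, not necessarily false.
            findings.append(Finding(control, "*", claimed, None, "no_evidence"))
            continue
        for field, want in claimed.items():
            got = observed.get(field)
            if got != want:
                findings.append(Finding(control, field, want, got, "drift"))
    return findings


def poam_candidates(findings: list) -> list:
    """Controls that need a POA&M entry (or an SSP correction), sorted by ID."""
    return sorted({f.control for f in findings})


if __name__ == "__main__":
    for f in reconcile(SSP_CLAIMS, LIVE_EVIDENCE):
        print(f"{f.control:8} {f.kind:12} {f.field}: SSP={f.claimed!r} live={f.observed!r}")
    print("POA&M candidates:", poam_candidates(reconcile(SSP_CLAIMS, LIVE_EVIDENCE)))
```

Two design points matter in practice. A control with no evidence is reported separately from a contradicted one, because the remediation differs: the first needs a collector (or an honest "not implemented"), the second needs either a configuration fix or an SSP correction. And the check runs over the SSP's claims, not over the evidence, so a control the SSP asserts but nobody monitors still shows up.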
- POA&M: A POA&M (Plan of Action and Milestones) is a tracked plan for remediating security controls that are not yet fully implemented, with owners and target dates.
- NIST SP 800-171: NIST SP 800-171 is the federal standard of 110 security controls for protecting CUI in non-federal systems, and the technical basis of CMMC Level 2.
- C3PAO: A C3PAO (CMMC Third-Party Assessment Organization) is an organization authorized by the Cyber AB to conduct official CMMC Level 2 certification assessments.
See where you actually stand on the 110 controls.
PolicyCortex maps your live cloud against every NIST 800-171 control and generates C3PAO-ready evidence. Start with the free assessment.
