24 October 2025

Preparing For A CMMC Audit: The System Security Plan

Eleanor M. Ross, Greenberg Traurig, LLP
Go-To Guide:
  • The Department of Defense's (DoD) Cybersecurity Maturity Model Certification (CMMC) Program requires contractors to have a comprehensive System Security Plan (SSP), which cannot be substituted with a Plan of Action and Milestones (POAM).
  • SSPs must clearly document boundaries between in-scope and out-of-scope assets, explain security strategies, and reflect actual operational practices.
  • SSPs demonstrate ongoing processes and compliance with the CMMC Program and ensure internal personnel are familiar with documented policies and procedures to have the best chances for successful audits.
  • Contractors without a proper SSP risk failure to pre-assess or complete a third-party assessment at the requisite CMMC level.

In September, DoD finalized the CMMC Program, along with the accompanying contract clauses, with an effective date of Nov. 10, 2025. As we discussed in previous GT Alerts, defense contractors will be expected to conduct self-assessments or third-party assessments in accordance with the requirements in NIST SP 800-171 and NIST SP 800-172. A key element of those assessments will be the SSP, which is a required document under NIST SP 800-171 rev. 2, control 3.12.4, and is one of the first review items in a Level 2 pre-assessment. Critically, recent reports from third-party assessors estimate that 25% of the companies seeking certification have experienced false starts due to a failed pre-assessment, meaning the assessor was unable to validate the contractor's readiness to advance to the actual assessment.

The consequences of a failed pre-assessment may be significant, given that the third-party assessor must still report an adverse readiness determination in the Enterprise Mission Assurance Support Service (eMASS). Contractors also cannot rely on a POAM to meet the SSP requirement – the SSP must be fully implemented at the time of assessment for a CMMC status to be granted. The regulations require that an SSP must be "in place at the time of assessment to describe each information system within the CMMC Assessment Scope." 89 Fed. Reg. 83237 (Oct. 15, 2024). The absence of an updated SSP at the time of an assessment will result in a finding that "an assessment could not be completed due to incomplete information and noncompliance with 48 CFR 252.204-7012." Id.

This GT Alert covers what constitutes an SSP and how contractors might meet this threshold requirement for CMMC compliance.

Components of the SSP

The SSP is a document that outlines the security requirements for a covered information system and describes how an organization implements the controls to meet those requirements. For contractors seeking Level 2 CMMC status, the relevant controls are found in NIST 800-171 rev. 2. NIST and the CMMC assessment methodology also provide guidance on the minimum elements of an SSP:

  • Identification of the assets that are within the CMMC assessment scope (e.g., a high-level description of the information system assets that store, process, transmit, or receive CUI);
  • List of applicable security requirements that are derived from applicable laws, executive orders, directives, policies, standards, instructions, regulations, procedures, or organizational mission/business case needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted on the information systems;
  • Description of how the identified and approved security requirements are implemented within the covered system or environment; and
  • Explanation and description of any systems that are related to, dependent on, or interconnected with the covered system.

SSPs may also contain general information about the information system and system components, such as technical and functional operations; design philosophies regarding security strategies, allowed interfaces, and network protocols; and roles and responsibilities for key personnel, system custodians/owners, authorizing officials, and stakeholders.

There must be a defined frequency for updating the SSP, which must occur no less than annually, and the timing for such updates must be documented in the SSP.

Developing Documentation

A robust SSP might have supporting policies and procedures that reflect how the organization has determined to implement and enhance ongoing compliance with each of the NIST SP 800-171 controls. The primary audience for such documentation should be the employees, vendors, and contractors of a company who need access to the company's covered systems. Ultimately, the documentation should be useful for such internal users to align security practices and promote a proactive culture of security.

Documentation should be subject to continuous improvement based on the organization's changing security postures, including in response to contract or program requirements, and should be regularly updated to reflect actual operational practices and procedures. Companies may take several approaches to managing and updating their documentation, depending on the size and scope of the company. Companies may wish to:

  • Establish procedures for regular audits and updates to existing policies and procedures. This may include creating change control documentation processes to ensure that any revisions to policies and/or practices are documented.
  • Integrate documentation into daily workflows to capture revisions to practices and ensure that policies are updated.
  • Use a governance, risk, and compliance (GRC) tool to unify documentation into a single, integrated platform. GRC tools centralize documentation storage, establish libraries to organize templates and link evidence, and automate audit trails and revisions logs to limit manual intervention. There are several options for GRC tools, and some are specifically focused on CMMC documentation management.

There is no one way to address the CMMC requirements for documentation, but the goal is to have traceable, auditable policies and procedures that evidence implementation of required controls across the system or environment. Companies may benefit from developing sustainable practices.

Takeaways

As companies prepare for their CMMC assessments, they should consider the documentation that supports their implementation of security controls. Documentation is essential for establishing and maintaining a security program that meets the CMMC Program's objectives. The SSP is the foundational document for mapping data flows, identifying in-scope and out-of-scope assets, and documenting the implementation of security controls. Ultimately, documentation should be integrated into regular workflows to avoid a last-minute scramble to create documentation that matches a company's practices only in response to an upcoming audit. As companies prepare for their CMMC audits, they should consider:

  1. Drafting a complete SSP. This is a prerequisite for even a pre-assessment under Level 2, and an incomplete SSP may preclude completion of a third-party assessment.
  2. Identifying the in-scope and out-of-scope assets for the assessment and documenting any decisions to exclude assets from the scope of an assessment when those assets may receive, transmit, process, or store CUI.
  3. Confirming the consistency between the documentation and actual practice. Assessors will be looking for any disconnect between what the documentation says and the company's actual practice. Prior to the audit, it is important to confirm that documentation is up to date and accurately reflects current company practice.
  4. Ensuring policies and procedures have been shared with and reviewed by relevant employees. Assessors may choose random participants in an audit to explain the implementation of a control. It is important that participants in an assessment have a clear understanding of the documentation being used to support the assessment.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
