NIST SP 800-171 Rev 2 requirement 3.12.4 (CMMC practice CA.L2-3.12.4) requires organizations to develop, document, and periodically update a System Security Plan (SSP) covering every system that processes, stores, or transmits CUI. The SSP must delineate the system boundary, describe the environment in which the system operates, enumerate the applicable security requirements, state for each requirement how it is implemented (or, where the organization claims a requirement is not applicable, the justification the assessor will evaluate), and document all connections to and dependencies on other systems. The plan is not a one-time artifact: the organization must define a review and update cadence, update the plan whenever the system or its environment changes significantly, and be able to show that those reviews actually took place. During a CMMC Level 2 assessment the SSP is the primary reference against which assessors evaluate every other practice, and it is the baseline from which Plan of Action and Milestones (POA&M) entries are derived. A missing, inaccurate, or out-of-date SSP is therefore not a paperwork issue but a failed practice in its own right, and because assessors use the SSP to scope and interpret everything else, it also leaves them without a basis for evaluating the remaining practices.
Where it stops · what it isn't
- The SSP does not replace the Plan of Action and Milestones (POA&M): deficiencies identified against the SSP are tracked separately in the POA&M under CA.L2-3.12.2.
- The SSP is not a physical security plan, continuity of operations plan, or incident response plan; those remain standalone documents, although the SSP may reference them.
- The practice does not require the SSP to be submitted to or pre-approved by DCSA or any other government agency before the assessment; it must simply be available to the assessors (the C3PAO, or DIBCAC for a DoD-led assessment) for review during the assessment.
- The SSP does not contain the risk assessment procedures themselves; those are governed by the separately assessed practice RA.L2-3.11.1, whose results the SSP may reference.
- The requirement to update the SSP does not mandate continuous, real-time editing; it requires review at a defined frequency and an update whenever a significant change is made to the system or its environment.
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
PART OF: domain/security-assessment