Navigating CMMC 2.0 and NIST SP 800-171: Your Comprehensive System Security Plan (SSP) Guide
What’s New (Updated for Active CMMC Enforcement)
This post reflects the CMMC Program final rule (32 CFR Part 170) and the DFARS acquisition rule that took effect on November 10, 2025, which began placing CMMC requirements into DoD solicitations and contracts. As a result, the System Security Plan (SSP) is now examined directly rather than treated as a future concern: it is the primary artifact behind a CMMC Level 2 self-assessment or C3PAO certification and behind the NIST SP 800-171 score you post to the Supplier Performance Risk System (SPRS). A Level 1 self-assessment does not itself mandate an SSP, but Level 2 does, because NIST SP 800-171 requirement 3.12.4 requires one. References to CMMC as a planned or upcoming requirement have been updated to reflect current enforcement.
Why the System Security Plan Matters Now
In today’s increasingly complex cybersecurity landscape, protecting sensitive data is paramount for all businesses, especially those in the Defense Industrial Base (DIB). Specifically, the Cybersecurity Maturity Model Certification (CMMC 2.0) and NIST SP 800-171 frameworks are crucial for ensuring adequate protection of Controlled Unclassified Information (CUI).
To help, this guide provides an updated, practical approach to developing your System Security Plan (SSP), a cornerstone of your compliance strategy. Bookmark this resource to stay ahead of evolving cybersecurity requirements and leverage Exostar’s cybersecurity solutions to simplify your journey.
If you would like to see what Exostar can do to help you with SSP, contact our team today.
Understanding the Essentials: CMMC 2.0 and NIST SP 800-171
CMMC 2.0 and NIST SP 800-171: Protecting CUI in a Dynamic Threat Environment
CMMC 2.0 safeguards Federal Contract Information (FCI) and CUI within the DIB through three levels: Level 1 (the 15 basic safeguarding requirements of FAR 52.204-21), Level 2 (the 110 requirements of NIST SP 800-171 Rev. 2), and Level 3 (Level 2 plus selected requirements from NIST SP 800-172). NIST SP 800-171, published by the National Institute of Standards and Technology, provides the security requirements for protecting CUI in non-federal systems, and CMMC Level 2 assesses those requirements directly rather than introducing its own. Because the two are now tied together by rule, your SSP must describe how each applicable NIST SP 800-171 requirement is implemented in the environment that DoD contracts now assess.
- CMMC 2.0 Refinements: Understand the three levels, which assessment type (self-assessment or C3PAO certification) your contracts call for, and the annual affirmation that accompanies each.
- NIST SP 800-171 Evolution: NIST published Revision 3 in May 2024, but the CMMC final rule assesses against Revision 2. Keep your SSP organized around Rev. 2 until DoD formally adopts a newer revision.
- Threat Landscape: Attacks on the supply chain increasingly target small suppliers as the path into larger programs, which is why the SSP must describe what is actually in place, not what is planned.
What Is a System Security Plan?
The SSP: Your Cybersecurity Blueprint for CMMC 2.0 Compliance
At its core, a System Security Plan is a formal document that describes how your organization protects its information systems and data. Think of it as a blueprint for your cybersecurity program. It maps out your security controls, policies, and procedures in one comprehensive document. The SSP explains the security measures, the responsible parties, and their maintenance.
For defense contractors the SSP carries extra weight because it is the document an assessor reads first: it demonstrates how NIST SP 800-171 and CMMC requirements are met and shows customers and assessors that you understand the requirements and have implemented controls to protect CUI.
Who Needs an SSP?
Any contractor or subcontractor whose systems store, process, or transmit CUI under a contract carrying DFARS 252.204-7012 needs an SSP. That clause requires NIST SP 800-171, and requirement 3.12.4 requires you to develop, document, and periodically update a system security plan. Under the CMMC final rule the same document is the primary evidence for a Level 2 assessment, whether self-assessed or certified by a C3PAO. In practice, the SSP does three things:
- First, it documents the security measures that are implemented.
- Second, it identifies the responsible parties.
- Finally, it explains how the security controls are maintained.
Even small subcontractors that handle only FCI (Level 1) benefit from an SSP: it records how the 15 basic safeguarding practices are met, supports the annual self-assessment and affirmation, and positions the company for CUI work later.
1. Developing Your System Security Plan: A Step-by-Step Guide
SSP Development: A Practical Guide to Meeting CMMC 2.0 and NIST SP 800-171 Requirements
Develop and Implement Your System Security Plan
Begin by scoping the environment with a few key questions:
- Where does information enter your system?
- Where is data stored (on-premises, cloud, backups)?
- Who interacts with the data?
- How is data used, stored, processed, and transmitted?
- Who supports the systems?
- Where are users located?
Identify and Categorize Information Systems
- Conduct a thorough inventory of all systems that store, process, or transmit CUI, including backups, management and security tooling, and any cloud services.
- Categorize each asset using the CMMC Level 2 scoping categories (CUI assets, security protection assets, contractor risk managed assets, specialized assets, and out-of-scope assets) so the assessment boundary in the SSP is explicit and defensible.
Assess Current Security Controls
- Evaluate existing controls against NIST SP 800-171 requirements.
- Identify and document gaps in compliance.
- Remember that CMMC 2.0 is cumulative: the 15 Level 1 practices are included in the 110 Level 2 requirements, so a Level 2 SSP must cover them as well.
Document Your SSP
- Include an overview of security policies.
- Provide detailed descriptions of information systems and environments.
- Describe implemented security controls.
- Develop a Plan of Action and Milestones (POA&M) for remaining gaps, keeping in mind that the final rule limits its use: no POA&M is permitted at Level 1, and at Level 2 only specific lower-weighted requirements may be open, the assessment score must be at least 88 out of 110, and open items must be closed within 180 days (32 CFR 170.21).
- Include a Data Flow Diagram, Asset Inventory, and User Roles.
2. Conduct Regular Assessments
- Perform periodic self-assessments using the NIST SP 800-171 DoD Assessment Methodology to confirm that the SSP still matches what is implemented and that you are ready for a Level 1 or Level 2 CMMC assessment or an SPRS review.
- Document the results of each Basic (self) assessment: the score, the assessment date, the SSP it was assessed against, and the projected POA&M completion date.
- Post the summary score and supporting data to the Supplier Performance Risk System (SPRS) as DFARS 252.204-7019 and 7020 require, and keep them current; an SSP that disagrees with the posted score is the first inconsistency an assessor will notice.
- Use internal assessments for Level 1 and Level 2 self-assessments and, where the contract requires certification, an authorized CMMC Third-Party Assessment Organization (C3PAO).
Train Your Workforce
- Provide regular cybersecurity training.
- Emphasize CUI protection responsibilities.
3. Maintain and Update Your SSP
- Treat the SSP as a living document rather than a one-time deliverable.
- Update it whenever systems, boundaries, or controls change, for example a new cloud service, a new site, or a changed CUI data flow.
- Record each change with a date and revision history so an assessor can see when the plan last matched the environment.
- Review every section on a fixed cadence, at least annually, alongside the annual affirmation.
Note About Third Party Providers
Third-Party Security: Ensuring FedRAMP Compliance for Cloud Services
When third-party services, especially cloud service providers (CSPs), store, process, or transmit CUI on your behalf, DFARS 252.204-7012 applies to that arrangement as well. Confirm that the CSP meets the FedRAMP Moderate baseline (or an equivalent DoD accepts) and that the service and contract support the clause's paragraphs (c) through (g): reporting cyber incidents to DoD within 72 hours of discovery, submitting malicious software when requested, preserving affected media and images for at least 90 days, and supporting DoD forensic analysis. Document these responsibilities in the SSP as shared or inherited controls rather than assuming the provider covers them.
Leveraging Exostar’s® Cybersecurity Solutions
Simplify CMMC 2.0 Compliance with Exostar’s® Expert Solutions
In practice, Exostar’s® cybersecurity solutions streamline CMMC 2.0 compliance, saving resources and time. Utilize Exostar’s Policy Pro™ and Certification Assistant™ for efficient SSP development and management.
- Automated assessment tools.
- Real-time reporting and SPRS integration.
- Expert guidance and support.
- Up-to-date information on changing standards.
Developing a Robust SSP is Crucial
Developing and maintaining a robust SSP is essential for CMMC 2.0 and NIST SP 800-171 compliance. By following this guide and leveraging Exostar’s® solutions, you can effectively protect sensitive data and meet evolving cybersecurity challenges. Contact Exostar® today to learn more about achieving and maintaining compliance.
Given current enforcement, if your SSP has not been reviewed since CMMC enforcement began, now is the time to reassess it. Structured tools and guided workflows can help contractors validate SSP accuracy, align documentation with SPRS scores, and prepare for Level 1 or Level 2 assessment requirements under the Final Rule.
What You Should Do Now
Organizations handling FCI or CUI should validate that their System Security Plan accurately reflects the NIST SP 800-171 requirements actually implemented, clearly defines the CUI boundary and asset categories, and agrees with the score reported in SPRS. Review the SSP for completeness, confirm that any POA&M items fall within the final rule's limits on content and closeout time, and make sure the documentation is assessment-ready before contract award. Under current enforcement, a CMMC Level 2 assessment depends on a current, accurate SSP, and a Level 1 self-assessment is far easier to support with one.