How to Write a System Security Plan (SSP)
If your organization handles Controlled Unclassified Information (CUI) or works within the Defense Industrial Base (DIB), you've likely come across the term System Security Plan (SSP). But what is it—and more importantly, how do you write a system security plan that actually passes an audit?
This guide walks you through exactly that. Whether you're pursuing NIST SP 800-171 or preparing for CMMC certification, understanding and documenting your SSP is a crucial step toward compliance and operational security.
What Is a System Security Plan?
A System Security Plan is a formal document that outlines your organization’s information system, including:
- Its purpose and functionality
- The security measures in place (or planned)
- How those measures protect data like CUI
“Think of your SSP as the instruction manual for your cybersecurity program,” said a CMMC Registered Practitioner we spoke with. “If you can’t explain what your system is and how it’s secured, an auditor won’t take your word for it.”
Why It Matters
The CMMC framework and NIST SP 800-171 both require a documented SSP to prove your cybersecurity practices. And with CMMC 2.0, SSPs are no longer internal checklists—they’re reviewed by independent third-party assessors.
So writing your SSP isn’t optional—it’s foundational.
How to Write a System Security Plan (SSP)
Here’s a breakdown of the key components every SSP should include:
1. Information System Overview
This section describes your system at a high level:
- What does it do?
- Who uses it?
- How does it store or process CUI?
This sets the stage for the rest of the document. Be clear and concise.
2. Network Diagram
Include a visual map of your network. This helps internal teams and auditors understand:
- How systems communicate
- Where sensitive data flows
- What devices are part of the environment
Tip: Don’t overcomplicate this. Use isometric diagrams if possible—they’re clean and easy to follow.
3. System Boundary Diagram
This diagram defines what’s in scope and what’s out of scope.
For example, if only your finance and engineering departments handle CUI, then HR systems might be out of scope. Clarity here ensures you’re not trying to secure the entire organization unnecessarily.
4. System Interconnections
List all IP addresses, ports, services, and protocols used between systems.
Auditors want to see how traffic flows—especially when it involves external vendors, cloud services, or remote access tools.
5. Security Practices and Controls
For each control required by NIST SP 800-171, document:
- Whether it’s implemented
- How it’s implemented
- Any supporting tools or configurations
For example:
AC.L1-3.1.1 - Limit System Access:
“All users authenticate with Azure AD. Conditional Access enforces MFA for all logins outside our defined corporate IP ranges.”
This level of detail shows that you don’t just know the control—you’ve operationalized it.
6. Plan of Action and Milestones (POAM)
If a control isn’t fully implemented, that’s okay—as long as you acknowledge it.
Use a POAM to show:
- What’s missing
- What steps are being taken
- Who’s responsible
- The estimated completion date
POAMs demonstrate that you’re actively closing gaps, not ignoring them.
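The per-control entries from section 5 and the POAM fields from section 6 can be cross-checked mechanically before an assessor does it for you. The following is an added example, not code from this article or from Vega Systems Consulting; the status vocabulary, the narrative-length threshold, and the sample controls and POAM row are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
MIN_NARRATIVE_WORDS = 10  # threshold is an assumption of this example, not an audit rule

@dataclass
class Control:
    control_id: str   # e.g. "AC.L1-3.1.1"
    status: str       # whether it's implemented
    how: str = ""     # how it's implemented, including supporting tools/configurations

@dataclass
class PoamItem:       # one row of the Plan of Action and Milestones
    control_id: str
    gap: str          # what's missing
    steps: str        # what steps are being taken
    owner: str        # who's responsible
    due: date         # estimated completion date

def check_ssp(controls, poam, as_of):
    # Returns findings an assessor would likely raise; an empty list means consistent.
    findings = []
    poam_by_id = {p.control_id: p for p in poam}
    for c in controls:
        if c.status == "implemented" and len(c.how.split()) < MIN_NARRATIVE_WORDS:
            findings.append(f"{c.control_id}: implemented but narrative too thin to assess")
        elif c.status in {"partially implemented", "planned"}:
            p = poam_by_id.get(c.control_id)
            if p is None:
                findings.append(f"{c.control_id}: {c.status} but has no POAM entry")
                continue
            for name in ("gap", "steps", "owner"):
                if not getattr(p, name).strip():
                    findings.append(f"{c.control_id}: POAM entry is missing '{name}'")
            if p.due < as_of:
                findings.append(f"{c.control_id}: POAM due date {p.due} has already passed")
    known = {c.control_id for c in controls}
    findings += [f"POAM references unknown control {p.control_id}" for p in poam if p.control_id not in known]
    return findings

# Constructed sample data; the first narrative is the article's own example.
SAMPLE_CONTROLS = [
    Control("AC.L1-3.1.1", "implemented", "All users authenticate with Azure AD. Conditional "
            "Access enforces MFA for all logins outside our defined corporate IP ranges."),
    Control("AC.L1-3.1.2", "implemented", "Done."),
    Control("AU.L2-3.3.1", "partially implemented"),
]
SAMPLE_POAM = [PoamItem("AU.L2-3.3.1", "File-server log retention under 90 days",
                        "Forward logs to SIEM; set retention to one year", "IT Manager", date(2025, 3, 31))]
AS_OF = date(2025, 1, 15)
def sample_findings(): return check_ssp(SAMPLE_CONTROLS, SAMPLE_POAM, AS_OF)
```

Run against the sample data, the only finding is the one-word narrative on AC.L1-3.1.2; the partially implemented audit control passes because its POAM row names the gap, the steps, an owner and a future date.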
Key Takeaways
- Your SSP should clearly describe what your system does and how it's secured.
- Include diagrams to make your scope and architecture easy to understand.
- Focus on how each security control is implemented—not just whether it is.
- Use POAMs to address gaps honestly and strategically.
Final Thoughts: Start Your SSP Today
If your business handles CUI or is preparing for a CMMC Level 2 assessment, don’t wait. A well-documented System Security Plan is more than a compliance checkbox—it’s a reflection of your security maturity.
Review your current SSP—or start drafting one today. The sooner you begin, the more control you’ll have over your compliance timeline and posture.
Need help writing or reviewing your SSP? Our team at Vega Systems Consulting works with manufacturers and small businesses navigating CMMC requirements. Reach out for a consultation.