
SSP and POA&M Explained: The Two Documents CMMC Hinges On

By Glenn Ballard · CMMC Registered Practitioner · June 19, 2026 · 9 min read

Most of CMMC is about your systems — your firewalls, your access controls, your encryption. But two documents sit at the center of the whole thing, and they decide whether you can even report a score: the System Security Plan (SSP) and the Plan of Action & Milestones (POA&M). Get them right and you have a defensible, fundable compliance posture. Get them wrong — or skip the SSP — and you can't produce an SPRS score at all. Here is exactly what each one is and how they work together.

The SSP: Your System's Source of Truth

The System Security Plan describes your environment and how you meet each security requirement. It is mandated by NIST SP 800-171 requirement 3.12.4 (CMMC practice CA.L2-3.12.4). A complete SSP covers:

  • System boundary and scope — what's in the assessment, what isn't, and where CUI lives
  • Environment of operation — on-prem, cloud, hybrid, and any enclave
  • How each of the 110 requirements is implemented — control by control, in specifics
  • Roles, responsibilities, and connections to other systems and service providers

When a C3PAO assesses you, the SSP is the document they test against. It is the difference between “we think we're secure” and “here is precisely how we are, and here is the evidence.” A vague or out-of-date SSP is one of the most common reasons assessments stumble.

No SSP, no score. The SSP requirement carries no point value of its own in the DoD Assessment Methodology — but the methodology cannot generate an SPRS score without one. An organization with no System Security Plan effectively has no reportable score, which means it can't satisfy the DFARS 252.204-7019/7020 posting requirement and can't compete. The SSP is the price of entry.

The POA&M: Your Credible Plan to Close Gaps

Almost no organization meets all 110 requirements on day one. The Plan of Action & Milestones — required by NIST SP 800-171 requirement 3.12.2 — is where you document every gap honestly and lay out how you'll close it. A real POA&M line item includes:

  • The specific requirement not yet met
  • The weakness or deficiency, stated plainly
  • The remediation steps and resources required
  • A milestone schedule and a target completion date

A well-built POA&M is not an admission of failure — it's evidence of good faith and control. It shows the government (and an assessor) that you know exactly where you stand and have a dated plan to get the rest of the way.

What a POA&M Can — and Can't — Cover

Under CMMC, you can't POA&M your way to certification on the big items. The rules in 32 CFR 170.21 are deliberately strict:

  • Score floor: you must hit at least 88 of 110 (80%) to be eligible for Conditional status with open POA&M items.
  • Only lower-weight gaps: generally only certain 1-point requirements may sit on the POA&M, and specific requirements are excluded entirely — they must be fully met.
  • One narrow exception: the FIPS-validated encryption requirement (SC.L2-3.13.11) may ride a POA&M at its 3-point weight when encryption is employed but not yet FIPS-validated.
  • 180-day clock: open POA&M items must be closed within 180 days to convert Conditional status to Final.

The practical takeaway: a POA&M is a bridge for small, well-understood gaps — not a parking lot for your hardest problems. The high-value controls (multi-factor authentication, the 5-point requirements) have to be genuinely in place.

How They Work Together

Think of it this way: the SSP says “here is how we meet each requirement” and the POA&M says “here is what we haven't met yet, and exactly when we will.” Together they tell the complete, honest story of your posture. They're also living documents: as you close a POA&M item, you update the SSP to reflect the now-implemented control, and your SPRS score rises. Treating them as write-once paperwork is how organizations drift out of compliance between assessments.

Build the SSP and POA&M from a single, honest assessment of all 110 requirements — not as separate afterthoughts. When both trace back to the same control-by-control review, they stay consistent, and your reported SPRS score is one you can actually defend.
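The POA&M eligibility rules above (88-point floor, 1-point-only gaps plus the FIPS exception, 180-day clock) and the close-an-item-then-update-the-SSP loop, as an added Python example that is not from the article or from any vendor tool: it scores a constructed assessment the way the DoD methodology does (110 minus the weight of every unmet requirement), checks Conditional eligibility, then closes a gap and recomputes the score. Every requirement ID other than SC.L2-3.13.11, the dates, and the `excluded` set are constructed placeholders, not the regulation's actual exclusion list.

```python
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110             # all 110 requirements met (DoD Assessment Methodology)
CONDITIONAL_FLOOR = 88      # 32 CFR 170.21 floor for Conditional status with open POA&M items
POAM_WINDOW_DAYS = 180      # open POA&M items must close within 180 days
FIPS_REQ = "SC.L2-3.13.11"  # the one 3-point requirement allowed on a POA&M

@dataclass
class Requirement:
    req_id: str
    weight: int                        # 1, 3 or 5 points
    met: bool
    poam_target: "date | None" = None  # target completion date if on the POA&M

def sprs_score(reqs):
    """SPRS score = 110 minus the weight of every unmet requirement."""
    return MAX_SCORE - sum(r.weight for r in reqs if not r.met)
def poam_eligible(req, excluded):
    """May this unmet requirement sit on a POA&M? `excluded` holds IDs that must be fully met."""
    if req.req_id in excluded:
        return False
    if req.req_id == FIPS_REQ and req.weight == 3:  # encryption in use, not yet FIPS-validated
        return True
    return req.weight == 1
def conditional_status(reqs, excluded, cond_date):
    """Return (eligible, reasons, close-out deadline) for Conditional status."""
    reasons, deadline = [], cond_date + timedelta(days=POAM_WINDOW_DAYS)
    score = sprs_score(reqs)
    if score < CONDITIONAL_FLOOR:
        reasons.append(f"score {score} is below the {CONDITIONAL_FLOOR} floor")
    for r in (r for r in reqs if not r.met):
        if not poam_eligible(r, excluded):
            reasons.append(f"{r.req_id} ({r.weight} pts) cannot be on a POA&M")
        elif r.poam_target is None or r.poam_target > deadline:
            reasons.append(f"{r.req_id} has no target date on or before {deadline}")
    return not reasons, reasons, deadline
def close_item(reqs, req_id):
    """Close a POA&M item: mark it met (the SSP narrative is updated alongside); return new score."""
    for r in reqs:
        if r.req_id == req_id:
            r.met, r.poam_target = True, None
    return sprs_score(reqs)
def sample_assessment():
    """Constructed sample (placeholder IDs): 106 met, a FIPS gap, two 1-point gaps, a 5-point gap."""
    reqs = [Requirement(f"PLACEHOLDER-{i}", 1, True) for i in range(105)]
    reqs += [Requirement("PLACEHOLDER-MFA", 5, True),                        # MFA genuinely in place
             Requirement(FIPS_REQ, 3, False, date(2026, 9, 1)),              # encryption, not FIPS-validated
             Requirement("PLACEHOLDER-1PT-A", 1, False, date(2026, 8, 15)),
             Requirement("PLACEHOLDER-1PT-B", 1, False, date(2026, 8, 15)),
             Requirement("PLACEHOLDER-5PT-GAP", 5, False, date(2026, 8, 1))]  # blocks Conditional
    return reqs, date(2026, 7, 1)  # constructed date Conditional status would be granted
```

With the sample data the score is 100 and Conditional status is blocked only by the 5-point gap; closing that item raises the score to 105 and leaves a POA&M of one FIPS gap and two 1-point gaps, all due before the 180-day close-out.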

Get Both, Drafted From Your Real Answers

Writing an SSP and POA&M from a blank page is where most CMMC efforts stall — and where traditional consultants bill for weeks. The Dragonfli Group CMMC Accelerator generates a draft SSP and draft POA&M directly from your control-by-control answers, with an estimated SPRS score and gap analysis — every statement traceable to your own responses, no invented facts. A CMMC Registered Practitioner reviews the drafts before they carry the review stamp. You start with real documents, not a template.


Start with a real SSP and POA&M.

The free Pulse Check takes about 15 minutes and shows where you stand on your highest-risk CMMC requirements — no credit card, no sales call.
