Learn about the SSP, POA&M, Security Policies, Evidence Documentation, Customer Responsibility Matrix, and more through the Frequently Asked Questions (FAQs) below. If you are looking for certified CMMC Professionals and a customised solution for your organization, please schedule a free consultation.
Table of Contents
What is a System Security Plan (SSP) and why is it required for CMMC?
Summary: A System Security Plan is the foundational compliance document for CMMC, a comprehensive written plan that describes the information system boundary, the environment of operation, how each of the 110 NIST SP 800-171 Rev 2 security requirements is implemented, and the relationships between the system and any external service providers, as required by NIST SP 800-171 Rev 2 Security Assessment (CA) domain control 3.12.4.
The SSP serves multiple simultaneous functions: it is the primary evidence artifact that a C3PAO reviews during assessment to understand the organization’s security posture; it defines the assessment scope and boundary; it is the reference that employees, system administrators, and auditors use to understand how controls are implemented; and it is the living record that must be updated whenever systems, controls, personnel, or processes change.
Without a complete, accurate SSP, a C3PAO cannot begin a CMMC assessment, the assessment will be delayed or canceled. An SSP must describe not just what controls are in place but how they are implemented, who is responsible for each control, how they are monitored, and any residual gaps documented in associated POA&Ms.
What must be included in a CMMC-compliant SSP?
Summary: A CMMC-compliant SSP must address the information system boundary, all 110 NIST SP 800-171 Rev 2 controls and their implementation status, system architecture, data flows, and responsible parties, serving as the complete technical and administrative record of the organization’s security posture.
A CMMC-compliant SSP must include: a system overview describing the purpose and function of the information system, the types of information processed (FCI/CUI categories), the system boundary, and the operating environment; a system inventory listing all hardware, software, and cloud components within scope; network architecture diagrams and CUI data flow diagrams; the assessment scope including all asset categories; for each of the 110 controls, a statement of implementation status (implemented, partially implemented, planned, not applicable) with a narrative description of how the control is implemented; responsible parties for each control; external service provider relationships and their applicable controls; references to supporting policies, procedures, and evidence documents; and a summary of any open POA&M items.
The SSP must be current, it must reflect the actual environment at the time of assessment. databrackets provides SSP templates and SSP development support as part of CMMC compliance engagements.
What is a Plan of Action and Milestones (POA&M) in the context of CMMC compliance?
Summary: A Plan of Action and Milestones is a formal written document identifying deficiencies in an organization’s implementation of NIST SP 800-171 Rev 2 security controls, documenting the specific remediation actions planned to address each deficiency, assigning responsible parties, and specifying target completion dates for each remediation milestone.
Under CMMC Level 2, a POA&M serves two distinct purposes depending on when it is used. Before a formal assessment, a pre-assessment POA&M is used to track and manage the remediation of identified compliance gaps as the organization prepares for certification, it is a planning and management tool with no fixed deadline imposed by the program.
After a formal C3PAO assessment, a post-assessment POA&M documents deficiencies found during the assessment that qualify for conditional certification. This post-assessment POA&M carries strict conditions: the organization must achieve a minimum SPRS score of 88 out of 110 with all deficiencies limited to 1-point controls, and all POA&M items must be closed within 180 days of the Final Findings briefing. Both types of POA&Ms must be included in or attached to the SSP and updated as remediation progresses.
Is a POA&M permitted at CMMC Level 1?
Plans of Action and Milestones are not permitted at CMMC Level 1. CMMC Level 1 is a pass/fail assessment: all 17 safeguarding requirements from FAR clause 52.204-21 must receive a MET determination across all corresponding assessment objectives for the self-assessment to be considered compliant.
A single NOT MET finding at Level 1 means the entire self-assessment fails. There is no mechanism to accept partial compliance at Level 1 in exchange for a remediation commitment. The DoD’s rationale is that Level 1 requirements represent basic, foundational cybersecurity practices that any contractor handling federal information should be able to implement completely.
Contractors who discover a Level 1 gap during their self-assessment must remediate the deficiency before submitting their SPRS entry and affirmation. Submitting a Level 1 self-assessment result claiming compliance when one or more requirements are not actually met constitutes a false statement that triggers False Claims Act exposure.
What are the conditions under which a POA&M is permitted at CMMC Level 2?
Summary: A POA&M is permitted at CMMC Level 2 only when specific conditions are met: the organization must achieve a minimum SPRS score of 88 out of 110 on their C3PAO assessment, all open POA&M items must apply only to controls weighted at 1 point, and no open POA&M item may involve a control that the DoD has designated as high-priority.
When these conditions are met, the C3PAO may issue a Conditional Level 2 certification status, which is valid for 180 days from the date of the Final Findings briefing. During this window, the organization must implement all POA&M items and have the C3PAO verify closure before the Conditional status expires.
Upon successful closure of all POA&M items, the certification transitions to Final Level 2 status, valid for three years. If the organization fails to close all POA&M items within 180 days, the Conditional certification lapses and the organization must undergo a new assessment. For Level 2 self-assessments, organizations can submit with an SPRS score below 110 using a pre-assessment POA&M, but the self-assessment POA&M conditions differ from the C3PAO certification POA&M conditions.
Which high-value controls (3-point and 5-point) are excluded from POA&M eligibility?
Summary: Controls weighted at 3 points or 5 points in the SPRS scoring methodology are generally excluded from POA&M eligibility under CMMC Level 2, because these controls carry higher weight precisely because their absence represents a more severe security risk, contractors cannot receive any certification status while leaving high-impact controls unimplemented.
In the SPRS scoring system, the 110 NIST SP 800-171 Rev 2 controls are weighted as follows: most controls are worth 1 point; controls with more significant security impact are worth 3 points; controls whose absence could directly enable major network exploitation or CUI theft are worth 5 points.
Examples of high-weight controls include: multi-factor authentication for privileged accounts (IA domain, 3 or 5 points depending on scope); FIPS-validated cryptography (SC domain, 5 points); and certain audit logging controls (AU domain). If any of these higher-weighted controls are NOT MET during a C3PAO assessment, the organization fails to achieve even Conditional certification. The organization must implement these controls, pass remediation verification, and resubmit before any certification can be issued.
What policies and procedures are required to support CMMC Level 2 compliance?
Summary: CMMC Level 2 requires contractors to have formal written policies and procedures covering each of the 14 security domains in NIST SP 800-171 Rev 2, because documented policies are both a direct assessment requirement (Security Assessment domain control 3.12.4) and the governance foundation demonstrating intentional, systematic security program management.
Required policy areas include: access control policy; information security awareness and training policy; audit and accountability policy; configuration management policy; incident response policy and plan; media protection policy; personnel security policy; physical protection policy; risk assessment policy; system security plan maintenance policy; system and communications protection policy; and system and information integrity policy.
All policies must be formally approved by organizational leadership, communicated to relevant personnel, and reviewed and updated on a defined schedule. Policies referencing tools or processes that are not actually implemented are a common source of NOT MET findings, the policy must reflect actual practice.
What types of evidence must be maintained to demonstrate CMMC compliance?
Summary: CMMC compliance requires maintaining a comprehensive body of evidence, documentary proof that each of the 110 NIST SP 800-171 Rev 2 controls is actually implemented and operating as intended, that can withstand scrutiny from a C3PAO conducting an Examine, Interview, and Test assessment methodology.
Evidence categories include: documented policies and procedures for all 14 security domains; the current complete SSP and any associated POA&Ms; system configuration screenshots demonstrating baseline settings; access control lists, user account listings, and role-based access group assignments; MFA enrollment records and authentication logs; audit log samples demonstrating logging is enabled across in-scope systems; vulnerability scan reports and associated remediation tracking; patch management reports; security awareness training completion records by employee and date; incident response plan and exercise records; media sanitization and disposal records; physical access logs and visitor logs; network architecture diagrams and firewall rule exports; cloud service FedRAMP authorization documentation and Shared Responsibility Matrices.
Evidence must be current, screenshots and reports that are months old do not demonstrate ongoing compliance. Maintaining an always-current evidence library is an ongoing operational responsibility, not a pre-assessment sprint.
What is a Customer Responsibility Matrix (CRM) and when is one used?
Summary: A Customer Responsibility Matrix, functionally equivalent to a Shared Responsibility Matrix (SRM), is a document produced by a cloud service provider or managed service provider that maps each of the 110 NIST SP 800-171 Rev 2 controls to one of three responsibility categories: controls fully managed by the provider (inherited), controls fully managed by the customer, or controls shared between provider and customer.
CRMs are used whenever a contractor relies on an external platform or service as part of their CMMC compliance environment. All major cloud providers offering FedRAMP-authorized government cloud platforms, including Microsoft for GCC and GCC High, and AWS for GovCloud, publish CRMs for their environments.
The contractor uses the provider’s CRM to understand which controls are covered by the platform subscription, and which controls remain the contractor’s responsibility to implement independently. Controls listed as customer-owned in the CRM must be fully implemented and documented by the contractor, they cannot be assumed to be covered simply because the platform is FedRAMP authorized. The CRM is a required evidence artifact in the SSP and will be reviewed by a C3PAO during the assessment.
How do I document CMMC controls implemented by a third-party service provider?
Summary: CMMC controls implemented by a third-party service provider must be documented in the contractor’s SSP through a combination of narrative control descriptions, Shared Responsibility Matrices (SRMs), and third-party evidence artifacts collectively demonstrating the control is implemented, operating correctly, and meeting the CMMC assessment objectives.
For each control that a third-party provider implements, the SSP should: identify the specific control and describe how it is implemented by the provider; name the provider and the service or product used; reference the applicable Shared Responsibility Matrix showing the control is provider-managed; and reference supporting documentation such as FedRAMP authorization reports, SOC 2 Type II reports, or provider-specific configuration guides.
The contractor must also have contractual arrangements with the provider ensuring the control will continue to be maintained and that the provider will cooperate with C3PAO assessments if needed. Provider implementations are not automatically accepted at face value, assessors may request direct evidence from the provider or interviews with provider personnel. Contractors should confirm with third-party providers before assessment that they are willing and able to participate in the assessment process.
Explore Blogs, Webinars and other Resources
Trusted by Reputed Companies
What Our Clients Say
We used databrackets (formerly EHR 2.0) in our small medical practice for our risk analysis assessment to be in compliance with meaningful use. Their response was fast, the final report is detailed but simple and easy to follow. They were always available to answer our questions.
E. Compres
Pulmonary and Sleep Center of the Valley
I never miss the opportunity to learn something new …that’s why I am always registering to all free seminars offered on the web. databrackets (formerly EHR 2.0) happened to be the friendliest, comprehensive and up-to- date source of HIPAA Privacy and Security updates.
Alexandra V.
Community Healthcare Network
Today’s presentation was great! Thank you for sending the slides. My only feedback is that it would be fabulous to have the slides ahead of time so I could print them and take notes on the slides.Thanks for your time and knowledge today!
T.B., PM
Community Health Network
Particularly interesting was the flow chart on Administrative Simplification. I utilize all of the Security subcategories you list under the Security tile and appreciate knowing that I am hitting all of the relevant topics during my employee training.
Jessica B.
JD, CHC
I have re-worked our original risk assessment….We are using databrackets' (formerly EHR 2.0) Meaningful Use Security Risk Analysis Toolkit and it meets our needs. It was easy to use and I believe that it very beneficial to our meeting meaningful use.
Bill Curtis
Neurosurgical Associates Of Texarkana, TX
Information (webinars) presented by databrackets (formerly EHR 2.0) highlights some of today’s most demanding healthcare topics. The webinars help to direct those operating in today’s rapidly changing environment in the right direction.
Candace M.
Privacy and Security Officer, Springhill Medical Center
Our Growing List of Credentials
0
+
Assessments
0
+
Clients
0
+
Assessment Libraries
0
+
Years of Experience
0
+
No. of Staff Trained
0
+
HIPAA
0
+
SOC 2 Readiness
0
+
Pen Testing
0
+
ISO 27001 Certifications
0
+
Dollars Saved in Compliance Penalties