PUBLIC-SIGNAL INTELLIGENCE12–24 MONTHS EARLY · EVIDENCE CITED

Reference · Cybersecurity & CMMC

System Security Plan (SSP)

System Security Plan

A System Security Plan (SSP) is the document describing a contractor's information system boundary and how it meets each required security control. Under NIST SP 800-171 it is a mandatory artifact — assessors and the government read the SSP to understand what is protected and how.

What it is

The SSP defines the system boundary and environment, the roles involved, and — control by control — how each NIST SP 800-171 requirement is implemented, or why it is not applicable. It is paired with the POA&M, which covers the requirements not yet met.

Why it exists

NIST SP 800-171 requires organizations to develop, document, and periodically update an SSP. It is the primary evidence a CMMC assessor reviews — without a current SSP there is nothing concrete to assess against.

Who it applies to

Any organization handling CUI under DFARS 252.204-7012. Each covered information system needs its boundary and controls documented in an SSP.

Frequently asked

Is a System Security Plan required for CMMC?

Yes — a current System Security Plan is required. It is a mandatory NIST SP 800-171 artifact and the primary document a CMMC assessor reviews to see how each control is implemented. An assessment cannot be completed without one.

This is the kind of compliance signal Longlead reads to infer which upcoming defense projects will need cleared or compliance-ready scope — delivered as a cited evidence dossier with your confidence and lead time, 12–24 months before it surfaces as a named solicitation. You make the call, from your own channels; nothing leaves the system.

Or just see what Longlead finds for your scope.

Tell us what you sell and what you don't — and see the demand Longlead is inferring for you right now.