Ask ten contractors what their System Security Plan is and most will point to a document someone wrote once, saved to a shared drive, and has not opened since. That document will not pass an assessment — not because it is poorly written, but because it is not true anymore.
The SSP and its companion, the Plan of Action & Milestones (POA&M), are the backbone of a CMMC Level 2 program. Treat them as living evidence and the assessment becomes a confirmation. Treat them as paperwork and it becomes an interrogation.
What the SSP is actually for
The System Security Plan describes your environment and how each of the 110 controls is met within it. For every control it should answer three questions plainly:
- What is the requirement in the context of your boundary?
- How is it implemented — the specific configuration, tool, or procedure?
- Where is the evidence that it works the way you say?
That last question is where most SSPs fall apart. An assessor does not grade your prose; they sample your claims and ask to see proof. "We enforce multifactor authentication" is a sentence. The configuration export, the access log, and the screenshot that show it enforced are evidence. The SSP's job is to connect every claim to where that evidence lives.
The POA&M is a feature, not a confession
Teams treat the POA&M as an admission of failure. It is the opposite — it is the mechanism that lets you operate while you close remaining gaps. A clean program uses it deliberately:
- Only eligible gaps go on it — the framework excludes the highest-weighted controls from POA&M eligibility; those must be met outright.
- Every item has an owner, a milestone, and a date, not a vague "in progress."
- It is closed on schedule. A conditional certification comes with a fixed window; an open POA&M past that window is a problem, not a plan.
A POA&M full of honest, dated, owned items reads as a program in control. A POA&M that is empty on a program that clearly has gaps reads as a program that is not looking.
Living, not laminated
The practical test is simple: could you regenerate today's evidence in an hour? If the answer is "we would have to go ask three people and hope," the SSP is a snapshot of a moment that has passed. The programs that pass cleanly keep the SSP, the evidence, and reality in sync continuously — usually through a managed GRC routine rather than a once-a-year scramble.
That is the difference between certification as an event and compliance as a posture. One ends the day the assessor leaves. The other is still true the next morning — which is the only kind that survives the next assessment.
Want a read on whether your SSP would hold up to sampling? That is what a readiness assessment is for. Start with a discovery call.
