CMMC System Security Plan
Overview
Draft and validate the CMMC SSP for Level 1 or Level 2: system description, boundary, and implementation narratives for each NIST 800-171 practice with evidence pointers.
Getting Started
Add your source materials to the project workspace, then activate the CMMC System Security Plan skill. The agent will guide you through the process step by step.
Example Conversation
You: We need to draft our CMMC Level 2 SSP. We’ve already defined scope and asset inventory in other docs. Can you start with the system description and then Access Control (3.1) and Audit (3.3)?
Agent: I’ll pull in your scope and asset list and draft the SSP. First I’ll add the system description and authorization boundary section, then implement 3.1 and 3.3 with status, narrative, and evidence pointers for each practice.
Agent: I’ve created ssp.md with: (1) System name and description — Acme Contract Management Environment; (2) Authorization boundary — as per your scoping doc; (3) Access Control 3.1.1–3.1.9: each has implementation status (Implemented or Partially Implemented), narrative (e.g. 3.1.5 least privilege via AD groups and role-based access in the contract app), and evidence (policy title, procedure, config evidence). Same structure for Audit 3.3.1–3.3.9. Should I run the completeness check now?
You: Yes. We’re targeting Level 2 and want to see if we’re missing any practices.
Agent: [Runs cmmc_ssp_completeness_check] Result: PASS for Level 2. Practice coverage and implementation status keywords are present; authorization boundary and system description are documented. I’ve added a note that 3.12.4 (SSP) is satisfied by this document. Want me to continue with the remaining domains (3.2, 3.4–3.13)?
Sample Output Excerpt
Below is a representative excerpt from a CMMC System Security Plan.
3.1 Access Control
| Practice | Status | Implementation | Evidence |
|---|---|---|---|
| 3.1.1 | Implemented | Access limited to authorized users via AD authentication and application SSO. Only provisioned users can access the contract management app and file share. | Access Control Policy v2.1; account provisioning procedure; AD/SSO config. |
| 3.1.5 | Implemented | Least privilege enforced: role-based access in contract app (Viewer, Editor, Admin); file share permissions by security group; no local admin on workstations. | RBAC matrix; group policy; quarterly access review. |
| 3.1.8 | Implemented | Unsuccessful logon limited: account lockout after 5 attempts (AD); contract app enforces lockout per application policy. | GPO; application security config. |
3.12.4 System Security Plan
Status: Implemented.
Implementation: This document constitutes the organization’s System Security Plan for the CMMC assessment scope. It is maintained by the Security Officer, reviewed annually, and updated whenever the system or its scope changes.
Evidence: SSP review log; version control.
Built-in Scripts and Validation
The skill includes a completeness check that the agent runs against the SSP.
Validation tools
| Tool | Purpose |
|---|---|
| cmmc_ssp_completeness_check | Validates the SSP file or directory for the target CMMC level. Checks: (1) practice coverage — presence of NIST 800-171 practice IDs (3.x.y); for Level 2, flags the SSP if fewer than 100 distinct practices are referenced; (2) implementation status — presence of at least one of Implemented, Partially Implemented, Planned, Not Applicable, or Alternative Implementation; (3) presence of an authorization or assessment boundary; (4) presence of a system description or system name. Returns PASS or FAIL with a list of issues and warnings. Run it after each major SSP update. |
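To make the four checks concrete, here is an added Python example of how such a completeness check can be implemented. It is not the skill's own cmmc_ssp_completeness_check; the function names (load_ssp, find_practices, check_ssp), the regular expressions, and the sample SSP text are assumptions constructed for this illustration. The only threshold it applies is the Level 2 minimum of 100 distinct practices from the table above, and it reports that shortfall as a warning rather than a failure, which matches the example conversation where the check passes with only the 3.1 and 3.3 domains drafted.

```python
"""Hypothetical SSP completeness check (added example, not the skill's own tool)."""
import re
from dataclasses import dataclass, field
from pathlib import Path
from typing import List

# NIST SP 800-171 practice identifiers look like 3.<family>.<requirement>, e.g. 3.1.1 or 3.12.4.
PRACTICE_ID = re.compile(r"(?<![\d.])3\.(\d{1,2})\.(\d{1,2})(?![\d.])")

# Status keywords listed on the page (assumed to be matched case-insensitively).
STATUS_KEYWORDS = (
    "Alternative Implementation",
    "Partially Implemented",
    "Not Applicable",
    "Implemented",
    "Planned",
)

# Level 2 threshold from the page; the page gives no Level 1 threshold, so none is assumed.
MIN_DISTINCT_PRACTICES = {2: 100}


@dataclass
class CheckResult:
    verdict: str                       # "PASS" or "FAIL"
    practices: List[str]               # distinct practice IDs found, in numeric order
    issues: List[str] = field(default_factory=list)    # any issue makes the verdict FAIL
    warnings: List[str] = field(default_factory=list)  # warnings do not affect the verdict


def load_ssp(path: str) -> str:
    """Read one SSP file, or every .md file under a directory, into a single string."""
    p = Path(path)
    files = sorted(p.rglob("*.md")) if p.is_dir() else [p]
    return "\n".join(f.read_text(encoding="utf-8") for f in files)


def find_practices(text: str) -> List[str]:
    """Return the distinct 3.x.y practice IDs referenced, sorted numerically."""
    ids = {(int(m.group(1)), int(m.group(2))) for m in PRACTICE_ID.finditer(text)}
    return [f"3.{fam}.{req}" for fam, req in sorted(ids)]


def check_ssp(text: str, level: int) -> CheckResult:
    """Apply the four checks described on the page to the SSP text."""
    lower = text.lower()
    issues: List[str] = []
    warnings: List[str] = []

    # (1) practice coverage: at least one ID, and for Level 2 a warning below 100 distinct IDs
    practices = find_practices(text)
    if not practices:
        issues.append("no NIST 800-171 practice IDs (3.x.y) referenced")
    elif level in MIN_DISTINCT_PRACTICES and len(practices) < MIN_DISTINCT_PRACTICES[level]:
        warnings.append(
            f"only {len(practices)} distinct practices referenced; "
            f"Level {level} expects at least {MIN_DISTINCT_PRACTICES[level]}"
        )

    # (2) implementation status: at least one recognised keyword anywhere in the SSP
    if not any(k.lower() in lower for k in STATUS_KEYWORDS):
        issues.append("no implementation status keyword found "
                      f"(expected one of: {', '.join(STATUS_KEYWORDS)})")

    # (3) authorization or assessment boundary
    if not re.search(r"\b(authorization|assessment)\s+boundary\b", lower):
        issues.append("authorization/assessment boundary not documented")

    # (4) system description or system name
    if not re.search(r"\bsystem\s+(description|name)\b", lower):
        issues.append("system description or system name not documented")

    return CheckResult("FAIL" if issues else "PASS", practices, issues, warnings)


# Constructed sample SSP fragment used to exercise the check offline.
SAMPLE_SSP = """\
# System Security Plan

## System Description
System name: Acme Contract Management Environment (constructed sample).

## Authorization Boundary
The boundary covers the contract app, the file share, and the AD domain.

## 3.1 Access Control
| Practice | Status | Implementation | Evidence |
|---|---|---|---|
| 3.1.1 | Implemented | Access limited to authorized users via AD and SSO. | Access Control Policy |
| 3.1.5 | Implemented | Least privilege via RBAC roles. | RBAC matrix |
| 3.1.8 | Partially Implemented | Lockout after 5 attempts in AD; app lockout planned. | GPO |

## 3.12.4 System Security Plan
Status: Implemented. This document is the SSP.
"""

if __name__ == "__main__":
    result = check_ssp(SAMPLE_SSP, level=2)
    print(result.verdict, result.practices)
    for line in result.issues + result.warnings:
        print(" -", line)
```

Run against a real workspace with `check_ssp(load_ssp("path/to/ssp.md"), 2)`; a directory of per-domain markdown files is concatenated before checking, so practices split across files still count toward coverage. Removing the boundary section from the sample turns the verdict to FAIL, while the low practice count only produces a warning.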