# CMMC System Security Plan

> Draft and validate the CMMC SSP for Level 1 or Level 2: system description, boundary, and implementation narratives for each NIST 800-171 practice with evidence pointers.



Tags: CMMC, CMMC 2.0, NIST, DoD, Compliance, SSP


## Example Prompts

- Draft our CMMC Level 2 SSP control implementations for Access Control
- Update our System Security Plan with implementation narratives for audit and accountability
- Validate our CMMC SSP for completeness before the assessment

URL: https://rakenne.app/skills/cmmc-ssp/index.md

Try this skill: https://rakenne.app/a/?skill=cmmc-ssp


## Overview

Draft and validate the CMMC SSP for Level 1 or Level 2: system description, boundary, and implementation narratives for each NIST 800-171 practice with evidence pointers.

## Getting Started

Add your source materials to the project workspace, then activate the *CMMC System Security Plan* skill. The agent will guide you through the process step by step.

## Example Conversation

> **You:** We need to draft our CMMC Level 2 SSP. We've already defined scope and asset inventory in other docs. Can you start with the system description and then Access Control (3.1) and Audit (3.3)?
>
> **Agent:** I'll pull in your scope and asset list and draft the SSP. First I'll add the system description and authorization boundary section, then implement 3.1 and 3.3 with status, narrative, and evidence pointers for each practice.
>
> **Agent:** I've created `ssp.md` with: (1) System name and description — Acme Contract Management Environment; (2) Authorization boundary — as per your scoping doc; (3) Access Control 3.1.1–3.1.9: each has implementation status (Implemented or Partially Implemented), narrative (e.g. 3.1.5 least privilege via AD groups and role-based access in the contract app), and evidence (policy title, procedure, config evidence). Same structure for Audit 3.3.1–3.3.9. Should I run the completeness check now?
>
> **You:** Yes. We're targeting Level 2 and want to see if we're missing any practices.
>
> **Agent:** *[Runs cmmc_ssp_completeness_check]* Result: PASS for Level 2. Practice coverage and implementation status keywords are present; authorization boundary and system description are documented. I've added a note that 3.12.4 (SSP) is satisfied by this document. Want me to continue with the remaining domains (3.2, 3.4–3.13)?

## Sample Output Excerpt

Below is a representative excerpt from a CMMC System Security Plan.

---

### 3.1 Access Control

| Practice | Status | Implementation | Evidence |
|----------|--------|----------------|----------|
| 3.1.1 | Implemented | Access limited to authorized users via AD authentication and application SSO. Only provisioned users can access the contract management app and file share. | Access Control Policy v2.1; account provisioning procedure; AD/SSO config. |
| 3.1.5 | Implemented | Least privilege enforced: role-based access in contract app (Viewer, Editor, Admin); file share permissions by security group; no local admin on workstations. | RBAC matrix; group policy; quarterly access review. |
| 3.1.8 | Implemented | Unsuccessful logon limited: account lockout after 5 attempts (AD); contract app enforces lockout per application policy. | GPO; application security config. |

### 3.12.4 System Security Plan

**Status:** Implemented.  
**Implementation:** This document constitutes the organization's System Security Plan for the CMMC assessment scope. It is maintained by the Security Officer, reviewed annually, and updated when system or scope changes.  
**Evidence:** SSP review log; version control.


## Built-in Scripts and Validation

The skill includes a completeness check the agent runs against the SSP.

### Validation tools

| Tool | Purpose |
|------|---------|
| **cmmc_ssp_completeness_check** | Validates the SSP file or directory for the target CMMC level. Checks: (1) practice coverage — presence of NIST 800-171 practice IDs (3.x.y); for Level 2, flags if fewer than 100 distinct practices are referenced; (2) implementation status — at least one of Implemented, Partially Implemented, Planned, Not Applicable, or Alternative Implementation; (3) authorization or assessment boundary; (4) system description or system name. Returns PASS or FAIL with a list of issues and warnings. Run after each major SSP update. |
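The four checks listed above, as an added example in Python that is not the skill's own implementation: practice IDs are collected with a `3.x.y` pattern, the Level 2 count threshold from the table is reported as a warning rather than a failure (so a well-formed draft covering only 3.1 and 3.3 still passes, as in the example conversation), and the status, boundary and system-description checks are simple keyword searches. The regexes, the `check_ssp` function and the sample SSP text are all constructed for this example.

```python
import re

# Added example (not the skill's own code): a minimal reimplementation of the
# four checks the cmmc_ssp_completeness_check tool is described as performing.

PRACTICE_RE = re.compile(r"\b3\.\d{1,2}\.\d{1,2}\b")  # NIST 800-171 practice IDs, 3.x.y
STATUS_RE = re.compile(
    r"\b(Alternative Implementation|Partially Implemented|Implemented|Planned|Not Applicable)\b"
)
BOUNDARY_RE = re.compile(r"\b(authorization|assessment) boundary\b", re.IGNORECASE)
SYSTEM_RE = re.compile(r"\bsystem (description|name)\b", re.IGNORECASE)
LEVEL2_MIN_PRACTICES = 100  # Level 2 threshold stated in the tool description


def check_ssp(text: str, level: int = 2) -> dict:
    """Return {"result": "PASS"|"FAIL", "issues": [...], "warnings": [...]}.

    Issues fail the check; warnings do not, so a thin but well-formed
    Level 2 draft still passes (matching the example conversation above).
    """
    issues, warnings = [], []

    practices = set(PRACTICE_RE.findall(text))  # distinct practice IDs only
    if not practices:
        issues.append("no NIST 800-171 practice IDs (3.x.y) referenced")
    elif level == 2 and len(practices) < LEVEL2_MIN_PRACTICES:
        warnings.append(f"{len(practices)} distinct practices referenced; "
                        f"Level 2 expects at least {LEVEL2_MIN_PRACTICES}")

    if not STATUS_RE.search(text):
        issues.append("no implementation status keyword found")
    if not BOUNDARY_RE.search(text):
        issues.append("authorization or assessment boundary not documented")
    if not SYSTEM_RE.search(text):
        issues.append("system description or system name not documented")

    return {"result": "FAIL" if issues else "PASS", "issues": issues, "warnings": warnings}


# Constructed sample SSP fragment modelled on the excerpt earlier on this page
SAMPLE_SSP = """# System Security Plan
## System Description
Acme Contract Management Environment (constructed sample).
## Authorization Boundary
All hosts in the contracts VLAN, per the scoping document.
### 3.1 Access Control
| 3.1.1 | Implemented | AD authentication and SSO | Access Control Policy v2.1 |
| 3.1.5 | Implemented | RBAC in contract app | RBAC matrix |
### 3.12.4 System Security Plan
Status: Implemented. This document is the SSP.
"""

if __name__ == "__main__":
    print(check_ssp(SAMPLE_SSP))
```

Running the block on the sample prints a PASS with one warning about the practice count; an empty draft fails all four checks.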


