
CMMC System Security Plan: What Exactly Does the DoD Want?

When you’re trying to understand what you’re supposed to do to meet Cybersecurity Maturity Model Certification (CMMC) requirements, there’s a lot of information to digest. A lot. Interpreting the requirements, and deciding exactly how your company will meet them, is still new territory for most executives and their IT managers. 

Unless you want to make CMMC compliance your full-time job, it would be nice to have all that information boiled down so that you get to the point where you can act. 

You must act because, if you haven’t, you’re already late. The CMMC Program final rule (32 CFR Part 170) took effect on December 16, 2024. CMMC requirements will appear in contracts in phases over the following three years, but the underlying obligations are already mandatory: DFARS 252.204-7012 has required NIST SP 800-171 implementation since 2017, and DFARS 252.204-7019/7020 have required a self-assessment score in SPRS since 2020. 

At VC3, we’ve not only taken the time to understand the intricacies of CMMC compliance but we’ve also been trained to help companies plan and do what they need to do to successfully attain and maintain compliance. 

Here’s your boiled-down version of what the CMMC Self-Assessment is and what you need to do. 

The DoD Wants Your System Security Plan (SSP)

Your System Security Plan (SSP) is the document the DoD expects you to have. Think of it as the gathering place for everything you collect to communicate how you secure Controlled Unclassified Information (CUI) today and what you still have to do to reach full compliance. You don’t upload the SSP itself; what goes into the Supplier Performance Risk System (SPRS) is your assessment score, the SSP’s name, version and date, and the date your Plan of Action and Milestones (POA&M) will be complete. The SSP is what an assessor reads to decide whether each requirement counts as implemented, so missing details in it translate directly into a lower score, delays in certification, and additional remediation effort. 

The SSP must provide detailed documentation on how controls are implemented, including: 

  • Policies and procedures 
  • Technical configurations (such as for firewalls, access controls, logging, etc.) 
  • Evidence of implementation (such as screenshots, reports, logs, etc.) 
  • Roles and responsibilities (such as who manages your security) 

The SSP comprises: 

  • Names and contact information of company representatives 
  • Types of CUI that you store, process, and transmit 
  • Information about people who handle CUI 
  • A description of your network, listing all hardware and software 
  • Relationships with or connections to other systems 
  • How each security requirement in NIST SP 800-171 is implemented 

Some of the information, like lists of hardware and software, you’re going to gather. Some you will need to draft, such as an up-to-date diagram of your network. And some you should expect to investigate. 

That’s where a Gap Analysis comes in. 

What is a CMMC / NIST Gap Analysis?

A Gap Analysis is how you discover how closely you’re currently following the security requirements detailed in NIST SP 800-171. 

What is NIST 800-171? 

This is the National Institute of Standards and Technology publication NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” CMMC Level 2 assesses against Revision 2 of that publication, so in effect these are the security rules that are the foundation of CMMC requirements. 

NIST SP 800-171 Rev. 2 contains 110 security requirements in 14 families. A Gap Analysis walks through all of them using the NIST SP 800-171 DoD Assessment Methodology to find out what you’re already doing that fulfills requirements and where you’re lacking. The score you report to SPRS (what this article calls your Gap Analysis Score) comes from the same methodology, and it is the SSP and its evidence that an assessor uses to decide whether a requirement counts as implemented: 

  • A requirement that is implemented and documented costs nothing. The score starts at 110, one point per requirement. 
  • A requirement that is not implemented subtracts its weight of 1, 3, or 5 points, depending on how much the methodology judges its absence to weaken the protection of CUI. 
  • Only two requirements earn partial credit: 3.5.3 (multifactor authentication) subtracts 3 instead of 5 if MFA covers remote and privileged access but not general users, and 3.13.11 (FIPS-validated cryptography) subtracts 3 instead of 5 if CUI is encrypted but not with FIPS-validated modules. 
  • A requirement you cannot show evidence for is scored as not implemented and takes the full deduction. If there is no SSP at all (requirement 3.12.4), the methodology says an assessment cannot be completed and no score can be produced. 

Because deductions are weighted, the score can go negative; the lowest possible score is -203. For example, Basic Security Requirement 3.1.1, “Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems),” is a 5-point requirement. Having it in place keeps your point; not having it costs 5 points. 

It’s common for companies to receive a negative score on an initial Gap Analysis. 

The CMMC Gap Analysis Process

Before you start your gap analysis, keep in mind that NIST 800-171 is made up of both technical and non-technical controls. (If this is a surprise to you, you should read Cybersecurity Is a Shared Responsibility.) Becoming CMMC-compliant is not just about technology—it’s about people, processes, and procedures. In addition to IT-driven investigations, your employee handbook may have some of the documentation you need, and your HR manager may need to become involved when it comes to employee training on security protocols. 

Step 1: Initial Consultation and Data Collection 

The first step in a Gap Analysis is to find out exactly where you store your CUI. This can be very difficult to figure out if your customer didn’t identify the CUI in the first place. The only thing you can do is to start going back through the supply chain until you get to the link with the CUI markings. 

Identifying, or scoping, where the CUI lives is very important. Not only do you need to know how controls are applied to that data, but knowing where it is lets you isolate it in a defined enclave on your network, so that the assessment boundary (and the number of systems that must meet all 110 requirements) stays as small as possible. A data flow diagram is helpful here. A tight scope not only makes compliance easier to manage, it can save on costs when it comes time for your assessment. 

It’s not good enough to just say that you’re following a security control. You have to prove it. So an early step in drafting your SSP is going to be to gather documentation. This includes diagrams and descriptions of your network and connections. It also includes documentation for the evidence that shows you have practices and processes in place to support requirements in NIST 800-171. 

If you’re working with a Registered Practitioner (RP), this will be a task that they facilitate. As they walk you through a Gap Analysis, RPs will help you gather documentation and give you recommendations for different ways that you can provide evidence for what you’re doing. Their job also includes assessing your security architecture, technologies in use, and any existing compliance reports or audits. 


Step 2: Interviews with Key Personnel  

In addition to data collection, your RP will also conduct interviews with IT staff, executive management, and any other relevant stakeholders to uncover security needs, concerns, expectations, and qualitative data about your security culture. 

Step 3: Technical and Process Evaluation 

After gathering both quantitative and qualitative data, the RP will evaluate and assess your ability to comply with CMMC along with how security practices are integrated within your organization. This evaluation uncovers gaps that need addressing. 

Step 4: Gap Analysis Execution 

At this point, your RP will share an analysis of their findings including a detailed checklist showing how much you are aligned with CMMC standards, a gap analysis, and recommendations for moving forward. 

Step 5: Gap Assessment Deliverables 

At the end of the gap analysis, you should receive the following deliverables: 

  • System Security Plan (SSP): As described above, this document describes your system boundary and how each NIST SP 800-171 requirement is implemented, with the evidence that supports it. Gaps found during the analysis are recorded against the relevant requirements. 
  • Plan of Action & Milestones (POA&M): This is an actionable plan listing each gap, who owns it, what will be done, and by when, prioritized so you have a roadmap.  
  • Supplier Performance Risk System (SPRS) Score: The score computed under the DoD Assessment Methodology. It is what you report to SPRS, and prime contractors will ask to see it, along with your POA&M, to gain confidence that you are working toward compliance.

Remediation Plan: How You’ll Close the Gaps 

Your POA&M will form the basis of your Remediation Plan. When you report your self-assessment, you’ll have to state by what date all open items will be closed, and your POA&M has to back that date up by detailing exactly how you’re going to close each gap and how long each one will take. 

There’s no one-size-fits-all when it comes to following CMMC or NIST. There will likely be more than one way that you can meet a requirement. If you’re working with an RP, they’ll bring you recommendations that will help you to make good decisions for what’s attainable and manageable. 

Submitting Your SSP

When your SSP is complete and you’ve gathered all of the documentation that goes with it, you’re ready to report your self-assessment. In practice that means entering your score in SPRS along with the SSP’s name, version and date and your POA&M completion date; the SSP and its evidence stay with you and must be produced on request for your prime or an assessor. 

At a minimum, then, companies need a score and an estimated date by which they plan to be fully compliant. However, many prime contractors are asking their subcontractors for more than that, such as the SSP and POA&M themselves, to see how far along they are on the journey to compliance. 

Note that only some deficiencies can be carried on a POA&M. For a CMMC Level 2 certification, your score must be at least 88 of 110, open POA&M items may only be 1-point requirements (with the single exception of FIPS-validated cryptography, 3.13.11, at its 3-point partial value), a handful of 1-point requirements (3.1.20, 3.1.22, 3.10.3, 3.10.4, 3.10.5) can never be left open, and everything on the POA&M must be closed within 180 days. A 5-point gap such as missing multifactor authentication (3.5.3) therefore blocks certification until it is fixed. A POA&M does not add points to your score; what it does is document the credible path and timeline that primes and assessors want to see. 
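To make the scoring rules from the Gap Analysis section and the POA&M limits above concrete, here is a small scorer written for this article. It is an added example, not VC3’s tool or anything the DoD provides. It encodes the DoD Assessment Methodology arithmetic (start at 110, subtract 1, 3 or 5 per unimplemented requirement, partial credit for 3.5.3 and 3.13.11, no score without an SSP) and the 32 CFR 170.21 conditions for leaving items open on a POA&M. The requirement weights it carries are an excerpt of the methodology’s Annex A reproduced from memory and flagged as an assumption in the code; the assessment statuses are constructed for illustration.

```python
"""Score a NIST SP 800-171 self-assessment the way the DoD Assessment
Methodology does, then check whether the open gaps could sit on a POA&M under
a CMMC Level 2 conditional certification (32 CFR 170.21).

Score starts at 110; each unimplemented requirement subtracts its weight of
1, 3 or 5.  Only 3.5.3 (MFA) and 3.13.11 (FIPS crypto) get partial credit
(3 instead of 5).  3.12.4 (the SSP) has no point value: no SSP, no score.
POA&M items are allowed only if the score is >= 88, every open item is worth
1 point (except 3.13.11 at 3), and none of 3.1.20, 3.1.22, 3.10.3, 3.10.4,
3.10.5 is open.
"""
from __future__ import annotations

from enum import Enum


class Status(Enum):
    MET = "met"
    PARTIAL = "partial"   # only valid for 3.5.3 and 3.13.11
    NOT_MET = "not_met"


MAX_SCORE = 110
MIN_CONDITIONAL_SCORE = 88   # 80% of 110

# Excerpt of Annex A weights for the requirements used in the sample below.
# ASSUMPTION: reproduced from memory of the published table; verify against
# the methodology before relying on these numbers.
WEIGHTS: dict[str, int | None] = {
    "3.1.1": 5, "3.1.2": 5, "3.1.5": 3, "3.1.20": 1, "3.1.22": 1,
    "3.3.1": 5, "3.5.3": 5, "3.5.7": 1, "3.10.3": 1,
    "3.12.4": None,   # SSP: no point value
    "3.13.11": 5, "3.14.2": 5,
}
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


def deduction(req: str, status: Status) -> int:
    """Points lost for one requirement at its assessed status."""
    if req not in WEIGHTS:
        raise KeyError(f"{req}: not in the weight table")
    weight = WEIGHTS[req]
    if weight is None or status is Status.MET:
        return 0
    if status is Status.PARTIAL:
        if req not in PARTIAL_DEDUCTION:
            raise ValueError(f"{req}: no partial credit; use MET or NOT_MET")
        return PARTIAL_DEDUCTION[req]
    return weight


def score(assessment: dict[str, Status]) -> int | None:
    """SPRS-style score, or None when there is no SSP (3.12.4 not met).
    Requirements absent from `assessment` count as implemented, so a real
    run must list all 110."""
    if assessment.get("3.12.4", Status.NOT_MET) is not Status.MET:
        return None
    return MAX_SCORE - sum(deduction(r, s) for r, s in assessment.items())


def poam_eligible(assessment: dict[str, Status]) -> tuple[bool, list[str]]:
    """Apply the 32 CFR 170.21 conditions; returns (ok, reasons it fails)."""
    total = score(assessment)
    if total is None:
        return False, ["no SSP (3.12.4): the assessment cannot be scored"]
    reasons: list[str] = []
    if total < MIN_CONDITIONAL_SCORE:
        reasons.append(f"score {total} is below the minimum of 88")
    for req, status in assessment.items():
        lost = deduction(req, status)
        if lost == 0:
            continue
        if req in NEVER_ON_POAM:
            reasons.append(f"{req} may never be left open on a POA&M")
        elif lost > 1 and not (req == "3.13.11" and lost == 3):
            reasons.append(f"{req}: {lost}-point gaps cannot go on a POA&M")
    return not reasons, reasons


# Constructed sample: a small contractor's first gap analysis.
INITIAL = {
    "3.1.1": Status.NOT_MET,    # -5: no formal access authorization
    "3.1.2": Status.MET,
    "3.1.5": Status.NOT_MET,    # -3: every user is a local admin
    "3.1.20": Status.MET,
    "3.1.22": Status.MET,
    "3.3.1": Status.MET,
    "3.5.3": Status.PARTIAL,    # -3: MFA on VPN and admin accounts only
    "3.5.7": Status.NOT_MET,    # -1: no password complexity policy
    "3.10.3": Status.MET,
    "3.12.4": Status.MET,       # an SSP exists, so a score can be produced
    "3.13.11": Status.PARTIAL,  # -3: TLS in use, but not FIPS-validated modules
    "3.14.2": Status.MET,
}
# The same system after closing the 5- and 3-point gaps.
REMEDIATED = {**INITIAL, "3.1.1": Status.MET, "3.1.5": Status.MET,
              "3.5.3": Status.MET}

if __name__ == "__main__":
    for label, a in (("initial", INITIAL), ("remediated", REMEDIATED)):
        ok, why = poam_eligible(a)
        print(f"{label}: score={score(a)} poam_eligible={ok} {why}")
```

Running it shows the point of the caveat: the initial assessment scores 95, comfortably above 88, yet it is not eligible for a conditional certification because 3.1.1, 3.1.5 and 3.5.3 are 5- and 3-point gaps that may not be parked on a POA&M. After those three are fixed the score rises to 106 and the two remaining items (a 1-point password requirement and non-FIPS encryption at its 3-point partial value) are exactly the kind of gap a POA&M is allowed to hold.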

You can improve your score by: 

  • Ensuring your SSP is complete and up to date.  
  • Documenting all 110 NIST 800-171 controls with implementation details. 
  • Using a POA&M to track progress on missing controls.  
  • Providing evidence (such as policies, logs, screenshots, etc.) to support each control.  
  • Conducting internal audits and updating your SSP regularly. 

Remember, your SSP serves as the foundation for scoring and compliance. A well-documented SSP supports a higher score by proving implementation; if it is weak or missing details, requirements you may in fact have met get scored as unimplemented and your score drops. A strong POA&M does not recover points by itself; points come back only when items are closed and the assessment is re-scored, and not every missing requirement is even allowed on a POA&M.

How a Registered Practitioner Can Help You Prepare for Your CMMC Self-Assessment

The DoD knew that CMMC compliance would require expertise that manufacturers may not have internally. The CMMC accreditation body it established, the Cyber AB, therefore runs a program of Registered Practitioner Organizations (RPOs) and trains consultants, called Registered Practitioners (RPs), to help companies prepare. RPs advise and assist; they do not perform certification assessments. 

VC3 is a CMMC RPO with RP consultants on staff. Learn how we can help, or get in touch to talk to one of our CMMC consultants. 

Note: This article was originally published in April 2021. It was updated in December 2021 and again in May 2025. 
