CMMC · Compliance · 9 min read

The CMMC SSP and POA&M Guide

Two documents decide how your CMMC assessment starts: the System Security Plan that describes what you've done, and the POA&M that lists what you haven't. Get them right and the assessment is a verification. Get them wrong and it's an interrogation.

Kapacyber

Security Research Team

Your SSP and POA&M are the two documents a CMMC assessor opens before they look at anything else. The System Security Plan (SSP) tells the story of what you've built; the Plan of Action and Milestones (POA&M) tells the story of what you haven't finished. Together they frame the entire assessment, and they're where small shops most often either save themselves weeks or sink the whole effort.

What the SSP Has to Contain

The SSP is required by NIST SP 800-171 itself (requirement 3.12.4). It's not a marketing document: it's a precise description of your in-scope system and how each control is met.

What an Assessor Expects in Your SSP

  • Your system boundary — exactly which systems are in scope (and which aren't)
  • The CUI you handle and where it lives, enters, and leaves
  • Network diagrams and data-flow descriptions for the in-scope environment
  • A control-by-control account of how each of the 110 controls is met
  • Roles and responsibilities, including who owns the security program
  • References to the policies, procedures, and tools that back each control

Accuracy Beats Page Count

The most common SSP mistake is buying a giant template and filling it with language that describes an environment you don't actually run. An assessor tests the SSP against reality: they'll ask to see the MFA the document claims, the logs it references, the access reviews it promises. Every sentence that doesn't match what they see is a finding. A short, true SSP describing a tight CUI enclave beats a long, aspirational one every time. This is another argument for keeping your scope small; see our guide to a CUI enclave vs. full scope.

What a POA&M Is For

No small shop reaches assessment day with all 110 controls perfectly closed. The POA&M is how you show the remaining gaps are managed, not ignored: each open item gets a specific remediation step, an owner, and a target date. A clean POA&M demonstrates control of the program; a missing or vague one signals you don't know where you stand.

What CMMC Will — and Won't — Let You Defer

Here's the part that catches people. CMMC allows a conditional certification with some controls still on a POA&M, but only if you clear a minimum score threshold (for Level 2, at least 80% of the 110 possible points, i.e. a score of 88 or better) and close those items within 180 days. And critically, the highest-weighted controls, the ones worth more than a single point in the scoring methodology, generally can't go on a POA&M at all. They have to be fully met at assessment.

The practical lesson: a POA&M is a narrow, time-boxed allowance for the lighter items, not a parking lot for the hard ones. If your plan is to defer MFA or core access control to a POA&M, the plan won't work. Move the heavy, non-deferrable controls first — the same controls that move your SPRS score the most.
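The deferral rule above is easy to get wrong when you are juggling 110 line items in a spreadsheet, so here is a small checker, written as an added example for this page (it is not part of the article or a Kapacyber tool). It models each requirement with its point weight, computes the SPRS-style score (start at 110, deduct each unmet requirement's weight), and lists what would block a conditional result: a score under 88, an unmet control that isn't even on the POA&M, a deferred control worth more than one point, or a POA&M entry with no owner or a target date beyond 180 days. The weights and identifiers for the five requirements shown are taken from the DoD NIST SP 800-171 assessment methodology; the control list, owners and dates are constructed sample data; and "nothing worth more than one point may be deferred" is a deliberate simplification of the rule, which carries narrow exceptions this example does not model.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import List, Optional

# Figures from the DoD assessment methodology and the CMMC rule.
MAX_SCORE = 110          # a perfect assessment scores 110; each unmet requirement deducts its weight
CONDITIONAL_MIN = 88     # Level 2 conditional status needs at least 80% of 110
POAM_WINDOW_DAYS = 180   # POA&M items must be closed within this many days


@dataclass(frozen=True)
class Control:
    ident: str                    # NIST SP 800-171 requirement number
    weight: int                   # 5, 3 or 1 per the assessment methodology
    status: str                   # "met", "open" (on the POA&M) or "not_met" (not planned at all)
    owner: str = ""
    target: Optional[date] = None


def sprs_score(controls: List[Control]) -> int:
    """Start at 110 and deduct the weight of every requirement that is not met.
    Requirements absent from the list are assumed met."""
    return MAX_SCORE - sum(c.weight for c in controls if c.status != "met")


def conditional_blockers(controls: List[Control], assessed_on: date) -> List[str]:
    """Return the reasons this set of controls could not end in conditional status.
    An empty list means the POA&M is a valid, time-boxed allowance for light items only."""
    deadline = assessed_on + timedelta(days=POAM_WINDOW_DAYS)
    problems = []
    score = sprs_score(controls)
    if score < CONDITIONAL_MIN:
        problems.append(f"score {score} is below the {CONDITIONAL_MIN}-point threshold")
    for c in controls:
        if c.status == "not_met":
            problems.append(f"{c.ident}: not met and not on the POA&M")
        elif c.status == "open":
            if c.weight > 1:   # simplification: only 1-point items may be deferred
                problems.append(f"{c.ident}: {c.weight}-point requirement cannot be deferred")
            if not c.owner or c.target is None:
                problems.append(f"{c.ident}: POA&M entry lacks an owner or target date")
            elif c.target > deadline:
                problems.append(f"{c.ident}: target {c.target} is past the {POAM_WINDOW_DAYS}-day window")
    return problems


ASSESSED_ON = date(2025, 3, 1)   # constructed assessment date

# Constructed sample: only requirements with something to report; everything else is met.
SAMPLE = [
    Control("3.5.3", 5, "open", "IT lead", ASSESSED_ON + timedelta(days=60)),   # multifactor authentication
    Control("3.13.11", 5, "not_met"),                                          # FIPS-validated cryptography
    Control("3.12.2", 3, "met"),                                               # the POA&M itself
    Control("3.5.7", 1, "open", "IT lead", ASSESSED_ON + timedelta(days=90)),  # password complexity
    Control("3.8.4", 1, "open"),                                               # CUI media marking (no owner yet)
]


def remediate(controls: List[Control]) -> List[Control]:
    """Apply the article's advice: close every heavy (>1 point) control first,
    then give the remaining light POA&M entries an owner and an in-window date."""
    fixed = []
    for c in controls:
        if c.status != "met" and c.weight > 1:
            fixed.append(replace(c, status="met", owner="", target=None))
        elif c.status == "open" and (not c.owner or c.target is None):
            fixed.append(replace(c, owner="Ops manager", target=ASSESSED_ON + timedelta(days=120)))
        else:
            fixed.append(c)
    return fixed


if __name__ == "__main__":
    for label, controls in (("as submitted", SAMPLE), ("after remediation", remediate(SAMPLE))):
        print(f"{label}: score {sprs_score(controls)}")
        for p in conditional_blockers(controls, ASSESSED_ON) or ["no blockers"]:
            print("  -", p)
```

Run as written, the sample scores 98, comfortably over the threshold, yet still cannot go conditional because MFA is parked on the POA&M, FIPS crypto isn't planned at all, and the media-marking entry has no owner. After `remediate()` moves the two 5-point controls to met and assigns the light item an owner, the score is 108 with no blockers, which is the shape of a POA&M an assessor will accept.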

Where This Fits in the Bigger Picture

The SSP and POA&M aren't paperwork you bolt on at the end — they're the running record of the work itself. Build them as you remediate, keep them honest, and they become the spine of a smooth assessment. If you're still mapping out the whole path, start with our CMMC 2.0 explainer and our guide to preparing for a C3PAO assessment.

Free Worksheet

Track your controls with the CMMC self-assessment worksheet.

A fillable worksheet to record where each NIST SP 800-171 control stands — the raw material for an honest SSP and a clean POA&M.

Get the free worksheet

An SSP That Matches Reality

We help small manufacturers build an accurate SSP and a managed POA&M around a tight CUI enclave — documentation that holds up because it describes controls we actually operate for you.

See CMMC Readiness Support