The System Security Plan is the first document a C3PAO reads, and the one most small contractors get wrong. Here is what NIST 800-171 control 3.12.4 requires, what an assessor looks for, and the template practitioners use to produce it.

Under CMMC Level 2, your System Security Plan (SSP) is not a formality. It is the document a Certified Third-Party Assessment Organization (C3PAO) opens first, and it is the map the assessor uses to plan and run the entire assessment. NIST SP 800-171 control 3.12.4 requires you to develop, document, and periodically update a plan that describes your system boundary, your operating environment, how each of the 110 security requirements is implemented, and how your system connects to or relates to other systems.

A blank template does not do that. The work is the mapping: 110 requirements, each with an implementation narrative specific to your environment. Most free SSP templates are empty shells. They give you headings, not the structure that holds up when an assessor cross-references your plan against the 320 assessment objectives in NIST SP 800-171A.

This page covers what a compliant CMMC SSP contains, what the assessor reads, and the done-for-you template (Word + Excel) that produces one.

What a CMMC SSP actually is (NIST 800-171 control 3.12.4)

The SSP is the single document that describes how your organization meets NIST SP 800-171 Rev 2, the 110-requirement baseline that CMMC Level 2 is assessed against. (Rev 3 was published in 2024 but is not the CMMC assessment standard. See the FAQ.)

Control 3.12.4 requires the plan to describe, at minimum:

  • the system boundary (what is in scope, what is not)
  • the operational environment (where and how the system runs)
  • how each of the 110 requirements is implemented in your environment
  • the relationships and connections to other systems

This is not optional paperwork. DFARS clause 252.204-7012 obligates you to safeguard Controlled Unclassified Information per NIST 800-171, and clauses 252.204-7019 and 7020 require a current Supplier Performance Risk System (SPRS) score. You cannot honestly produce that score without an SSP that documents your actual state.

What a C3PAO assessor reads in your SSP

A Level 2 assessment is conducted against NIST SP 800-171A, which breaks the 110 requirements into 320 assessment objectives evaluated by three methods: examine, interview, and test. The assessor uses your SSP to:

  • scope the assessment (your documented boundary defines what gets assessed)
  • locate the evidence for each objective (your implementation narratives point to it)
  • evaluate each of the 320 objectives; a requirement is scored MET only when every objective under it is satisfied (or is NOT APPLICABLE with a documented justification)

If your SSP claims a requirement is implemented but the narrative is vague or the evidence does not exist, the objective is not satisfied and the whole requirement is scored NOT MET. An SSP that overstates your posture is also the exact gap that creates False Claims Act exposure, because your SPRS score is built from what the SSP claims. As Phase 2 third-party assessments roll out (beginning November 10, 2026 under the phase-in schedule in 32 CFR Part 170), the SSP stops being an internal document and becomes the thing an external assessor grades you on.

Why a free or blank SSP template will not survive an assessment

Search "CMMC SSP template free download" and you will find blank shells. They are not wrong. They are just empty. The difference between a blank template and a passing SSP is the part that takes the time:

  • mapping all 110 requirements to your actual systems, not generic boilerplate
  • writing implementation narratives an assessor can trace to real evidence
  • documenting the boundary and connections precisely enough to scope cleanly

A blank Word doc gives you none of that structure. An enterprise GRC platform gives you far more than a 12-person shop needs, at a price to match. What works for a small contractor is a structured, pre-built template that already maps the 110 requirements and prompts you for the specifics only you can supply.

What a real CMMC SSP entry looks like

A complete SSP documents all 110 requirements in a consistent structure. Here is a single requirement as it appears in a finished plan, one of 110:

REQUIREMENT 3.1.1 (AC.L2-3.1.1)
Limit system access to authorized users, processes acting on behalf of authorized users, and devices.

Implementation status: Implemented
Responsibility: Contractor
Implementation narrative: Access to the in-scope system is limited to named users provisioned through the organization identity provider. Accounts are role-based, reviewed quarterly, and disabled within a defined window of personnel separation. Device access is restricted to enrolled, compliant endpoints managed through the organization MDM. Service accounts are recorded in the asset inventory and limited to least privilege.
Evidence: identity provider user and role export, quarterly access review records, MDM enrollment report, offboarding tickets.

Now multiply that by 110, in a structure an assessor can move through quickly. That structure is what the template provides.
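Before an assessor cross-references the tracker, the same checks can be run mechanically. The script below is an added example, not part of the template or of this page's original content: it reads a CSV export of the tracking view (column names are assumed; the rows are constructed, and the weights are illustrative rather than the official DoD Assessment Methodology values), confirms all 110 Rev 2 requirement IDs are present, flags every "Implemented" claim whose narrative is a placeholder or whose evidence field is empty (the exact gap that produces a NOT MET), and computes the SPRS score the tracker implies.

```python
"""Consistency checks on an SSP requirement tracker (CSV export of the Excel
view) before a C3PAO reads it. Added example, not the template's own code.
Column names are assumed; the sample rows and weights are constructed."""
import csv
import io

# Requirement counts per NIST SP 800-171 Rev 2 family (3.1 through 3.14).
# IDs within a family are numbered consecutively, which yields the 110-item set.
FAMILY_SIZES = {1: 22, 2: 3, 3: 9, 4: 9, 5: 11, 6: 3, 7: 6, 8: 9,
                9: 2, 10: 6, 11: 3, 12: 4, 13: 16, 14: 7}
ALL_IDS = {f"3.{fam}.{n}" for fam, size in FAMILY_SIZES.items()
           for n in range(1, size + 1)}
VALID_STATUS = {"Implemented", "Partially Implemented",
                "Not Implemented", "Not Applicable"}
PLACEHOLDERS = ("tbd", "todo", "[insert", "lorem")
MIN_NARRATIVE_CHARS = 40  # crude heuristic for "too thin to trace"; assumed

# Constructed tracker excerpt (five of 110 rows). The weight column is
# illustrative only; take real point values from the DoD Assessment Methodology.
SAMPLE_CSV = """requirement_id,status,responsibility,narrative,evidence,weight
3.1.1,Implemented,Contractor,"Access limited to named users provisioned through the IdP; role-based; reviewed quarterly.","IdP export; access review records",5
3.1.2,Implemented,Contractor,TBD,,5
3.5.3,Not Implemented,Contractor,"MFA rollout scheduled; tracked in POA&M.",,5
3.13.11,Implemented,Contractor,"FIPS-validated modules used for CUI in transit.",,3
3.12.4,Implemented,Contractor,"SSP maintained in this document; reviewed annually.","This SSP; change log",1
"""


def load_tracker(text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def check_tracker(rows):
    """Return (requirement_id, problem) tuples an assessor would also find:
    unknown or missing requirements, invalid status values, and Implemented
    claims with no traceable narrative or evidence pointer."""
    findings = []
    seen = set()
    for r in rows:
        rid = r["requirement_id"].strip()
        status = r["status"].strip()
        seen.add(rid)
        if rid not in ALL_IDS:
            findings.append((rid, "unknown requirement id"))
        if status not in VALID_STATUS:
            findings.append((rid, f"invalid status {status!r}"))
        if status == "Implemented":
            narrative = r["narrative"].strip()
            if (len(narrative) < MIN_NARRATIVE_CHARS
                    or any(p in narrative.lower() for p in PLACEHOLDERS)):
                findings.append((rid, "narrative is placeholder or too thin to trace"))
            if not r["evidence"].strip():
                findings.append((rid, "claimed Implemented with no evidence pointer"))
    # Completeness: every one of the 110 IDs must appear in the tracker.
    missing = ALL_IDS - seen
    for rid in sorted(missing, key=lambda s: [int(p) for p in s.split(".")]):
        findings.append((rid, "requirement missing from tracker"))
    return findings


def sprs_score(rows):
    """Score as the tracker states it: 110 minus the weight of every row not
    marked Implemented. The methodology's partial-credit rules (3.5.3, 3.13.11)
    and its handling of Not Applicable are deliberately not modelled here."""
    score = 110
    for r in rows:
        if r["status"].strip() != "Implemented":
            score -= int(r["weight"])
    return score


if __name__ == "__main__":
    tracker = load_tracker(SAMPLE_CSV)
    for rid, problem in check_tracker(tracker):
        if problem != "requirement missing from tracker":
            print(f"{rid}: {problem}")
    print("rows present:", len(tracker), "of", len(ALL_IDS))
    print("SPRS score implied by tracker:", sprs_score(tracker))
```

Run it against the real export and every "claimed Implemented with no evidence pointer" line is a requirement to fix or honestly downgrade before the SPRS score is posted, not after the assessor finds it.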

The CyberZ CMMC SSP Template (Word + Excel)

The CMMC Level 2 System Security Plan (SSP) Template gives you the full structure pre-built: all 110 NIST 800-171 Rev 2 requirements laid out with implementation-status fields, responsibility assignment, narrative prompts, and an evidence column. Word holds the narrative document an assessor reads; Excel holds the tracking view you work from. You supply your environment. The framework is done.

                                  Free / blank template   CyberZ SSP Template ($77)   Consultant-built
110 requirements pre-mapped       No                      Yes                         Yes
Implementation narrative prompts  No                      Yes                         Varies
Evidence tracking (Excel)         No                      Yes                         Varies
You keep control of edits         Yes                     Yes                         Limited
Cost                              $0                      $77                         Thousands

CMMC Level 2 System Security Plan (SSP) Template

All 110 NIST 800-171 Rev 2 requirements pre-mapped, with implementation-status fields, responsibility assignment, narrative prompts, and evidence tracking. Word + Excel.

Get the SSP Template ($77)

If you are assembling the whole assessment package before a C3PAO date, not just the SSP, the CMMC Level 2 Readiness Kit: 5 NIST 800-171 Tools ($147) bundles this SSP template with the SPRS score workbook, asset scoping worksheet, evidence tracker, and POA&M tracker. Together they cover scoping, scoring, evidence collection, and remediation tracking in one set, for contractors who need the full readiness package rather than a single document.

Frequently asked questions

What is an SSP in CMMC?

A System Security Plan is the document required by NIST SP 800-171 control 3.12.4 that describes your system boundary, your operating environment, and how you implement each of the 110 Level 2 security requirements. It is the primary document a C3PAO assessor reviews.

Is an SSP required for CMMC Level 2?

Yes. The SSP is a required artifact. You cannot produce an accurate SPRS score (required by DFARS 252.204-7019 and 7020) or undergo a Level 2 assessment without one, and a missing SSP is treated as a fundamental gap.

What should a CMMC SSP include?

Your system boundary and scope, the operational environment, an implementation narrative for each of the 110 NIST 800-171 Rev 2 requirements, the responsibility for each, the location of supporting evidence, and the connections to other systems.

Who writes the SSP for CMMC?

The contractor owns and maintains the SSP. It can be drafted internally, with a template, or with a consultant, but the organization is responsible for its accuracy, because both the SPRS score and the C3PAO assessment rely on it.

Can I use a free CMMC SSP template?

A free template can give you the headings, but not the mapped structure or the implementation detail an assessor checks against the 320 objectives in NIST SP 800-171A. The work is the content, not the blank document.

Is the CMMC SSP based on NIST 800-171 Rev 2 or Rev 3?

Rev 2. CMMC Level 2 is assessed against NIST SP 800-171 Rev 2 (110 requirements) under a current DoD class deviation. NIST published Rev 3 in 2024, but it is not yet the CMMC assessment baseline and no transition date has been set.