The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base

STATUS — Phase II suspended . SSP obligations, self-assessments, and False Claims Act exposure all remain.

The Department suspended the planned Level 2 (C3PAO) transition. Level 1 and Level 2 self-assessments, DFARS 252.204-7012, NIST SP 800-171 Revision 2, and government assessments remain in force. Your SSP is still the document behind the score you affirm. See what changed and what didn’t.

Is My SSP Defensible? A 24-Point CMMC Level 2 Test

By The Defense Compliance Report Editorial Team · Last reviewed · Last verified

Editorial research — not formally reviewed by a CMMC Subject Matter Advisor. Verify scope and applicability with a Registered Practitioner before acting.

Is my SSP defensible? Only if the document matches the system you actually run. That means the CUI boundary is drawn correctly, all eight assessment objectives of the System Security Plan requirement (CA.L2-3.12.4) are satisfied, every requirement you mark “implemented” leads to evidence someone could examine today, and the plan reconciles with the score and affirmation sitting in your SPRS record. A polished template proves none of that. A 120-page binder proves none of that.

Here’s the part most contractors miss: the CMMC Phase II suspension did notmake this question go away. It made it sharper. Level 2 self-assessments, selected government-led assessments, and False Claims Act risk all remain after the pause. Your SSP is still the document behind the score you affirm — and, as the 2025 MORSECORP and 2026 LOGZONE settlements show, the gap between what an SSP claims and what a company can prove is exactly what the government pursues.

Below is the 24-point test we built to tell you where your SSP actually stands — Stop, Conditionally defensible, or ready for independent validation — with the primary sources behind every regulatory claim. You can run the short version in about two minutes.

The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures. We are not affiliated with the Cyber AB, the Department of Defense, or any CMMC assessor, provider, or vendor.

Where things stand right nowverified

Two regulatory events reshaped the landscape in 2026, and you need both to read your own risk correctly.

February 1, 2026 — the deviation changed which clauses contracting officers are directed to use. Under the Revolutionary FAR Overhaul, the Department of Defense issued Class Deviation 2026-O0025, effective February 1, 2026. It directs contracting officers to use a new FAR Part 40 and DFARS Part 240 structure — including DFARS 252.240-7997 for covered government Medium and High assessment requirements. The codified 252.204-7019 and -7020 remain relevant to legacy text and cross-references, and 252.204-7012 and -7021 remain prescribed. Verify the actual clause in your contract.

November 10, 2025 to July 13, 2026 — the phase timeline changed. The original Phase 1 window began November 10, 2025. On , the Department suspended the planned November 10, 2026 Phase II transition and pending and future implementation milestones, pending a 60-day review. Phase I self-assessments continue. Government Medium and High assessments remain available where the applicable clause and requirement authorize them.

The net effect for you: where the applicable solicitation, contract, subcontract, or CMMC requirement calls for it, the assessment and the documentation behind it remain due, self-assessed, and subject to government review. A High assessment includes verification, examination, and demonstration of your SSP.

SSP defensibility signals: defensible direction vs. stop signals
SignalDefensible directionStop signal
DocumentA current SSP, or coordinated document set, for every in-scope systemA draft, a template, or a stale copy
BoundaryMatches actual CUI flow and in-scope asset categoriesMaterial systems or locations omitted
EvidenceClaims lead to examine, interview, or test supportPolicies or screenshots with nothing operating behind them
RepresentationSSP, scope, CAGE codes, SPRS result, and affirmation reconcileDifferent boundaries, or a result you can’t reproduce

Run the SSP Defensibility Check

This is the short version of our 24-point test.Answer each item honestly — yes, no, or not sure. It runs entirely in your head; it collects nothing. Do not enter CUI, drawings, credentials, screenshots, network diagrams, export-controlled data, or contract details anywhere. If you answer “no” or “not sure” to any of the first seven, treat that as a hard stop and read the section it points to.

The seven that stop everything

  1. 1

    Can you produce a controlled, current SSP — or a coordinated set of referenced documents — that describes every information system in your assessment scope?

    If no → the required current plan doesn’t exist yet.

  2. 2

    Does the documented CUI boundary match where CUI actually lives — email, printers, file shares, laptops, the shop floor, home offices?

    If no → your boundary is wrong.

  3. 3

    Does the SSP describe how each applicable requirement is implemented, in your own words — not just restate the requirement?

    If no → you have a table of contents, not a plan.

  4. 4

    Does every requirement you’ve treated as "not applicable" have the designated-authority determination or other support the rule allows?

    If no → “N/A” is hiding “not done.”

  5. 5

    Is every cloud provider and external service that processes CUI or provides an in-scope security function documented, with its responsibilities mapped?

    If no → a required objective may have no supportable owner.

  6. 6

    If you pulled a random "implemented" requirement, could your team point to the examine, interview, or test support that backs it — without digging through an unowned pile?

    If no → your evidence is thinner than your document.

  7. 7

    Do your SSP, CAGE code(s), CMMC Unique Identifier, and posted SPRS result all describe the same system?

    If no → your representation and your reality point at different boundaries.

The rest — where “conditionally defensible” is decided

Is the SSP written to the objective level, not just the requirement level? Does each asset fall into one of the five Level 2 asset categories? Do your network diagrams agree with the SSP? Does sample evidence agree with the narratives? Can the people named in the SSP explain their own processes? Has anything material changed since the last update? Is future-tense work clearly separated from what’s running now? Is the review cadence defined and followed? Does the SSP reconcile to your SPRS result, CAGE codes, and CMMC UID? Version control, change triggers, named ownership — all of it feeds the full 24-point matrix below.

Your result:

  • HARD STOPAny hard stop failed → STOP. Do not rely on this SSP to support a self-assessment, an affirmation, or a government review until you fix the failure. Freeze the current version first.
  • CONDITIONALHard stops pass, but “conditional” items are shaky → CONDITIONALLY DEFENSIBLE. The bones are there; scope, evidence, currency, or governance gaps remain. This is repairable, usually without starting over.
  • READYHard stops pass and no material contradiction surfaced → READY FOR INDEPENDENT VALIDATION. No hard stop was identified by this self-check. That does not establish that the SSP will withstand a Level 2 self-assessment, a government assessment, or a certification assessment — it means it’s strong enough to put in front of one.

Find the failure before you pay anyone to review it. The full interactive version of this check identifies the likely weak layer and the category of work normally required to investigate it.

It can be completed without submitting the contents of your SSP or any CUI.

Run the Full SSP Defensibility Check ↓

What makes an SSP defensible?

A defensible System Security Plan is current, accurate, and complete enough that a knowledgeable outsider can trace every claim to the real system and to evidence. It does not require a particular format or page count. It requires that the boundary, the environment, the implementation of each applicable requirement, the connections to other systems, and the update process are all documented clearly and match what you actually operate. Source: CMMC Assessment Guide – Level 2 v2.13.

Let’s be precise about a word we’re using deliberately. “Defensible” is our editorial shorthand — it is notan official CMMC status, a certification, a score, or a legal conclusion. We use it to mean an SSP that would hold up under the two examinations that actually happen: an assessment that checks whether your implementation matches your plan, and — if your posted score is ever questioned — False Claims Act scrutiny of the representation behind it. Both come down to the same question: can a reviewer trace every claim to the real system and to evidence?

That distinction trips people up, because there’s a difference between a complete SSP and a defensible one.

Complete vs defensible SSP comparison
A complete SSP…A defensible SSP…
Has every section filled inHas every section reconciled to the real environment
Names your toolsExplains where and how each tool is configured, and who runs it
Says a requirement is “in place”Points to the log, config, ticket, or record that proves it
Was updated this yearReflects the system as it exists this week
Looks impressive to leadershipHolds up when a trained assessor pulls one thread

A document can be complete and still be wrong. Defensibility lives in the second column.

The four decisions your SSP may have to support.Your SSP is not a filing exercise. It’s the artifact underneath four separate, consequential representations: a CMMC Level 2 self-assessment and the score it produces (32 CFR 170.16); your annual affirmation of continuing compliance, signed by an Affirming Official (32 CFR 170.22); a potential government-led Medium or High assessment under DFARS 252.240-7997; and False Claims Act exposure if the representation behind your score turns out to be materially unsupported. Each one points back to the same plan.


Is my SSP defensible? Start with the seven hard stops

Some SSP problems are ordinary editing. Seven are not.No current SSP, a materially wrong boundary, requirements that are restated instead of implemented, unsupported “not applicable” claims, hidden service-provider dependencies, live evidence that contradicts the plan, and a mismatch between the SSP and the system you actually reported — any one of these means the document should not currently support a consequential representation.

Source classification: the missing-current-SSP requirement, the eight CA.L2-3.12.4 objectives, CMMC scoping rules, and the SPRS fields come from the cited official sources. The seven-stop grouping, ordering, contradiction tests, and repair sequence are The Defense Compliance Report’s editorial diagnostic method — not seven separately named government “hard stops.”

1

Hard stop 1There’s no controlled, current SSP.

The official Level 2 guidance is blunt: the absence of an up-to-date SSP at the time of assessment results in a finding that the assessment could not be completed, and constitutes noncompliance with DFARS 252.204-7012. And you cannot put “no SSP” on a Plan of Action and Milestones — CA.L2-3.12.4 is expressly ineligible for a CMMC Level 2 POA&M under 32 CFR 170.21. A scattered set of policies, old templates, or draft text in a shared drive is not a controlled, current SSP.

2

Hard stop 2The CUI boundary is materially wrong.

The moment an assessor finds Controlled Unclassified Information living somewhere the SSP doesn’t describe — a shared mailbox, a workstation that was “supposed to be out of scope,” a cloud app nobody listed — every downstream claim is in question. If the boundary is wrong, the requirements built on top of it are wrong too.

3

Hard stop 3The plan restates requirements but never describes implementation.

“The organization employs boundary protection” is not an implementation statement. It’s the requirement, copied. An assessor cannot mark a requirement “Met” from language that could have been pasted from the standard.

4

Hard stop 4“Not applicable” has no defensible basis.

N/A is legitimate — a public-access separation requirement can be N/A if you have no publicly accessible systems. But N/A used as a quiet synonym for “we haven’t done this yet” is a finding waiting to happen. If an authorized DoD CIO representative has adjudicated a requirement as non-applicable or approved an alternative, equally effective security measure, retain that approval and identify the treatment in the SSP so it counts.

5

Hard stop 5A service provider is relied on but not mapped.

“Our MSP handles security” is not documentation. If a cloud provider or other External Service Provider (ESP) that processes CUI performs part of a requirement — or supplies an in-scope security function — the SSP has to say which part is theirs, which part is yours, and where the evidence lives. Otherwise a required objective can end up with no owner, or two owners who each assume the other did it.

6

Hard stop 6Live evidence contradicts the SSP.

The SSP says multifactor authentication is enforced everywhere; one in-scope path bypasses it. That’s not a small discrepancy. It tells the assessor the document can’t be trusted, and it colors every other requirement they look at.

7

Hard stop 7The SSP and the reported system don’t line up.

One enterprise SSP is being used to support a score that was really scoped to a small enclave. When the CAGE codes, the CMMC Unique Identifier, the SPRS record, and the SSP don’t describe the same information system and boundary, your representation and your reality are pointing in different directions — and the representation is the thing the government relies on.

Seven hard stop summary: why it's fatal and the first move
Hard stopWhy it’s fatalFirst move
No current SSPAssessment can’t start; can’t be POA&M’dBuild the SSP before anything else
Wrong boundaryEvery requirement built on it is suspectRe-map CUI flow, then rescope
Requirements restated, not implementedAssessor can’t mark “Met”Rewrite to describe what actually happens
Unsupported N/AHides an unmet requirementJustify or reclassify each N/A
Unmapped providerA required objective has no ownerBuild a shared-responsibility matrix
Evidence contradicts planDestroys document credibilityReconcile the claim to reality before assessment
SSP ≠ reported systemThe representation is unsupportableReconcile SSP, CAGE, UID, and SPRS

Now the honest admission, because you deserve it before we go further: a short SSP can be perfectly defensible, and a 200-page SSP can be indefensible. The official Level 2 guide prescribes no format and rewards no page count. It requires sufficient, current information— enough to make the scope, environment, implementation, connections, and update process understandable and verifiable, and it explicitly allows the plan to be a coordinated collection of referenced documents. Length is not defensibility. Agreement between the document, the system, and the evidence is defensibility. That’s good news: the fix is usually reconciliation, not a rewrite from scratch.

See exactly which hard stop applies to you. The SSP Defensibility Check walks all seven, then the full 24 points, and tells you which layer to repair first.

Run the SSP Defensibility Check ↓

The 24-Point SSP Defensibility Matrix

This is the full test the seven hard stops are drawn from.It has five layers: the official SSP gate, scope and provider fidelity, implementation-to-evidence traceability, operational truth, and the SPRS/affirmation reconciliation. Each check is labeled by source — an official requirement or guidance you can trace to a rule, or a DCR operational test, which is our editorial method for catching contradictions, not an added government requirement. The matrix produces one of three states. It never assigns a number, because a self-reported check cannot produce a score.

Layer A — The official SSP gate (CA.L2-3.12.4)

Source: CMMC Assessment Guide – Level 2 v2.13.

24-point matrix Layer A: official SSP gate
#Defensibility checkSourceWhat “pass” looks like (and the stop signal)Stop / conditionalLikely repair owner
1Current SSP or document set for every in-scope systemOFFICIALOfficial guidanceA controlled, current plan you can produce — not a draft or scattered fragments HARD STOPRP/RPO
2System boundary describedOFFICIALOfficial guidanceBoundary reconciles to CUI flow and diagrams — not a boundary that differs from the real tenant, network, and users HARD STOPScoping lead + technical owner
3Environment of operation describedOFFICIALOfficial guidancePhysical, cloud, remote, and personnel context — not a tool list with no operating context HARD STOPReadiness consultant + IT
4Non-applicable requirements identified with supportOFFICIALOfficial guidanceEach N/A has a defensible basis and any required determination — not “N/A” standing in for “not done” HARD STOPRequirement owner + RP/RPO
5Implementation method described for each applicable requirementOFFICIALOfficial guidanceA specific narrative or incorporated reference — not the requirement copied verbatim HARD STOPDocumentation lead + technical owners
6Relationships and connections to other systems documentedOFFICIALOfficial guidanceInterconnections and providers mapped — not the MSP, cloud, or identity provider omitted HARD STOPArchitect + provider manager
7Update frequency definedOFFICIALOfficial guidanceA stated cadence (at least annually) — not “reviewed periodically” HARD STOPGovernance owner
8SSP actually updated at that frequencyOFFICIALOfficial guidanceVersion history and approval evidence — not a date changed with nothing reconciled HARD STOPSSP owner

Layer B — Scope and provider fidelity

Source: 32 CFR 170.19; CMMC Level 2 Scoping Guide v2.13.

24-point matrix Layer B: scope and provider fidelity
#Defensibility checkSourceWhat “pass” looks like (and the stop signal)Stop / conditionalLikely repair owner
9CUI data flows reconcile to the boundaryDCR TESTDCR testReceipt, creation, use, storage, transmission, printing, backup, and disposition all fit the boundary — not email, printers, mobile, or shop-floor paths left out HARD STOPif materially wrong / if omissions change scope / if relied upon / if a required objective has no owner / if it falsely reduces scopeCUI scoping lead
10The four in-scope asset categories are covered; out-of-scope is justifiedOFFICIALDCR TESTOfficial + DCRAssets categorized and treated consistently — not everything called a “CUI Asset” while security or specialized assets disappear HARD STOPif materially wrong / if omissions change scope / if relied upon / if a required objective has no owner / if it falsely reduces scopeAsset owner + RP/RPO
11Network and data-flow diagrams agree with the SSPDCR TESTDCR testNames, zones, connections, and providers match — not a diagram showing a tenant the SSP never mentionsCONDITIONALArchitect/network owner
12CSP/ESP relationships and services documentedOFFICIALOfficialRole, service, data handled, and responsibility boundary explicit — not “our MSP handles security” HARD STOPif materially wrong / if omissions change scope / if relied upon / if a required objective has no owner / if it falsely reduces scopeVendor manager + SSP owner
13Shared/inherited responsibilities reconcile to the CRMOFFICIALDCR TESTOfficial + DCREvery shared objective has a contractor or provider owner and an evidence path — not both parties assuming the other performs it HARD STOPif materially wrong / if omissions change scope / if relied upon / if a required objective has no owner / if it falsely reduces scopeProvider manager + requirement owner
14Out-of-scope assertions are supportableOFFICIALDCR TESTOfficial + DCRYou can show why the asset cannot process, store, or transmit CUI and provides no security protection, or how it’s separated — not “users are told not to” treated as technical inability HARD STOPif materially wrong / if omissions change scope / if relied upon / if a required objective has no owner / if it falsely reduces scopeScoping lead + counsel where needed

Layer C — Implementation-to-evidence traceability

Source: NIST SP 800-171A; CMMC Assessment Guide – Level 2 v2.13.

24-point matrix Layer C: implementation-to-evidence traceability
#Defensibility checkSourceWhat “pass” looks like (and the stop signal)Stop / conditionalLikely repair owner
15Every applicable requirement traces to an implementation descriptionOFFICIALDCR TESTOfficial + DCREach points to a narrative or incorporated document — not blank sections or references to missing files HARD STOPif material coverage is absentSSP author + requirement owners
16Narratives identify who, what, where, how, and frequency where relevantDCR TESTDCR testA knowledgeable person can understand and verify the process — not “access is controlled according to policy”CONDITIONALDocumentation lead
17Each applicable objective has a plausible examine, interview, or test pathDCR TESTDCR testYou know what can be examined, who can be interviewed, what can be tested — not one screenshot expected to prove an entire requirementCONDITIONALEvidence/GRC owner
18Provider inheritance and policy references don’t stand in for operating evidenceDCR TESTDCR testProvider authorization, CRM, your configuration, and your operating artifacts are distinct — not “FedRAMP authorized” treated as proof of your configurationCONDITIONALCloud owner + evidence owner

Layer D — Operational truth and change control

Source: DoD CMMC FAQ; CA.L2-3.12.2.

24-point matrix Layer D: operational truth and change control
#Defensibility checkSourceWhat “pass” looks like (and the stop signal)Stop / conditionalLikely repair owner
19Sample configurations, logs, tickets, and records agree with the SSPDCR TESTDCR testRepresentative evidence confirms the claim — not “MFA is enforced” while an in-scope path bypasses it HARD STOPwhen materially contradictoryTechnical requirement owner
20Personnel can explain the process, and recurring controls produce recurring evidenceDCR TESTDCR testInterview answers and time-series evidence align with the written process — not a one-time screenshot or staff who contradict the narrativeCONDITIONALProcess owner + managers
21Present implementation is separated from planned work, operational plans of action, CMMC POA&Ms, and enduring exceptionsOFFICIALDCR TESTOfficial + DCRThe SSP describes current state; future work is unmistakably separate — not “will implement” presented as Met HARD STOPif future state is shown as currentSSP owner + program lead

Layer E — SPRS, affirmation, and governance

Source: 32 CFR 170.16, 170.22; DFARS 252.204-7021.

24-point matrix Layer E: SPRS, affirmation, and governance
#Defensibility checkSourceWhat “pass” looks like (and the stop signal)Stop / conditionalLikely repair owner
22SSP, scope, CAGE codes, SPRS result, affirmation, and (where 252.204-7021 applies) CMMC UID identify the same systemOFFICIALDCR TESTOfficial + DCRThe same information system runs through every artifact — not one enterprise SSP supporting a score scoped to a different enclave HARD STOPCMMC program owner
23The result and affirmation are reproducible from current evidenceOFFICIALDCR TESTOfficial + DCRAn independent reviewer could reach the submitted conclusion from retained evidence — not a score based on estimates or an outdated state HARD STOPAssessment lead + Affirming Official
24Version control, material-change review, approval, and ownership are functioningDCR TESTDCR testNamed owner, version history, review evidence, and change triggers exist — not a document nobody owns between annual datesCONDITIONALGovernance owner

This matrix is a readiness diagnostic, not a CMMC assessment result. A Level 2 (Self) assessment is conducted by your organization under 32 CFR 170.16; a Level 2 certification assessment is conducted by an authorized or accredited C3PAO under 32 CFR 170.17; a Level 3 certification assessment is conducted by DCMA DIBCAC under 32 CFR 170.18.


What does CA.L2-3.12.4 actually require? The eight objectives

The SSP requirement isn’t vague. CMMC breaks it into eight assessment objectives, [a] through [h], and an assessor checks each one.If any applicable objective cannot be determined Met, CA.L2-3.12.4 is not Met — and because it’s the roadmap for the whole assessment, that’s a bad place to fail. Source: CMMC Assessment Guide – Level 2, Version 2.13; NIST SP 800-171A.

Every one of the 110 Level 2 security requirements maps to NIST SP 800-171 Revision 2 and breaks into assessment objectives — 320 of them across the 14 requirement families. The SSP requirement is where eight of those objectives live. Here’s the plain-English version.

CA.L2-3.12.4 eight assessment objectives
ObjectiveThe question it answersWhat “Met” looks likeWhere it goes wrong
[a] Plan developedCan you produce the current plan?A controlled, current SSP or coordinated document set for every in-scope systemDraft, or scattered fragments nobody owns
[b] Boundary documentedWhat system is being described?A boundary that reconciles to CUI flow and diagramsNarrative boundary ≠ actual tenant, network, users
[c] Environment documentedWhere and how does it operate?Physical, cloud, remote, and personnel contextA tool list with no operating context
[d] Non-applicable requirements identifiedWhich requirements are approved as N/A?Each N/A has a defensible basis and any required determination“N/A” used for “not done”
[e] Implementation method describedHow is each applicable requirement met?A specific narrative or incorporated referenceThe requirement copied verbatim
[f] Relationships documentedWhat connects to or supports this system?Interconnections and providers mappedThe MSP, cloud, or identity provider omitted
[g] Update frequency definedWhen must the plan be reviewed?A stated cadence (at least annually)“Reviewed periodically,” with no frequency
[h] Updated as definedDid the reviews actually happen?Version history and approval evidenceThe date changed, but nothing was reconciled

Two things worth burning into memory. First, “no prescribed format” does not mean “no content standard.” You can structure the SSP however you like — even as a coordinated set of referenced documents — but the eight objectives still have to be satisfiable. Formal leadership approval is a sound governance practice we recommend, but note that it is not one of the eight objectives unless your contract, policy, or procedure requires it. Second, you do nothave to stuff every individual asset inside the SSP. The Level 2 Scoping Guide is explicit that assets must be inventoried, categorized, and shown in your scope documentation and diagrams, and their treatment documented — but the SSP itself doesn’t need to embed each one. Confusing the asset inventory with the SSP is a common way to make both worse.


Does my SSP match my actual CUI boundary?

Your boundary is defensible only when the CUI data flow, the asset inventory, the network diagrams, and the SSP all tell the same story. A boundary that omits a CUI Asset, a Security Protection Asset, a Contractor Risk Managed Asset, a Specialized Asset, or an applicable ESP service will quietly undermine every implementation claim built on top of it. Source: 32 CFR 170.19; CMMC Level 2 Scoping Guide v2.13.

Reconcile it in this order, following the data rather than the org chart: where CUI is received and created, then where it’s processed, stored, and transmitted, then printing and physical handling and disposition, then the security-protection functions around it, then the providers and interconnections — and only then check that your inventory and diagrams agree with the SSP.

The reason this matters so much is that CMMC Level 2 scoping sorts everything into five asset categories, and they don’t carry the same obligations. The four in-scope categories carry the asset-inventory, SSP-treatment, and network-diagram requirements specified in 32 CFR 170.19(c). Out-of-Scope Assets carry a justification obligation — not those same documentation and assessment requirements.

CMMC Level 2 asset categories: scope and SSP obligations
Asset categoryIn scope?What the SSP must address / what you must be ready to justifyThe trap
CUI AssetYesTreatment and implementation for the requirement setOnly storage systems listed; processing paths omitted
Security Protection AssetYes, for relevant functionsThe security capability it provides and its treatmentSIEM, identity, firewall, or backup left out
Contractor Risk Managed AssetIn scope; treatment-dependentRisk-based treatment and rationale“Not intended for CUI” treated as “out of scope”
Specialized AssetIn scope, with specified treatmentThe asset’s limitation and how it’s handledOT, test equipment, or legacy systems ignored
Out-of-Scope AssetNo, if criteria are metWhy the asset can’t process, store, or transmit CUI and provides no security protection, or how it’s separated — retaining that rationale is a DCR practice; the rule assigns no CMMC assessment requirement to the assetA policy telling users “don’t” mistaken for technical inability

The edge cases are where most boundaries quietly break: remote workers and home offices, printed CUI, multifunction printers, removable media, shop-floor and operational-technology equipment, backup and disaster recovery, security logs, identity providers, shared enterprise services, and test and development environments. Treat corporate-system reachability, new facilities, and acquisitions as immediate scoping triggers— not automatic classifications. Classify each affected asset under 32 CFR 170.19(c) based on whether it processes, stores, or transmits CUI; provides security protection; can but isn’t intended to handle CUI; is specialized; or meets the out-of-scope criteria.

The right CMMC provider isn’t the same for every contractor — the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist.

Provider matching may generate referral or lead-routing compensation, disclosed at the point of recommendation. Compensation does not control the category result.

Map my gap to a provider category →

Are my MSP, MSSP, and cloud responsibilities defensible?

Using a service provider does not automatically transfer all of your responsibility to that provider.Your SSP, the service description, and the Customer Responsibility Matrix (CRM) have to show the actual split of responsibilities and the evidence you can produce. “FedRAMP authorized” describes the platform; it does not prove your configuration or your operation. Source: 32 CFR 170.16 and 170.19; CMMC Level 2 Scoping Guide v2.13.

Stop at four sentences and the SSP hasn’t documented the split: “Microsoft hosts our data.” “Our MSP handles security.” “The platform is FedRAMP authorized.” “The MSSP monitors the logs.” The missing detail may live in an incorporated service description or CRM — but the SSP has to lead the reviewer to it.

What a defensible SSP does instead is reconcile shared responsibility control by control. For every objective a provider touches, the SSP (or a referenced matrix) should name the service and offering, the data or Security Protection Data involved, exactly which piece the provider performs versus what your team performs, how the provider connects to your systems, and what evidence youcan hand an assessor. Build it as a simple table — objective, what the provider states, what you state, who owns the evidence, and the gap — and it surfaces the two high-risk responsibility gaps that sink assessments: each party assumes the other performs the objective, or both claim it without a supportable evidence path.

One more distinction worth getting right: not every vendor is a CMMC ESP. Under 32 CFR 170.19, a service provider that processes neither CUI nor Security Protection Data does not meet the CMMC definition of an ESP. And here’s the honest limit of the cloud shortcut: a compliant or authorized platform can take real infrastructure burden off your plate, but it does not write your SSP, configure every customer-side control, operate your processes, or generate your evidence. That’s not a reason to avoid a strong platform — it’s a reason to document the seam between what the platform does and what you still own.

See also: CMMC External Service Provider Assessment — when your MSP, MSSP, or cloud lands in scope and what the evidence checklist requires.


Does every claim in my SSP lead to evidence?

A defensible implementation statement tells a reviewer what is implemented, where it runs, who owns it, and how it can be examined, discussed, or tested.A policy citation describes an intention. Assessors examine, interview, and test — so the SSP has to lead them to something real, not end at a paragraph. Source: NIST SP 800-171A assessment methods; CMMC Assessment Guide – Level 2 v2.13.

The trace you want, for every applicable requirement, is a chain: requirement → assessment objective → implementation narrative → evidence. If any link is missing, that’s where the assessment stalls. A strong narrative answers a handful of questions in plain language — what security outcome is implemented, which system performs it, who operates or reviews it, how it’s configured, how often it happens, what the exception path is, and which artifact backs it up.

The difference between weak and defensible is almost always specificity plus a named artifact. The examples below are illustrative, not required wording.

Weak vs defensible SSP implementation statements
Weak (indefensible)DefensibleEvidence an assessor may want
“MFA is required by policy.”Names the identity service, the access paths it covers, how it’s enforced, the exceptions, and the ownerConfiguration export, a live demonstration, an access test, exception records
“Logs are reviewed regularly.”Names the log sources, the review frequency, the responsible role, the alert path, and retentionSIEM query, review ticket, alert record, interview
“Access is removed promptly.”Names the termination trigger, the teams, the target systems, the completion window, and verificationHR ticket, identity logs, a disabled account, interview
“CUI is encrypted.”Names the FIPS-validated cryptographic module used where cryptography protects the confidentiality of CUI, with the applicable CMVP certificate and configurationCMVP certificate, module/version mapping, configuration evidence

A policy may support the examine method, but many objectives also require other documents, interviews, demonstrations, configuration checks, or tests appropriate to the objective. Two disciplines separate the ready from the not-ready. Keep an evidence index, not an evidence dump — map each requirement and objective to the artifact, the owner, the period it covers, and where it’s stored, and don’t bury sensitive screenshots inside the SSP itself. And watch evidence freshness: a one-time screenshot from last year does not prove a control that’s supposed to run continuously. Recurring controls should produce recurring evidence.

Related: What counts as CMMC assessment evidence — what fails, how it’s scored, and a free 14-family evidence matrix.


Does the SSP describe what’s true today — not what you plan to build?

An SSP becomes indefensible the moment future-state language is presented as current implementation.The plan must describe the system as it exists now and clearly separate what’s implemented from what’s planned, tracked in an operational plan of action, placed on a CMMC assessment POA&M, or covered by a documented enduring exception. “Will implement” is not “implemented,” and an assessor validates against live systems, not intentions. Source: CMMC Assessment Guide – Level 2 v2.13; DoD CMMC FAQ.

Run a future-tense audit. Search your SSP for will, plan to, intend to, in progress, being implemented, to be configured, tool purchased, awaiting deployment, target state. Not every hit is wrong — but each one needs to be classified into exactly one of four buckets.

SSP state classification buckets
ConditionWhat it meansWhere it belongs
ImplementedOperates now and can be evidencedThe SSP implementation narrative
Temporary deficiencyA previously implemented requirement has a feasible known fix or fix in processThe operational plan of action required by CA.L2-3.12.2 — this is not automatically a CMMC assessment POA&M
Operational planInternal fix-it work, separate from any CMMC conditional statusOperational tracking, not the “implemented” column
Enduring exceptionA special circumstance or system for which remediation and full compliance are not feasibleThe SSP, with any other approval or risk documentation your contract or process requires

A CMMC assessment POA&M is a separate mechanism, permitted only for eligible requirements scored NOT MET under 32 CFR 170.21, subject to that section’s eligibility and 180-day closeout limits. Do not use “operational plan of action” and “CMMC assessment POA&M” interchangeably — and remember CA.L2-3.12.4 itself cannot be placed on a CMMC POA&M.

Then run a contradiction scan on a risk-based sample — identity and MFA, account lifecycle, logging, vulnerability management, configuration management, incident response, media, remote access, backup, provider monitoring, physical access. For each, compare four things: what the SSP says, the actual configuration, a recent operating record, and what the owner says in an interview. Where those four agree, that sampled claim is internally consistent. Where they diverge, you’ve found a repair before an assessor does.


How current does my SSP need to be?

The SSP update frequency must be defined, and the current Level 2 guide says the plan should be updated at least annually.But a material boundary, provider, architecture, requirement, or operating change can make an SSP stale sooner — even when the date on the cover is less than a year old. Source: CMMC Assessment Guide – Level 2 v2.13; DoD CMMC FAQ.

Use two triggers, not one. The calendar trigger is at least annually. The event triggeris any material system or scope change — and the Department’s CMMC FAQ warns that a future assessment can evaluate whether changes were managed and performed as your SSP describes, so a quietly outdated SSP creates real exposure.

Events that trigger an SSP review
EventWhy it triggers an SSP review
New or removed CUI flowChanges what’s in scope and how it’s protected
New cloud tenant or offeringNew boundary, new inheritance, new evidence
MSP / MSSP / CSP changeResponsibility split and CRM change
Identity-provider changeAccess-control implementation changes
Network merger or new facilityMay pull unassessed systems into scope
Remote-work model changeAlters the environment of operation
New security tool or major reconfigurationImplementation narratives and evidence change
New specialized or OT assetNew treatment and scoping obligations
New interconnectionNew relationship to document
Change in assessment scopeThe whole boundary story may shift

Keep version control that records the version, effective date, change summary, sections affected, scope impact, and the reviewer and approver. When a change lands, ask: did it alter CUI flow, add or remove an in-scope asset category, change an implementation method, change a provider responsibility, or introduce a system, configuration, or security tool that was never assessed? If yes, the SSP — and possibly your posted result — needs a look before you rely on it.


What does an indefensible SSP actually cost? What the DOJ pursued

Recent cybersecurity False Claims Act settlements did not turn on data breaches. The liability came from the gap between what a company represented and what its documentation could support.A knowingly false or materially unsupported SPRS score can expose a company to False Claims Act liability — where the government must still prove the statutory elements, including falsity, knowledge, and materiality — and the affirmation behind that score is a legally significant representation, not a formality. Source: U.S. Department of Justice press releases; DOJ Civil Cyber-Fraud Initiative.

We read the settlement documents. Two cases matter most, because both are anchored in the government’s own statements, and both turned on the exact failures this page is about.

DOJ False Claims Act settlements: MORSECORP and LOGZONE
ContractorWhat the government saidResolutionThe SSP lesson
MORSECORP Inc. (Mar 2025)MORSE admitted that from Jan 2018 through Jan 2021 it had no consolidated written plan for its covered systems; it submitted a score of 104 in Jan 2021; a third-party consultant reported a score of −142 on July 27, 2022 and that only ~22% of requirements were implemented; and it did not update SPRS until June 15, 2023. The United States contended that payment claims during the period were false or fraudulent because of that conduct.$4.6M plus interest; the relator receives 18.5% of payments received by the United States.A submitted score and the underlying plan, implementation, and evidence must be capable of reconciliation.
LOGZONE Inc. (Jun 2026)The DOJ alleged that LOGZONE submitted a perfect self-assessed score of 110in Oct 2021; that DCMA’s DIBCAC assessment in Feb 2024 produced a score of −170; and that from May 2021 to March 2025 it billed the Navy while knowing it had not fully implemented required NIST SP 800-171 controls. No breach was alleged.$507,144, including $253,572 in restitution (a 2× multiplier on roughly $682,000 in payments). No admission of liability.A perfect self-score with no implementation behind it is a representation the government can — and did — check.

Both agreements resolved allegations. They record admitted facts and the government’s contentions, and are not adjudications of False Claims Act liability. The DOJ’s own LOGZONE release states the claims “are allegations only, and there has been no determination of liability.”

Read those two rows together and the lesson is unmistakable. MORSECORP’s whistleblower was the company’s own head of security. LOGZONE had no whistleblower at all — it was caught by a routine DIBCAC assessment, the same kind of government-led assessment that continues today under DFARS 252.240-7997. Neither case involved a hacker. Both involved a number the documentation couldn’t reproduce. These aren’t outliers, either: in a May 2025 Justice Department settlement, Raytheon and its successor RTX agreed to pay $8.4 million in a matter where storing covered defense information on a system with no NIST SP 800-171 controls and no SSP was central. The direction of enforcement has moved steadily down the supply chain — from primes to a logistics subcontractor most people had never heard of.

The takeaway is not “have a low score.” A low, honest score is not automatically safe — it can document noncompliance, affect award eligibility, and require remediation — but it is far safer than a knowingly false one. The real risk is making a representation your current SSP, scope, and evidence cannot reproduce.

If you’re not certain your posted score would survive a DIBCAC review, start by reconciling your SSP, your SPRS score, and your POA&M. Our SPRS scoring guide walks the reconciliation step by step.


Did the CMMC suspension mean I can stop working on my SSP?

No — not for anything that makes an SSP defensible. The suspension paused the transition to third-party (C3PAO) assessments. It did not touch self-assessments, DFARS 252.204-7012, NIST SP 800-171 Revision 2, government assessments, or False Claims Act exposure. If a contract requires CMMC Level 2 (Self), you still self-assess against the same criteria, post the result in SPRS, and affirm it. Source: U.S. Department of War release, July 13, 2026; 32 CFR 170.16; DFARS 252.240-7997.

Here’s the clean split of what’s paused versus what remains, as of our verification.

What the CMMC suspension paused vs. what remains required
PausedRemains required or available where applicable
The transition to Level 2 (C3PAO) third-party assessmentsLevel 1 (Self) and Level 2 (Self) self-assessments
The transition to Level 3 (DIBCAC) certificationDFARS 252.204-7012 (safeguarding CUI, incident reporting)
Pending and future CMMC implementation milestonesNIST SP 800-171 Revision 2 as the Level 2 baseline
Selected government Medium and High assessments where the applicable clause and requirement authorize them — a High assessment validates implementation against your SSP
Annual affirmation for an applicable CMMC Status; False Claims Act exposure where the statutory elements are met

If anything, the suspension raises the stakes on your SSP, because self-assessment is now doing more of the work — and the self-assessment is only as trustworthy as the plan behind it. The criteria are identical: the same 320 objectives, graded against the same NIST SP 800-171A. “Self” is not a looser bar — it’s the same bar, and you’re the one signing.

One caution worth stating plainly: the Department did not rule out changing the CMMC program further during its review, and formal FAR/DFARS rulemaking is still underway, so clause numbers and timelines can move. But the foundation this page rests on — DFARS 252.204-7012, NIST SP 800-171, and the False Claims Act — is independent of whatever the CMMC program becomes. Those obligations remain in force as of this page’s last-verified date, and they long predate CMMC.


Does my SSP support my SPRS result, CAGE codes, CMMC UID, and annual affirmation?

Your SSP should reconcile to the system, the CAGE codes, the assessment scope, the current evidence, and the result or affirmation you’ve submitted. Level 2 self-assessment results are entered in SPRS under 32 CFR 170.16, annual affirmations are required under 32 CFR 170.22, and the CMMC Unique Identifier flows through the DFARS 252.204-7021 framework and SPRS. When those don’t line up, the representation is the thing left exposed.

The minimum Level 2 self-assessment inputs under 32 CFR 170.16 include the assessment scope and the associated CAGE codes, the overall score, and — where the score is below full implementation — the POA&M status, with the result affirmed after the assessment and annually thereafter. The CMMC UID requirement comes through the applicable 252.204-7021 clause framework and is reflected in SPRS for each contractor information system.

DCR reconciliation test

Do the SSP, the CMMC Assessment Scope, the associated CAGE code or codes, the SPRS self-assessment result, the annual affirmation, and — where DFARS 252.204-7021 applies — the CMMC UID all identify the same contractor information system? If the answer is anything but a clean yes, that’s the gap the government pursued in both settlements above. And retain the evidence: artifacts used as evidence for a Level 2 self-assessment must be kept for six years from the CMMC Status Date under 32 CFR 170.16(c)(4).

See also: CMMC Annual Affirmation guide — who signs, what they’re affirming, and the legal liability attached.


Is an AI-generated or template SSP defensible?

A template or an AI draft can organize the work, but neither is evidence, and neither can know your real boundary, configurations, provider responsibilities, or operating records. It becomes useful only after people who actually know the environment validate every consequential statement against reality. Editorial guidance grounded in CMMC Assessment Guide – Level 2 v2.13.

Used well, AI is a genuinely good editor for an SSP. It can flag vague wording, catch internal contradictions, find future-tense statements, build a question list for your requirement owners, and map your existing narratives to the assessment objectives so you can see what’s missing. That’s real value.

Used badly, it manufactures risk. AI should never invent implementation details, declare a requirement “Met,” assume a provider satisfies your responsibilities, infer your CUI boundary from an incomplete description, or generate evidence. And it should never receive CUI or sensitive system details in a tool that hasn’t been authorized for that information. For every AI-assisted paragraph, the protocol is the same: name the technical owner, verify the system, verify the current configuration, verify the responsibility split, verify the evidence, verify the scope, and approve the final language. The AI drafts. A human who runs the system decides what’s true.

Do not place CUI, network diagrams, credentials, vulnerability details, or contract-sensitive information into an AI tool unless that use has been independently authorized for the information and the environment involved.

Related: CMMC SSP template guide — what a usable starting structure includes and what the assessment guide actually requires.


What do I do if my SSP is not defensible?

Don’t start by rewriting every paragraph.Freeze the current version, confirm the contractual and CUI scope, reconcile assets and providers, repair the eight objectives, connect implementation claims to evidence, rerun the applicable assessment, and review whether any representation you’ve already made needs correcting through the right channel. Editorial framework grounded in the sources cited throughout this page.

The repair sequence, in order:

  1. 1

    Freeze and preserve the current version.

    Keep the version, date, approvals, and the evidence used for prior decisions. You may need to show what you knew and when.

  2. 2

    Confirm the governing contract and information scope.

    Determine which systems and information are actually implicated before you touch the document.

  3. 3

    Rebuild the boundary source of truth.

    Reconcile CUI flow, assets, providers, diagrams, facilities, and users. Get this right first — everything else sits on top of it.

  4. 4

    Repair all eight CA.L2-3.12.4 objectives.

    Don’t just add prose; fix the missing underlying information the objectives ask for.

  5. 5

    Build the implementation-to-evidence trace.

    Map each applicable requirement and objective to current examine, interview, or test support.

  6. 6

    Rerun the applicable assessment and governance review.

    Don’t assume the previous result survives a changed scope or implementation.

  7. 7

    Review representations and corrections.

    Escalate any material discrepancy to the Affirming Official, contracts and compliance leadership, and qualified counsel as appropriate.

And don’t default to “start over.” Match the fix to the failure:

SSP repair approach by failure condition
ConditionRecommended approach
Structure is usable; facts are staleReconcile and update
Boundary is materially wrongRescope before rewriting
Narratives are generic but the environment is implementedConduct technical interviews and rewrite
Requirements aren’t operatingImplementation project first, documentation second
Provider responsibility is unclearCRM and contract reconciliation
A prior result appears unsupportedIndependent assessment and a correction review

Who should fix a weak SSP?

The right kind of help depends entirely on what failed — and the answer is almost never “hire a C3PAO to write it.”Scope and documentation gaps point to a Registered Provider Organization or Registered Practitioner (RPO/RP); operating-control gaps point to an MSP or MSSP; evidence-workflow gaps point to a GRC (governance, risk, and compliance) platform; a boundary that’s too big to manage points to a CUI enclave; and a formal assessment points to a C3PAO — but only when that assessment is contractually required and permitted. This is our editorial provider-fit judgment, built from the verified facts on this page; independence rule from 32 CFR 170.8.

Match the deficiency to the category before you request a single quote.

SSP deficiency to provider category match
What failedCategory that usually fixes itWhat to buyThe deliverable that proves it’s done
Applicability or CUI-scope confusionRPO/RP, or a federal-contracts attorney for the legal callA documented contract/CUI/scoping decisionA written scope determination you can defend
Boundary, diagrams, or SSP narrativeRPO/RP or readiness consultant, with technical participationA reconciled boundary, diagrams, inventory treatment, SSP repairAn SSP that reconciles to the environment
Technical controls not implementedCMMC-focused MSP/MSSPImplemented controls, procedures, artifacts, a transition planWorking controls with operating evidence
Evidence scattered or not repeatableGRC platform + an accountable internal ownerAn objective-to-evidence map and a recurring workflowA maintained body of evidence, not a one-time export
Boundary too broad to manageCUI enclave architect/implementerA scoped architecture, migration, and responsibility modelA smaller, documented in-scope environment
Formal Level 2 assessment (when required)Independent C3PAOThe assessment itselfA completed assessment by an independent team

That last row is a rule, not a preference. Under 32 CFR 170.8, CMMC Ecosystem members are prohibited from participating in a Level 2 certification assessment when they served as a consultant preparing that organization for any CMMC assessment within the preceding three years. Apply the conflict check to the C3PAO entity and the proposed Assessment Team — not only to the brand name on the proposal. When you evaluate a provider, ask directly: which part of this is scope, documentation, implementation, evidence, or assessment prep; who validates the real configuration; which deliverables will we own; and who on your side is disqualified from performing our future assessment?

When you know which category you need, get scoped quotes for the work you actually need — not an open-ended engagement.Tell us your level, scope pattern, primary deficiency, and timeline, and we’ll match you with source-checked provider categories.

Provider matching may generate referral or lead-routing compensation, disclosed at the point of recommendation. Compensation does not control the category result.

Get a source-checked readiness match →

What should I share with a prime, consultant, or assessor?

An SSP can expose your architecture, your providers, and your security assumptions — so don’t treat a request for “proof” as an automatic instruction to email the whole document.Clarify the purpose, the authority behind the request, the minimum information that satisfies it, the recipient, and a secure delivery method. When it’s ambiguous, involve contracts, security, or counsel. DCR operational guidance.

Use a disclosure ladder rather than a reflex.

SSP disclosure ladder by request type
What’s being askedA measured response
Status confirmation from a primeYour current status and date, a high-level scope identifier, and the appropriate UID or score information where authorized
Readiness support from a consultantShare only the information necessary for the defined engagement, through an authorized secure method. A full SSP may be necessary for a complete SSP review — confirm the recipient, purpose, access controls, retention terms, and handling requirements first
Due diligenceRelevant controlled excerpts or redacted diagrams, through an approved process with the right agreements in place
A government or third-party assessmentThe required SSP and evidence, through the agreed secure assessment process

Before you send anything, answer a few questions: who is asking, what contractual or assessment purpose it serves, whether the full SSP is actually necessary or a redacted summary would do, what markings apply, which transfer method is authorized, and who may retain or redistribute it. A prime can legitimately ask about your posture. That doesn’t mean the complete document, with every architectural assumption in it, should land in an unsecured inbox.

Want a repeatable way to handle these requests? Our free, one-page SSP Disclosure Decision Checklistcaptures the requester, purpose, authority, minimum artifact, redaction decision, markings, and secure-transfer method — so your team makes the same defensible call every time.

Download the SSP Disclosure Decision Checklist →

What we actually verified

This page is built on a dated cross-check of current primary sources, not a synthesis of other vendors’ blog posts.Where we state a rule, we read the rule. Where we cite a case, we read the Justice Department’s own statement. Here’s exactly what we confirmed and when.

Verified :

Our method is simple, and we’ll state it out loud: we separate what the regulation requires from what we recommend. Anywhere we describe a verification test rather than a rule, that’s our editorial method for catching contradictions — not an added government requirement. When in doubt, confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney. The contract clause and your CUI handling set your level — a checklist can’t. See our editorial standards, review process, and corrections policy.


Frequently asked questions

Most SSP defensibility questions come down to format, detail, scope, evidence, updates, responsibility, and how the document relates to what you’ve reported. Here are the ones we get most, with the primary source behind each answer.

Can a short SSP be defensible?
Yes. The official Level 2 guide prescribes no format and no page count. What matters is whether the boundary, environment, implementation of each applicable requirement, connections, and update process are documented clearly enough to be verified. A tight, accurate SSP beats a long, generic one every time.(CMMC Assessment Guide – Level 2 v2.13.)
Is there an official required SSP template?
No. You can use your own format or a coordinated set of referenced documents, as long as the eight CA.L2-3.12.4 objectives are satisfied. NIST SP 800-18 Revision 2, finalized in June 2026, provides system-plan structure and example outlines, but it is guidance, not a prescribed CMMC SSP format — and it addresses a different subject than NIST SP 800-171 Revision 2.(CMMC Assessment Guide – Level 2 v2.13; NIST SP 800-18 Rev 2.)
Does every asset have to be listed inside the SSP?
No. Assets must be inventoried, categorized into the five Level 2 categories, shown in your scope documentation and diagrams, and their treatment documented — but the Scoping Guide is explicit that each individual asset does not need to be embedded in the SSP itself.(CMMC Level 2 Scoping Guide v2.13.)
Does the SSP need to address all 110 Level 2 requirements?
It must describe how the applicable requirements are implemented, directly or through clear incorporated references. Don’t assume that copying all 110 requirement statements creates adequate narratives — CMMC Level 2 has 320 assessment objectives across 14 families, and the strongest SSPs speak to that objective level.(NIST SP 800-171A; CMMC Assessment Guide – Level 2 v2.13.)
Is a policy enough evidence?
Usually not on its own. A policy may support the examine method, but many objectives also require interviews, tests, configurations, tickets, logs, or records appropriate to the objective. Assessors examine, interview, and test.(NIST SP 800-171A.)
How often must the SSP be updated?
The update frequency must be defined, and the current Level 2 guide says at least annually. A material change — new CUI flow, new cloud tenant, a provider swap, a scope change, a new security tool — should trigger a review sooner. A document updated six months ago can still be stale if the system changed last week.(CMMC Assessment Guide – Level 2 v2.13.)
How long must Level 2 self-assessment evidence be retained?
Artifacts used as evidence for a Level 2 self-assessment must be retained by your organization for six years from the CMMC Status Date.(32 CFR 170.16(c)(4).)
Does this Level 2 SSP test apply to CMMC Level 1?
CA.L2-3.12.4 is a Level 2 requirement. Level 1 covers Federal Contract Information and maps to the 15 basic safeguarding requirements incorporated through the applicable FAR clause in your solicitation or contract. Note the transition wrinkle: the July 2026 CMMC suspension procedures still reference FAR 52.204-21, while the February 2026 FAR Part 40 deviation directs contracting officers to revised Part 40 text (FAR 52.240-93) for covered actions — so verify the actual clause in your solicitation or contract.(32 CFR 170.15; FAR 52.204-21 / 52.240-93.)
Can an MSP write our SSP?
An MSP or readiness provider can absolutely help draft it, and for the portion of the environment they operate, they may maintain that documentation. But your organization is responsible for ensuring the SSP describes your real system and your real responsibilities. Outsourcing the writing does not outsource the truth of the statements or your continuing obligations.
Can the same C3PAO fix our SSP and then assess it?
No. Under 32 CFR 170.8, CMMC Ecosystem members are prohibited from participating in a Level 2 certification assessment when they served as a consultant preparing that organization for any CMMC assessment within the preceding three years. Keep remediation and formal assessment in separate hands, and apply the check to the entity and the proposed Assessment Team — not just the brand.(32 CFR 170.8.)
What if our cloud tenant or network changed?
Review whether the change altered CUI flow, scope, an implementation method, or a provider responsibility, or introduced systems, configurations, or security tools that were never assessed. The Department’s CMMC FAQ warns that future assessments can evaluate whether changes were managed and performed as your SSP describes — so a quietly outdated SSP creates real exposure.(DoD CMMC FAQ.)
Does the Phase II suspension mean SSP work can wait?
No. Phase I self-assessments remain, DFARS 252.204-7012 stays in effect, Level 2 still uses NIST SP 800-171 Revision 2, and government assessments can still examine implementation against your SSP. The suspension removed the scheduled Phase II transition. It did not make an unsupported SSP or an inaccurate representation safe.(U.S. Department of War release, July 13, 2026.)

The bottom line

Your SSP is not defensible because it’s long, polished, or generated from a respected template. It’s defensible only when the document, the CUI boundary, the provider responsibilities, the implementation evidence, the current system, and the representations you’ve already made all tell the same, supportable story. Run the check. Fix the hard stops first. Then decide, honestly, whether you can repair this internally or need to bring in the right category of help.

Need help deciding what type of CMMC provider you need?Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.

Do not submit CUI, drawings, or sensitive contract details through any form.

Find My CMMC Path →

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. This page is educational research, not legal, contractual, assessment, or compliance advice; confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney. The contract clause and your CUI handling set your level, not a checklist.

Editorial research — not formally reviewed by a CMMC Subject Matter Advisor. Verify scope and applicability with a Registered Practitioner before acting.