The Free CMMC Level 1 SSP Template (Fill-in-the-Blank) — 2026

A free, fill-in-the-blank System Security Plan template for CMMC Level 1. Covers all 15 FAR 52.204-21 safeguarding requirements. Built by engineers, used by hundreds of small defense contractors.

By David Fuentes · Compliance Officer, Custodia · May 13, 2026 · 7 min read

Every CMMC Level 1 contractor needs a System Security Plan. Not because the rule literally says so, but because every prime, every government program office, and every assessor will ask for one. The SSP is your single source of truth: how your company implements each of the 15 FAR 52.204-21 safeguarding requirements, who is responsible, and where the evidence lives.

What an SSP actually is

An SSP is a short document — for Level 1, typically 3 to 6 pages — that describes how your company implements each control. It is not a policy document. Policies describe what your company requires. The SSP describes what your company does in operational terms.

  • A policy says: “All users must authenticate with MFA.”
  • An SSP says: “MFA is enforced on M365 via Conditional Access. The IT admin reviews exception requests monthly. Evidence: the Conditional Access policy export saved in /compliance/2026/.”

The required structure

The Custodia template includes:

  1. Cover page — company name, CAGE/UEI, system owner, affirming official, version, dates.
  2. System description — what the system does, who uses it, what FCI it handles. Two paragraphs.
  3. Boundary & scope summary — references your scoping worksheet.
  4. Control-by-control implementation — one section per requirement. Prompt: How does your organization implement this? Who is responsible? Where is the evidence?
  5. Attestation block — signature, title, date.

How to fill it out (in 60 minutes)

  1. Block 60 uninterrupted minutes. Have your scoping worksheet and policy pack open.
  2. Fill the cover page first. Three minutes.
  3. For each of the 15 controls, write 2–4 sentences answering: what we do, who's responsible, where the evidence lives.
  4. Reference your policies and inventory. Don't repeat them — cite the document and the file path.
  5. Sign and date. Save the PDF in a folder you can find under pressure.

Common mistakes

  • Writing aspirational descriptions. The SSP describes what you actually do, not what you wish you did.
  • Pasting policy language verbatim. Auditors recognize this immediately. It signals the SSP isn't operational.
  • Forgetting evidence pointers. Every control implementation should say where the proof lives.
  • Skipping the annual review. A 2-year-old SSP is treated as stale.

Get the free template

The Custodia SSP template is here, free, printable, no email gate: Open the SSP template →

Or follow the full DIY path: The Free DIY CMMC Level 1 Handbook.

FAQ

Is an SSP required for CMMC Level 1?

Yes. While the FAR clause itself doesn't use the word 'SSP,' 32 CFR Part 170 and DoD assessment guidance treat the SSP as the canonical evidence artifact for Level 1. Primes routinely request it as part of subcontract flow-down. Practically: if you don't have an SSP and a prime asks, you fail their gate.

How long does the SSP need to be?

For Level 1, 3–6 pages is normal. Two to four sentences per control, plus a cover page describing your scope. Longer is not better — auditors and primes want to find the answer to 'how do you implement AC.L1-3.1.1?' in 30 seconds.

Who signs the SSP?

The affirming official — the same person who will sign your SPRS attestation. This is the owner, CEO, or formally delegated CIO. Not an external consultant, not your MSP, not a junior staffer.

Does it need to be updated?

Yes — at minimum once a year before your annual affirmation, and whenever scope changes materially (new in-scope cloud app, new office, new joiner with FCI access).
