The CMMC Level 1 System Security Plan template.
A fill-in-the-blank SSP for the 15 safeguarding requirements in FAR 52.204-21. Hand-write or type into the blanks; print or save as PDF when you're done.
- 17 controls covered
- ~60 min to complete
- 1 living document
How to use this SSP
1. Fill in the cover page: company, system name (often “Corporate IT”), system owner.
2. For each of the 17 controls, write 2–4 sentences answering the prompt. Plain English beats jargon every time.
3. Sign the attestation. Date it. Save the file (PDF or Word). Schedule a calendar reminder to review annually.
4. Keep this with your evidence folder. When a prime asks “do you have an SSP?” the answer is now yes.
For Level 1 self-assessment, an SSP is recommended but not strictly required by the FAR clause. It is required when a prime or DCMA asks for proof, and it is the single document that makes every other CMMC step easier later.
System identification
In 3–5 sentences: what the system is, what people use it for, whether it touches federal contract information (FCI).
List the people, devices, networks, and cloud apps that are in scope. Anything not listed is out of scope.
Access Control
Limit access to authorized users
AC.L1-3.1.1 Prompt: Describe how user accounts are created, who approves them, and where the list of active users is maintained.
Limit access to authorized functions
AC.L1-3.1.2 Prompt: Describe how role-based or permission-based access is granted (who has admin, who has standard, who reviews this).
Control external system connections
AC.L1-3.1.20 Prompt: List the third-party services (cloud apps, VPNs, vendor portals) approved for federal contract work and who approves new ones.
Control public posting of information
AC.L1-3.1.22 Prompt: Describe the review/approval process before federal contract information is posted publicly (site, social, conferences).
Identification & Authentication
Identify users and devices
IA.L1-3.5.1 Prompt: Describe how each user gets a unique account, and how company devices are inventoried.
Authenticate users and devices
IA.L1-3.5.2 Prompt: Describe your password policy and where multi-factor authentication is enforced (email, cloud apps, remote access).
Media Protection
Sanitize media before disposal
MP.L1-3.8.3 Prompt: Describe how laptops, drives, phones, and paper are wiped or destroyed before disposal, and where the disposal log lives.
Physical Protection
Limit physical access
PE.L1-3.10.1 Prompt: Describe the physical work area, how it is secured (locks, badges, alarm), and who has access.
Escort visitors
PE.L1-3.10.3 Prompt: Describe the visitor escort policy and who is responsible for visitors on-site.
Maintain audit logs of physical access
PE.L1-3.10.4 Prompt: Describe how visitors are logged (clipboard, badge system, receptionist log) and how long records are kept.
Control physical access devices
PE.L1-3.10.5 Prompt: Describe how keys, badges, fobs, and alarm codes are issued, tracked, and collected when staff leave.
System & Communications Protection
Monitor and control the network boundary
SC.L1-3.13.1 Prompt: Describe the firewall (where it is, who manages it) and how inbound/outbound traffic is controlled.
Separate public-facing systems
SC.L1-3.13.5 Prompt: Describe how guest Wi-Fi and public-facing systems are separated from the internal work network.
System & Information Integrity
Fix flaws in a timely manner
SI.L1-3.14.1 Prompt: Describe how OS and application updates are installed, who is responsible, and the target patch window.
Use malicious code protection
SI.L1-3.14.2 Prompt: List the antivirus / endpoint protection product on every device and who confirms it is enabled.
Update malicious code protection
SI.L1-3.14.4 Prompt: Describe how antivirus signatures and firewall threat lists are kept current (automatic / manual).
Run periodic scans
SI.L1-3.14.5 Prompt: Describe the scheduled scan frequency and confirm that real-time protection is enabled.
Signature & affirmation
I affirm that the information in this System Security Plan is true and accurate to the best of my knowledge, that the implementations described reflect the actual practices of the organization, and that I am authorized to attest on behalf of the company.
