System Security Plan
Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
What an assessor scores, the objectives
CA.L2-3.12.4 is met only when every one of these 8 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.
- a.a system security plan is developed
- b.the system boundary is described and documented in the system security plan
- c.the system environment of operation is described and documented in the system security plan
- d.the security requirements identified and approved by the designated authority as non-applicable are identified
- e.the method of security requirement implementation is described and documented in the system security plan
- f.the relationship with or connection to other systems is described and documented in the system security plan
- g.the frequency to update the system security plan is defined
- h.system security plan is updated with the defined frequency
How a C3PAO checks it
NIST SP 800-171A defines three assessment methods. For CA.L2-3.12.4, an assessor uses these:
Security planning policy; procedures addressing system security plan development and implementation; procedures addressing system security plan reviews and updates; enterprise architecture documentation; system security plan; records of system security plan reviews and updates; other relevant documents or records
Personnel with security planning and system security plan implementation responsibilities; personnel with information security responsibilities
Organizational processes for system security plan development, review, update, and approval; mechanisms supporting the system security plan
What it means, in context
System security plans relate security requirements to a set of security controls. System security plans also describe, at a high level, how the security controls meet those security requirements, but do not provide detailed, technical descriptions of the design or implementation of the controls. System security plans contain sufficient information to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk if the plan is implemented as intended. Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether it is advisable to pursue an agreement or contract with the nonfederal organization. NIST SP 800-18 provides guidance on developing security plans.
A system security plan (SSP) is a document that outlines how an organization implements its security requirements. OSAs must have an SSP in place at the time of assessment to describe each information system within the CMMC Assessment Scope. The absence of an up-to-date SSP at the time of the assessment would result in a finding that an assessment could not be completed due to incomplete i nformation and noncompliance with DFARS clause 252.204-7012. OSAs are free to choose the format of their SSP. At a minimum, an SSP must include: • Description of the CMMC Assessment Scope; • CMMC Assessment Scope D escription: high -level description of the assets within the assessment scope 186; • Description of the Environment of Operation: physical surroundings in which an information system processes, stores, and transmits information; • Identified and Approved Security Requirements: requirements levied on an information system that are derived from applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, procedures, or organizational mission/business case needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted; 186 There is no requirement to embed every asset in the SSP. . • Implementation Method for S ecurity Requirements: description of how the identified and approved security requirements are implemented with the system or environment; • Connections and R elationships to Other Systems and N etworks: description of related, dependent, and interconnected systems; and • Defined Frequency of Updates: at least annually. In addition to the requirements above, an SSP often includes: • general information system description: technical and functional description; • design philosophies: defense-in-depth strategies and allowed interfaces and network protocols; and • roles and responsibilities: description of the roles and responsibilities for key personnel, which may include the system owner, system custodian, authorizing officials, and other stakeholders This requirement, CA.L2-3.12.4, which requires developing, documenting, and updating system security plans, promotes effective information security within organizational systems required by SC.L2 -3.13.2, as well as other system and communications protection requirements. Example You are in charge of system security. You develop an SSP and have senior leadership formally approve the document [a]. The SSP explains how your organization handles CUI and defines how that data is stored, transmitted, and protected [d,e]. The criteria outlined in the SSP is used to guide configuration of the network and other information resources to meet your company’s goals. Knowing that it is important to keep the SSP current, you establish a policy that requires a formal review and update of the SSP each year [g,h]. Potential Assessment Considerations • Do mechanisms exist to develop and periodically update an SSP [a,g]? • Are s ecurity requirements identified and approved by the designated authority as non-applicable documented [d]?
What passing evidence looks like
The System Security Plan itself, current and complete: boundary, environment, how each requirement is implemented, and the relationships between systems. Without it the assessment cannot happen at all.
Common ways contractors fail CA.L2-3.12.4
- !This is the one requirement with no point value because a missing SSP stops the whole assessment. The platform assembles yours from the journey: finish steps 1 through 4 and the Audit Room renders it. Keep it versioned; assessors ask what changed since the last revision.
The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.
Prove CA.L2-3.12.4, and the other 109
The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.
No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.
CA.L2-3.12.4 questions, answered
How many points is CMMC requirement CA.L2-3.12.4 worth?+
CA.L2-3.12.4 is scored as part of the CMMC Level 2 assessment out of 110 under 32 CFR 170.24.
Can CA.L2-3.12.4 be placed on a POA&M?+
No. CA.L2-3.12.4 must be fully met before you can file. It cannot be deferred to a POA&M, so it is a gate on your assessment.
What family does CA.L2-3.12.4 belong to?+
CA.L2-3.12.4 is in the Security Assessment (CA) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.
- NIST SP 800-171 Rev. 2 3.12.4