You know what CUI is. You have categorized your assets. You understand the certification ecosystem. Now it is time to build the administrative foundation that everything else rests on.
Before a single technical control is assessed, before a C3PAO walks in the door, assessors will ask for four things: your System Security Plan, your Plan of Action and Milestones, your SPRS score, and evidence of your Annual Affirmation. These are not outputs of compliance — they are the framework within which compliance is demonstrated. Organizations that treat them as afterthoughts fail assessments that their technical implementations would otherwise pass.
This nugget covers each of the four foundational compliance documents and obligations: what they are, what they must contain, and what assessors specifically look for.
1. The System Security Plan (SSP)
The System Security Plan is the foundational document of your entire CMMC compliance program. It describes your organization, your assessment boundary, your information systems, and, most critically, how each NIST SP 800-171 control is implemented in your environment. It is a required document under CA.L2-3.12.4 and DFARS 252.204-7012.
Every CMMC Level 2 assessment begins with the SSP. Assessors use it to understand your environment before they evaluate a single control. A weak or incomplete SSP does not just create a documentation finding; it undermines the credibility of everything else you have implemented.
What Your SSP Must Include
A compliant SSP is not a template you fill in once and file away. It is a living document that must accurately reflect your environment at the time of assessment. At minimum it must address:
- System description: What your organization does, the nature of the CUI you handle, and the systems that support CUI processing, storage, and transmission
- Assessment boundary: A precise description of what is in scope and what is out of scope, supported by network diagrams showing system interconnections and data flows
- Asset inventory: All hardware, software, and cloud services within the assessment scope, categorized using the five asset categories (CUI Assets, SPAs, CRMAs, Specialized Assets, Out-of-Scope)
- Control implementation statements: For each of the 110 controls — a clear statement of how that control is implemented, who is responsible, and what evidence exists of implementation. “Implemented,” “Partially Implemented,” “Planned,” and “Not Applicable” are the four possible designations
- Interconnections and dependencies: External systems, cloud service providers, and managed service providers that connect to or support your CUI environment
- Responsible parties: Named roles and individuals accountable for each control domain
Assessor Reality Check
Assessors compare your SSP to your actual environment. The most common SSP failure is not missing content; it is inaccurate content. An SSP that describes controls as “Implemented” when they are not, or that describes a network boundary that does not match the actual network, is a direct finding.
Keep your SSP current as a living document. Any significant change to your environment, such as new systems, new vendors, network changes, or personnel changes in key roles, should trigger an SSP update, not just a mental note.
2. The Plan of Action and Milestones (POA&M)
A Plan of Action and Milestones is a formal document that tracks every security deficiency in your environment, such as controls that are not yet implemented or are only partially implemented, along with a documented plan to remediate each one. It is required under CA.L2-3.12.2 and is one of the most scrutinized artifacts during a CMMC assessment.
Think of the POA&M as the honest accounting of your gaps. Every organization has them. The POA&M is how you demonstrate that you know what they are and have a credible plan to fix them.
What Your POA&M Must Include
For each open deficiency, your POA&M must document:
- The specific control that is not fully implemented, referenced by its CMMC control identifier
- A description of the weakness: what is missing or not functioning as required
- Remediation tasks: the specific steps required to close the gap
- Responsible party: the named individual or team accountable for remediation
- Resources required: budget, personnel, or tools needed to complete remediation
- Scheduled completion date: a realistic, committed target date
- Milestones: intermediate checkpoints for longer remediation efforts
POA&M and CMMC Status: Final vs. Conditional
Under the CMMC program, your certification status can be either Final or Conditional:
- A CMMC status of Final means all 110 controls are fully implemented at the time of the assessment
- A Conditional status means some controls are not yet adequately implemented but are captured in a valid POA&M. Conditional status is subject to the following restrictions:
  - You must score at least 80% (a minimum of 88 of 110 points)
  - POA&M items are limited to 1-point requirements, and not every 1-point requirement is POA&M-eligible
  - No 3-point or 5-point control may be placed on the POA&M, with one narrow exception
  - Exception: SC.L2-3.13.11 (CUI Encryption) may be placed on a POA&M when encryption is employed but the module is not FIPS-validated; that case is scored as a 3-point deduction instead of 5. If no encryption is in place at all, the control cannot go on a POA&M
- Conditional status is valid for 180 days. Within that window you must close every POA&M item and have the closeout verified through a POA&M closeout assessment to achieve Final status; otherwise your Conditional status lapses.
Assessor Reality Check
Assessors look for three things in a POA&M:
- Is it complete? All known gaps are captured
- Is it credible? Remediation timelines are realistic, not aspirational
- Is it active? It is being worked, not sitting in a drawer
A POA&M with completion dates that have already passed and no evidence of progress is a significant finding.
3. The SPRS Score
The Supplier Performance Risk System (SPRS) is the DoD’s official database for tracking contractor cybersecurity compliance. Under DFARS 252.204-7019, all contractors subject to DFARS 252.204-7012 must conduct a self-assessment against all 110 NIST SP 800-171 controls and submit their score to SPRS. This is not optional! A current SPRS score is often a condition of contract award.
How the Score Works
Your SPRS score reflects your implementation status against all 110 controls using the DoD Assessment Methodology:
- Maximum score: 110 (all controls fully implemented)
- Minimum score: -203 (worst possible score, reflecting maximum weighted deficiencies)
- Each control carries a weight of 5, 3, or 1 points based on its assessed risk. A control that is not implemented deducts its full weight from 110; the only partial-credit cases are the ones the methodology defines, such as SC.L2-3.13.11 with non-FIPS-validated encryption (3 points instead of 5)
- Self-assessed scores across the DIB sit well below 110 on average, and negative scores are not unusual
Submitting Your Score
To submit your SPRS score:
- Conduct a self-assessment against all 110 NIST SP 800-171 Rev 2 controls using the DoD Assessment Methodology
- Calculate your score based on implementation status of each control
- Submit your score via the PIEE portal at piee.eb.mil
- Your score must be accompanied by the Affirming Official’s affirmation (covered below)
- Scores must be current, not more than three years old, and must be updated whenever significant changes to your environment affect compliance status
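The arithmetic in the two sections above (weighted deductions from 110, the SC.L2-3.13.11 partial-credit case, the 88-point floor and the 1-point-only rule for a Conditional POA&M) is easy to get wrong when the gap list is long. The following is an added example, not code from the original article or from any DoD tool: a small calculator that takes a list of deficiencies, returns the resulting SPRS score, and reports which gaps would block Conditional status. The control weights in the sample inventory and the non-deferrable set are constructed for illustration; take the real weights from the DoD Assessment Methodology and the list of 1-point requirements that may not be deferred from 32 CFR 170.21.

```python
"""SPRS score and Conditional CMMC status check.

Added example, not code from the original article. It implements only the
rules the article states: a 110-point maximum, a deduction of 5, 3 or 1 points
per unmet control, the SC.L2-3.13.11 partial-credit case (3 points instead of
5 when encryption exists but is not FIPS-validated), a floor of 88/110 for
Conditional status, and a POA&M limited to eligible 1-point requirements plus
the 3.13.11 partial case. Sample weights and the non-deferrable set below are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

MAX_SCORE = 110
CONDITIONAL_MIN_SCORE = 88           # 80% of 110, rounded up
ENCRYPTION_CONTROL = "SC.L2-3.13.11"
ENCRYPTION_PARTIAL_DEDUCTION = 3     # deducted instead of 5 when encryption is non-FIPS
VALID_WEIGHTS = (1, 3, 5)


@dataclass(frozen=True)
class Deficiency:
    """One control that is not fully implemented."""
    control: str            # CMMC identifier, e.g. "AC.L2-3.1.1"
    weight: int             # 5, 3 or 1 per the DoD Assessment Methodology
    partial: bool = False   # SC.L2-3.13.11 only: encryption in place, not FIPS-validated


@dataclass(frozen=True)
class StatusResult:
    score: int
    eligible: bool          # may the organization receive Conditional status?
    blockers: List[str]     # controls (or the score) that rule Conditional status out


def deduction(d: Deficiency) -> int:
    """Points removed from 110 for one unmet control."""
    if d.weight not in VALID_WEIGHTS:
        raise ValueError(f"{d.control}: weight must be one of {VALID_WEIGHTS}")
    if d.control == ENCRYPTION_CONTROL and d.partial:
        return ENCRYPTION_PARTIAL_DEDUCTION
    return d.weight


def sprs_score(deficiencies: Iterable[Deficiency]) -> int:
    """Self-assessment score: 110 minus the weighted deductions."""
    return MAX_SCORE - sum(deduction(d) for d in deficiencies)


def poam_eligible(d: Deficiency, non_deferrable: FrozenSet[str]) -> bool:
    """May this gap sit on a POA&M under Conditional status?"""
    if d.control == ENCRYPTION_CONTROL:
        return d.partial                  # no encryption at all: must be fixed first
    return d.weight == 1 and d.control not in non_deferrable


def conditional_status(deficiencies: Iterable[Deficiency],
                       non_deferrable: FrozenSet[str] = frozenset()) -> StatusResult:
    """Score the gap list and decide whether Conditional status is possible."""
    gaps = list(deficiencies)
    score = sprs_score(gaps)
    blockers = [d.control for d in gaps if not poam_eligible(d, non_deferrable)]
    if score < CONDITIONAL_MIN_SCORE:
        blockers.append(f"score {score} below {CONDITIONAL_MIN_SCORE}")
    return StatusResult(score=score, eligible=not blockers, blockers=blockers)


# Constructed sample data. The non-deferrable entry is assumed for the example;
# populate the real set from 32 CFR 170.21.
NON_DEFERRABLE = frozenset({"PE.L2-3.10.3"})
SAMPLE_GAPS = [
    Deficiency("SC.L2-3.13.11", 5, partial=True),  # AES in use, module not FIPS-validated
    Deficiency("AT.L2-3.2.3", 1),                  # assumed 1-point control, POA&M-eligible
    Deficiency("PE.L2-3.10.3", 1),                 # 1-point but not deferrable in this example
]

if __name__ == "__main__":
    result = conditional_status(SAMPLE_GAPS, NON_DEFERRABLE)
    print(f"SPRS score: {result.score}")
    print("Conditional status possible" if result.eligible
          else f"Fix before assessment: {', '.join(result.blockers)}")
```

Running the sample yields a score of 105, which clears the 88-point floor, yet Conditional status is still ruled out because one 1-point gap is on the non-deferrable list. Removing that gap from the list leaves the score at 106 with an empty blocker list; changing the encryption entry to `partial=False` (no encryption at all) makes it a 5-point deduction and a blocker in its own right, which is exactly the distinction the exception in the POA&M section draws.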
What “Current” Means
Under the final DFARS rule, a CMMC status is “current” only if there have been no changes that would affect compliance. If your environment changes materially:
- New systems added to scope
- Controls that were implemented are no longer functioning
- Personnel changes affecting key controls
Your score should be updated to reflect the actual state, not the state at the time of your last submission.
Assessor Reality Check
Contracting officers verify your SPRS score before contract award. Prime contractors are increasingly verifying their subcontractors’ SPRS scores as a condition of subcontracting. An absent or outdated SPRS score can disqualify you from award, regardless of your actual security posture. Submit your score, keep it current, and ensure it matches your SSP and POA&M.
4. The Annual Affirmation
Under 32 CFR § 170.22, a senior executive (designated as the Affirming Official) must submit a formal affirmation in SPRS attesting that the organization has implemented and will maintain implementation of all applicable CMMC security requirements. This is not a checkbox exercise but rather a legally significant attestation.
Who Is the Affirming Official?
The Affirming Official is defined as the senior level representative from within the organization who is responsible for ensuring CMMC compliance and has the authority to affirm continuing compliance. This is typically a C-suite executive such as the CEO, COO, or equivalent. The designation is not delegable to IT staff or compliance personnel; it must be someone with organizational authority and accountability.
The Affirming Official needs a PIEE account with the SPRS Cyber Vendor User role to complete the affirmation process.
When Affirmation Is Required
Affirmation is required at the following points:
- Upon achieving Conditional CMMC Status: immediately after assessment if any POA&M items remain open
- Upon achieving Final CMMC Status: at completion of assessment or POA&M closeout
- Annually thereafter: on the anniversary of Final CMMC Status, every year the certification is maintained
What the Affirming Official Is Attesting To
The affirmation statement attests that the organization:
“Has implemented and will maintain implementation of all applicable CMMC security requirements for all information systems within the relevant CMMC Assessment Scope.”
This is not a statement that you are working toward compliance; it is a statement that you are compliant now. Submitting an affirmation when controls are not actually implemented is a materially false statement that creates False Claims Act exposure. The Department of Justice has made cybersecurity fraud enforcement a priority: seven cases were settled in 2025 alone, including actions against subcontractors.
Assessor Reality Check
The annual affirmation is one of the most underappreciated obligations in the entire CMMC framework. Many organizations achieve certification, file their initial affirmation, and then fail to calendar the annual renewal. A lapsed affirmation means your CMMC status is no longer current, which can affect contract eligibility even if your technical controls are fully in place. Put the annual affirmation date on the calendar the day you achieve certification and treat it as a hard deadline.
How the Four Elements Work Together
These four elements are not independent. They form an integrated compliance system:
- Your SSP describes how controls are implemented
- Your POA&M tracks what is not yet implemented and the plan to fix it
- Your SPRS score quantifies your current implementation status based on the SSP and POA&M
- Your Annual Affirmation certifies to the DoD that the picture painted by all three is accurate and maintained
| Document / Obligation | Required By | Who Owns It | How Often Updated |
|---|---|---|---|
| System Security Plan (SSP) | CA.L2-3.12.4, DFARS 252.204-7012 | IT / Compliance | Continuously update with environment changes |
| Plan of Action & Milestones (POA&M) | CA.L2-3.12.2 | IT / Compliance | Continuously update as gaps are opened and closed |
| SPRS Score | DFARS 252.204-7019 | IT / Compliance | At least every 3 years; update after significant changes |
| Annual Affirmation | 32 CFR § 170.22 | Affirming Official (C-suite) | At assessment completion and annually thereafter |
Common Failures Across All Four Elements
| Mistake | Why It Fails |
|---|---|
| SSP describes controls as implemented that are not | Creates False Claims Act exposure; direct assessment finding |
| SSP not updated after environment changes | Assessors compare SSP to actual environment, discrepancies are findings |
| POA&M has passed due dates with no evidence of progress | Assessors treat stale POA&Ms as evidence of non-functioning compliance program |
| SPRS score not submitted or more than three years old | Can disqualify organization from contract award regardless of actual posture |
| Annual affirmation lapses after certification | CMMC status becomes not current, affects contract eligibility |
| Affirming Official is an IT staff member, not a senior executive | Violates 32 CFR § 170.22 definition, affirmation may be invalid |
| POA&M defers controls that are not eligible for deferral | 3-point and 5-point controls (other than the SC.L2-3.13.11 non-FIPS case) and certain 1-point controls must be fully implemented before assessment |
As a C3PAO, we can perform assessments, gap analyses, and readiness reviews to help your organization develop its SSP, establish its POA&M process, prepare for SPRS submission, and build a defensible compliance foundation.