If you've ever stared at a blank SSP template and wondered where to start — or worse, submitted one and found out mid-assessment it wasn't what the assessor expected — you're not alone. In a recent webinar, 112Cyber and ASCERA brought together two Certified CMMC Assessors to cut through the confusion and share what actually makes an SSP work.

Here's what they covered.

The SSP Isn't Just a Compliance Checkbox

Jordon opened by reframing how to think about the SSP entirely.

"You might think of it as just another compliance document, but assessors view it differently. It becomes the roadmap for the entire assessment."

Before a single control gets validated or an interview gets scheduled, assessors use the SSP to understand your environment. A strong one signals that you know your systems and have thought through how requirements are implemented. A weak one — vague boundaries, generic narratives, outdated diagrams — immediately raises questions. And once questions start, the microscope comes out.

The practical test Jordon offered: if a new IT administrator joined tomorrow, could they use your SSP to understand the environment and how it's secured? If not, the document isn't doing its job.

Start with Data, Not Infrastructure

When it comes to defining your system boundary, Nick's advice was direct: start with the data, not the devices.

Your boundary should be built around where CUI is processed, stored, and transmitted. Map how it comes in — contracts, email, SFTP, even a USB drive walked across the street — and follow it from there. Once you understand the data flows, scoping the assets becomes significantly more straightforward.

Why does this matter? Because scope drives cost and assessment complexity, and scope creep is easy. If CUI is flowing somewhere you haven't accounted for, that area is in scope whether you documented it or not. Getting this right in the SSP upfront saves significant pain later.

The Three Diagrams (and What Each One Has to Answer)

Nick also walked through the three diagrams that should accompany every SSP:

Authorization Boundary Diagram

What's in scope and why? This is the foundational diagram for CMMC. Everything within the boundary gets assessed.

Network Diagram

How are systems connected and protected? It doesn't need rack-level detail. Assessors just need enough to understand the environment's architecture and where components live.

Data Flow Diagram

How does CUI enter, move through, and exit the environment? This one and the authorization boundary diagram are often combined, and both are genuinely required under CMMC.

The goal isn't to impress anyone with diagram complexity. It's to make it easy for an assessor to follow the story of your environment without having to ask.

Writing Control Narratives That Hold Up

This is where a lot of organizations fall short. Generic or copied control narratives — the kind that could apply to any company — are one of the most common problems assessors encounter, and one of the most avoidable.

A strong implementation statement answers four things:

  • Who is responsible for this control
  • How it's implemented in your specific environment
  • Where the supporting evidence lives
  • How often it's reviewed or audited

Jordon's formula: [This system] performs [this function] using [these methods], managed by [these people], validated through [this evidence], and reviewed on [this schedule].

Each control also has specific objectives that need to be addressed. Don't write one general paragraph and assume it covers everything — go through the objectives and make sure each one is answered.

Maintaining Audit Readiness Year-Round

Building an SSP is the easier part. Keeping it accurate over time is where most organizations struggle.

"The assessment isn't evaluating how accurate your SSP was when it was written. It's evaluating whether the SSP accurately reflects the environment today." — Jordon Darling, Certified CMMC Assessor

Users get added. Systems get upgraded. Cloud services change. Diagrams go stale. If the only time you open the SSP is a few weeks before the assessment, it's likely drifted from reality — and assessors will notice.

The organizations that have the smoothest assessments treat the SSP as an operational document, not a compliance artifact. They have a process for evaluating whether changes to the environment require updates to documentation, diagrams, and control statements. When assessment time arrives, it's a validation exercise, not a scramble.

How ASCERA Helps

ASCERA was built specifically to address the maintenance problem. Rather than managing an SSP as a static Word document, ASCERA keeps it as a live record — implementation statements, evidence references, asset inventory, and diagrams all maintained in one place.

When you need to generate the SSP for a phase one submission or an internal audit, you export it. It reflects whatever's current, with evidence already linked to the relevant controls. No manual reconciliation, no version confusion.

With ASCERA, you can:

  • Keep your SSP as a live, continuously updated record rather than a document you scramble to revise before an assessment
  • Link controls directly to evidence — screenshots, configurations, and logs — so assessors can verify implementation, not just read about it
  • Generate a complete Body of Evidence as a single export, with evidence already mapped to the correct controls
  • Monitor compliance in real time, with alerts when remediation deadlines are approaching or controls fall out of alignment
  • Reduce time spent on CMMC program management activities by up to 50%

The Bottom Line

An audit-ready SSP isn't a document you write once and file away. It's an accurate, current description of how your environment operates and how it's protected. Assessors aren't looking for perfection — they're looking for accuracy and evidence that you understand your own environment.

Get the boundary right. Make the diagrams clear. Write control narratives that are specific to your organization. And maintain it throughout the year.

Questions about building your SSP or preparing for a CMMC assessment?