
SSP and POA&M: the two documents your assessor asks for first

June 27, 2026

When an assessor sits down with you, two documents set the tone for everything that follows: your SSP and your POA&M. Get these right and the assessment goes smoothly. Get them wrong and nothing else matters.

The SSP — your System Security Plan

The SSP is the master document that describes how your system meets each of the 110 security requirements in NIST SP 800-171 (Rev 2, the revision CMMC Level 2 assesses against). Think of it as the blueprint of your security program. A solid SSP covers:

  • The system boundary — what’s in scope: the systems, networks, people, and cloud services that store, process, or transmit CUI.
  • How each control is implemented: for every requirement, a clear statement of what you do, how, and where (which system, tool, or process does it). Remember the 110 requirements break down into 320 assessment objectives (per NIST SP 800-171A), and your assessor checks each objective, so a one-line "we comply" answer does not survive.
  • Roles and responsibilities — who owns what.
  • Supporting evidence — pointers to the policies, configurations, and records that prove each statement is true.

If a control isn’t written down in the SSP, an assessor will treat it as not met, even if you technically do it: 800-171A objectives are assessed by examining documents, interviewing staff, and testing, and the examine step has nothing to examine. The SSP is itself a requirement (3.12.4), so a missing or thin one is a finding in its own right. Documentation is the control.

The POA&M — Plan of Action & Milestones

No one is perfect on day one. The POA&M is the honest list of gaps you haven’t closed yet, each with a fix and a deadline. It shows you know where you stand and have a credible plan.

But under CMMC, POA&Ms come with strict limits — this is where contractors get caught out:

  • Only certain controls are POA&M-eligible. Under the current rule, Level 2 POA&M items are limited to requirements worth 1 point in the DoD Assessment Methodology scoring; 3- and 5-point requirements must be fully met before you can be certified (with a narrow exception for the CUI encryption requirement, SC.L2-3.13.11), and a handful of 1-point requirements are excluded as well.
  • There’s a minimum score you must already hit to qualify for a conditional certification with open POA&M items: for Level 2, at least 88 of 110 points (80 percent).
  • Open items must be closed within 180 days of the conditional certification and verified in a POA&M closeout assessment; if they aren’t, the conditional status expires.

In other words: a POA&M is a short bridge, not a parking lot. Plan to close items, not to live with them.

Rules around POA&M eligibility and scoring are set by the current CMMC program rule and your specific contract — always confirm the details that apply to your situation before you rely on them.

Practical advice

  • Start the SSP early. Writing it reveals gaps faster than any scan.
  • Keep evidence beside each control, not in a separate pile you’ll never find.
  • Be honest in the POA&M. Assessors respect a clear-eyed plan far more than a document that pretends everything is perfect.

Done well, these two documents don’t just pass an assessment — they become the operating manual for your security program.


Want help putting this into practice?

I can review or set this up for your business.

Work with me →