Two documents that every CMMC Level 2 candidate dreads writing are the System Security Plan (SSP) and the Plan of Action and Milestones (POAM). Most contractors are unclear on what goes in each, how they relate to each other, and whether both are actually required. This guide answers all three questions.
Short answer: Yes, you need both. The SSP describes your current security state. The POAM describes your plan to fix everything that's not yet compliant. Together, they give the assessor a complete picture of your security program.
What is the SSP?
The System Security Plan (SSP) is a document that describes your organization's information system — what it does, what data it handles, who uses it, and how each of the 110 NIST 800-171 controls is implemented (or why it's not applicable).
Think of the SSP as a snapshot of your current security posture. For every control, you write a brief description of how you've implemented it and what evidence exists to prove it. Controls that aren't applicable need to be documented with a justification.
What goes in an SSP?
- System name and description
- System owner and authorized users
- System boundary — what hardware, software, and networks are in scope
- Types of data processed (particularly CUI)
- How CUI flows through your systems
- For each of the 110 controls: implementation status, description, and evidence reference
- Any interconnections to other systems
What is the POAM?
The Plan of Action and Milestones (POAM) is a living document that tracks every security gap — controls you haven't fully implemented — along with your plan to fix them, who's responsible, and when it will be done.
The POAM is not a sign of failure. Assessors expect contractors to have some open items. What matters is that you're aware of your gaps, you have a realistic plan to address them, and you're making progress.
What goes in a POAM?
- Every control that is not fully implemented
- Description of the weakness or deficiency
- The specific fix or remediation action
- Who is responsible for fixing it
- Scheduled completion date
- Resources required
- Current status and any milestones achieved
How they work together
SSP covers
- All 110 controls
- What you've implemented
- How it's implemented
- What evidence exists
- N/A justifications
- Static — describes current state
POAM covers
- Only gap controls
- What still needs to be done
- Who is doing it
- When it will be done
- Resources needed
- Dynamic — updated as you remediate
Every control that shows up as a gap in your POAM should also have a corresponding entry in your SSP noting it as "planned" or "partially implemented." The two documents reference each other.
How long should they be?
An SSP for a small to mid-size contractor typically runs 40–80 pages. It does not need to be elaborate prose — clear, factual descriptions of what you do for each control are sufficient. Assessors value accuracy over length.
A POAM is typically a spreadsheet or table. Each row is one gap. The length depends entirely on how many open items you have: it could be 5 rows for a mature organization or 40+ rows for a contractor just starting out.
Do you need to have zero POAM items to pass?
No. Having open POAM items does not automatically fail your assessment, as long as:
- The open items are not critical-severity gaps
- Your milestone dates are realistic and in the near term
- You're making visible progress against the plan
- The open gaps don't create systemic risk to CUI
Critical gaps — like missing MFA or unencrypted CUI — must typically be remediated before the assessment. These are not acceptable as POAM items.
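The cross-referencing rule above (every POAM gap appears in the SSP as "planned" or "partially implemented", and vice versa) and the acceptance conditions for open POAM items are easy to check mechanically once both documents are exported. The following is an added example, not AuditSolz code or anything from the original post; the SSP status vocabulary, the 180-day "near-term" horizon, the list of critical controls and the NIST 800-171 control numbers in the sample (3.5.3 for MFA, 3.13.16 for CUI at rest) are all assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date

GAP_STATUSES = {"partially implemented", "planned"}  # SSP statuses that require a POAM row

@dataclass
class SspControl:
    control_id: str
    status: str  # implemented / partially implemented / planned / not applicable

@dataclass
class PoamItem:  # one row of the POAM table; every row is an open gap
    control_id: str
    weakness: str
    due: date

def cross_check(ssp, poam, critical_ids, today, horizon_days=180):
    by_id = {c.control_id: c for c in ssp}
    poam_ids = {p.control_id for p in poam}
    findings = []
    for p in poam:  # every open gap must be reflected in the SSP and be acceptable to carry
        c = by_id.get(p.control_id)
        if c is None:
            findings.append(f"{p.control_id}: POAM gap has no SSP entry")
        elif c.status not in GAP_STATUSES:
            findings.append(f"{p.control_id}: SSP says '{c.status}' but POAM carries an open gap")
        if p.control_id in critical_ids:
            findings.append(f"{p.control_id}: critical gap must be fixed before assessment")
        if p.due < today:
            findings.append(f"{p.control_id}: milestone {p.due} already past")
        elif (p.due - today).days > horizon_days:
            findings.append(f"{p.control_id}: milestone {p.due} not near-term")
    for c in ssp:  # the reverse direction: planned/partial controls with no POAM row
        if c.status in GAP_STATUSES and c.control_id not in poam_ids:
            findings.append(f"{c.control_id}: SSP marks '{c.status}' but POAM has no row")
    return findings

# Constructed sample, not a real contractor's documents; control numbers are this example's assumed NIST 800-171 mapping (3.5.3 = MFA, 3.13.16 = CUI at rest).
TODAY, CRITICAL = date(2024, 6, 1), {"3.5.3", "3.13.16"}
SAMPLE_SSP = [
    SspControl("3.1.2", "planned"),
    SspControl("3.5.3", "partially implemented"),
    SspControl("3.8.2", "implemented"),
]
SAMPLE_POAM = [
    PoamItem("3.5.3", "No MFA for local admin logins", date(2024, 7, 15)),
    PoamItem("3.8.2", "Media log incomplete", date(2024, 5, 1)),
    PoamItem("3.14.1", "No patch SLA defined", date(2025, 3, 1)),
]
FINDINGS = cross_check(SAMPLE_SSP, SAMPLE_POAM, CRITICAL, TODAY)
```

Run against the sample, the check reports six findings: the MFA gap carried as a POAM item, a control the SSP calls implemented while the POAM still lists it open (with a past-due milestone), a POAM row with no SSP entry and a far-off date, and a planned control with no POAM row.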
How long does it take to write them?
Writing an SSP manually typically takes 2–6 weeks depending on the size of your environment and team. The POAM takes another week. Most contractors find the documentation burden to be the most time-consuming part of CMMC preparation.
AuditSolz auto-generates both documents from your assessment answers. When you answer questions about each control, the system populates the SSP with your implementation descriptions and creates POAM entries for every gap — cutting documentation time from weeks to minutes.