CA.L2-3.12.4 — Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.26

What this control requires

Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.26

Source: CMMC L2 v2.13 CA.L2-3.12.4 / NIST SP 800-171 R2 3.12.4 (official control text).

Why this matters

A system security plan (SSP) is the blueprint that maps your technical environment to security requirements. It defines what systems handle CUI, where those systems live, how they connect to each other, and which controls protect them. Without an SSP, auditors cannot validate your scope, assessors cannot trace controls to assets, and your own team lacks a shared understanding of what must be protected. This document transforms abstract compliance obligations into a concrete inventory of systems, boundaries, and implemented safeguards—making it the foundation of your entire CMMC assessment.

What evidence assessors expect

Assessors typically look for: PDF. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls