
Your SSP Is Only as Good as Your Scope: How System Security Plans Break at the Boundary

June 08, 2026 | 8 min read

The System Security Plan is the document a C3PAO assessor reads before walking into a CMMC Level 2 assessment. It is the contractor's formal record of the CUI environment: which systems are in scope, how the boundary is defined, what controls are implemented, and which assets are subject to which assessment requirements. Before an assessor evaluates whether AC.1.001 is correctly implemented or whether RA.3.137 has been addressed, they evaluate whether the SSP accurately describes the environment they are about to assess.

That evaluation happens at the boundary. And when the scope documented in the SSP does not match the boundary the controls actually enforce, the SSP does not function as documentation of compliance. It functions as documentation of a discrepancy — and that discrepancy shapes everything the assessor does from the moment they find it.


Why the SSP Scope Section Carries Disproportionate Weight

Most contractors think of the SSP as a controls documentation tool — a record of what is implemented and how. That framing is correct but incomplete. The SSP is also the contractor's argument for why the assessment boundary is defined the way it is.

An assessor approaching a Level 2 engagement uses the SSP scope section to construct a mental model of the environment before any interview, walk-through, or evidence review begins. They are looking for four things: a clear definition of which assets are in scope, correct asset category designations for each in-scope system, a boundary diagram that matches the network architecture documentation, and documented rationale for why out-of-scope assets are outside the boundary.

When those four elements are present and internally consistent, the assessment can proceed on the assumption that the contractor understands their own environment. When one or more are absent or inconsistent, the assessor has to resolve the inconsistency before evaluating controls — and the resolution process consumes time, produces findings, and in some cases redefines the scope in ways the contractor did not anticipate.


Failure Point 1: Missing Asset Category Designations

The CMMC asset category framework is not optional documentation. It is the mechanism by which the regulation assigns different assessment treatments to different systems in the same environment.

CUI Assets are assessed against the full 110 controls. Security Protection Assets — the systems providing security functions for the CUI environment, including firewalls, SIEMs, identity providers, and endpoint protection platforms — are assessed against controls relevant to the capabilities they provide. Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets each carry distinct documentation and assessment requirements defined in 32 CFR 170.19.

When an SSP lists in-scope systems without assigning categories, the assessor cannot determine which controls apply to which systems without reconstructing the categorization from scratch. A contractor in the aerospace supply chain submitted an SSP listing 54 in-scope assets with no category designations. The assessor's pre-assessment review could not confirm whether the full 110-control set applied to the entire asset list or only a subset. The categorization review that should have been completed before the SSP was finalized consumed the first two weeks of the assessment engagement, before a single control under AC, IA, or AU was evaluated. Three assets were recategorized during that review in ways that changed which controls applied to them, requiring the contractor to produce evidence that the remediation program had never generated.


Failure Point 2: Security Protection Assets Omitted From the Boundary

Security Protection Assets are among the most consequential systems in a CUI environment. The firewall enforcing the enclave boundary, the identity provider managing access to CUI systems, the endpoint protection platform monitoring CUI workstations for anomalous behavior — these are the systems through which the controls protecting CUI are actually delivered.

When they are omitted from the SSP boundary diagram, the assessor's ability to evaluate the controls those assets provide is compromised. The assessor can verify that AC.2.006 requires the contractor to control remote access through managed access control points — but if the system enforcing that control is not documented in the SSP, the evidence review has no anchor. The control is documented. The asset delivering the control is not. That gap produces a finding regardless of whether the asset is functioning correctly.

A defense engineering firm submitted an SSP with a boundary diagram covering CUI workstations, a file server, and a cloud collaboration platform. The firm's endpoint detection and response platform and its multi-factor authentication provider were not included in the boundary documentation. The assessor identified both omissions during the walk-through and could not evaluate the controls relying on those systems — including IA.3.083 for MFA enforcement and SI.3.219 for malicious code protection — without supplementary documentation the SSP should have contained from the start. The gap added four weeks to the assessment timeline.


Failure Point 3: Enclave Documentation That Doesn't Match the Network

The enclave approach — segmenting the CUI environment from the broader business network — produces a defensible scope only when the technical enforcement of the boundary matches what the SSP documents. An enclave diagram that does not correspond to actual network segmentation, VLAN configuration, or access control enforcement is not a boundary. It is a description of a boundary that does not exist.

A sub-tier defense contractor documented a CUI enclave in their SSP covering 16 engineering workstations and a program-specific file server. The boundary diagram showed network segmentation enforced by a managed switch configuration separating the enclave VLAN from the corporate network. During the assessment walk-through, the assessor reviewed the switch configuration records and found that the VLAN separation shown in the diagram had been partially implemented — four of the 16 workstations remained on the corporate VLAN. CUI assets were reachable from out-of-scope systems. The enclave boundary documented under SC.3.177 for network segmentation did not match the environment SC.3.177 was supposed to protect. The assessor suspended the evaluation of all controls dependent on the enclave boundary until the network configuration was corrected and re-verified.


Failure Point 4: Scope That Expanded Without SSP Updates

CMMC remediation programs run for months. During that time, the CUI environment changes. A cloud storage platform is added to the data flow. A new workstation is provisioned for a program team. A remote access solution is deployed to support distributed engineering work. Each of those changes affects the assessment scope — and each requires a corresponding update to the SSP.

When scope expands during implementation without SSP updates, the assessor finds a gap between the environment documented at the start of the program and the environment that actually exists at assessment time. That gap raises questions about every boundary decision in the SSP, because if one change was not reflected, the assessor cannot determine without additional investigation whether other changes were also omitted.

A prime defense contractor added a cloud-hosted engineering collaboration platform to their CUI workflow eight months into remediation. The platform was not added to the SSP asset inventory, was not assigned an asset category, and was not included in the boundary diagram. When the C3PAO assessment began, the assessor identified CUI stored in the platform during the data flow walk-through. The SSP boundary did not acknowledge the platform's existence. The assessor could not verify CM.2.061 for configuration baseline management or AC.3.012 for separation of duties relative to the platform, because neither the system nor the controls protecting it were documented. The scope review had to be reopened, delaying the assessment by three weeks and generating findings that the remediation program had never addressed.


What a Defensible SSP Scope Section Looks Like

The common thread across all four failure points is the same: the SSP was treated as a document produced at the end of remediation rather than a living record maintained throughout the program.

A defensible SSP scope section contains a clear asset inventory with category designations assigned to every in-scope system. It contains a boundary diagram that matches the network architecture documentation, with Security Protection Assets included alongside CUI Assets. It contains documented rationale for out-of-scope decisions, so an assessor reviewing the boundary can evaluate whether systems excluded from scope are genuinely isolated from the CUI environment. And it is updated when the environment changes, so the document the assessor reads at the start of the engagement reflects the environment they are walking into.

That alignment — between what the SSP documents and what the assessor finds — is what makes an assessment proceed on schedule. The controls can be correctly implemented, and the evidence can be well-organized, but if the scope section does not accurately describe the environment those controls are protecting, the assessment cannot proceed as planned. The boundary is the foundation. Everything else in the SSP is built on top of it.
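As an added example, not code from the article or from Xact Cybersecurity, the following check reconciles a constructed SSP scope inventory against a constructed switch VLAN export and reports the three discrepancies behind Failure Points 1, 3 and 4: in-scope assets with no category designation, enclave assets whose switch port is actually on a different VLAN, and hosts on the enclave VLAN that the SSP never lists. The hostnames, categories and the enclave VLAN id are assumptions made for the illustration.

```python
"""Reconcile an SSP asset inventory against a switch VLAN export.
All data below is constructed for this illustration, not from a real assessment."""
import csv
import io

ENCLAVE_VLAN = 40  # assumed VLAN id of the documented CUI enclave

# Constructed SSP scope rows: name, asset category, documented VLAN.
# The blank category on eng-ws-03 models Failure Point 1.
SSP_INVENTORY = """name,category,vlan
eng-ws-01,CUI Asset,40
eng-ws-02,CUI Asset,40
eng-ws-03,,40
prog-fs-01,CUI Asset,40
edge-fw-01,Security Protection Asset,40
"""

# Constructed switch export (host -> access VLAN) of the kind an assessor
# pulls from port configuration records during the walk-through.
SWITCH_EXPORT = """host,vlan
eng-ws-01,40
eng-ws-02,10
eng-ws-03,40
prog-fs-01,40
edge-fw-01,40
eng-ws-04,40
"""


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(ssp_text, switch_text, enclave_vlan=ENCLAVE_VLAN):
    """Return the scope discrepancies matching Failure Points 1, 3 and 4."""
    ssp = {r["name"]: r for r in load_csv(ssp_text)}
    observed = {r["host"]: int(r["vlan"]) for r in load_csv(switch_text)}
    # Failure Point 1: in-scope assets with no category designation.
    uncategorized = sorted(n for n, r in ssp.items() if not r["category"].strip())
    # Failure Point 3: documented enclave VLAN vs. the VLAN the port enforces.
    vlan_mismatch = sorted((n, int(r["vlan"]), observed[n]) for n, r in ssp.items()
                           if n in observed and observed[n] != int(r["vlan"]))
    # Failure Point 4: hosts on the enclave VLAN that the SSP never lists.
    undocumented = sorted(h for h, v in observed.items()
                          if v == enclave_vlan and h not in ssp)
    return {"uncategorized": uncategorized, "vlan_mismatch": vlan_mismatch,
            "undocumented": undocumented}


if __name__ == "__main__":
    for kind, items in reconcile(SSP_INVENTORY, SWITCH_EXPORT).items():
        print(f"{kind}: {items or 'none'}")
```

Running the same reconciliation before the SSP is finalized, and again after each environment change, is what keeps the scope section current between remediation and the assessment.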


About Xact Cybersecurity

Xact Cybersecurity is a division of Xact IT Solutions, a cybersecurity compliance firm based in Marlton, NJ, specializing in CMMC Level 2 preparation and assessment readiness for defense contractors and members of the Defense Industrial Base. Xact IT Solutions holds the GTIA Cybersecurity Trustmark Assured credential, meaning its internal operations have been independently validated against the same standards they help clients achieve.

For defense contractors with questions about SSP scope documentation, CUI boundary definition, or CMMC Level 2 readiness, the Xact Cybersecurity team offers a free 30-minute strategy call. Schedule at getready4cmmc.com/free-cmmc-strategy-call or contact the team directly at [email protected] | 856-282-4100 | 1 Executive Drive Suite 100, Marlton, NJ 08053.
