STUDENT PRACTICE TOOL
System Security Plan (SSP)
CMMC 2.0 Level 2 Compliance — Student Practice Exercise
[Organization name will appear here after entering in Section 2]
🎓 Student Instructions
- Click ✏️ Edit Mode to enable editing of all text fields — click again to lock them.
- Work through each section (1–10) to build a complete SSP for your assigned case study company.
- Use the + Add Row buttons to populate tables with roles, assets, controls, risks, and POA&M items.
- Use 💾 Save to store progress in your browser, or 📤 Export JSON to download a file.
- Use 🖨️ Print / PDF to generate your final submission — toolbar and instructions will be hidden.
- Tip: Ctrl+S saves at any time.
1. Document Control & Metadata
| Field | Value |
|---|---|
| Document Title | |
| Document Version | |
| Classification | |
| Prepared By | |
| Review Date | |
| Next Review Date | |
| Approval Authority | |
Document Purpose
2. System Description & Overview
Organization Overview
System Purpose and Function
System Classification
3. System Boundaries & Assessment Scope
CMMC Assessment Scope Definition
In-Scope Systems
CUI Processing Systems
Security Protection Assets
Network Infrastructure
Out-of-Scope Systems
4. Environment of Operation
Physical Environment
Technical Environment
Operational Environment
5. Roles & Responsibilities
| Role | Personnel / Title | Responsibilities | Contact | Actions |
|---|---|---|---|---|
| No roles added yet — click "Add Role" below to begin. | | | | |
6. Security Controls Implementation
NIST SP 800-171 Controls Summary
| Control Family | Control Count | Implementation Status | Compliance Score | Actions |
|---|---|---|---|---|
| No control families added yet — click "Add Control Family" below. | | | | |
Key Control Implementation Details
Click "Add Control Detail" to document specific control implementations.
7. Asset Inventory & Categorization
Asset Inventory Table
List all in-scope assets. Use asset categories: CUI, SPA, CRMA, SA, or OOS.
| Asset ID | Asset Name | Type | Location | Owner | Classification | Actions |
|---|---|---|---|---|---|---|
| No assets added yet — click "Add Asset" below. | | | | | | |
8. Network Architecture
Network Diagram Description
Network Components
| Component | Purpose | Security Controls | Network Location / VLAN | Actions |
|---|---|---|---|---|
| No network components added yet — click "Add Component" below. | | | | |
9. Risk Assessment & Management
Risk Assessment Summary
Identified Risks and Mitigations
| Risk ID | Risk Description | Likelihood | Impact | Risk Level | Mitigation Strategy | Actions |
|---|---|---|---|---|---|---|
| No risks added yet — click "Add Risk" below. | | | | | | |
10. Plan of Action & Milestones (POA&M)
POA&M Overview
Current POA&M Items
| POA&M ID | Control ID | Weakness / Gap | Planned Action | Responsible Party | Target Date | Status | Actions |
|---|---|---|---|---|---|---|---|
| No POA&M items added yet — click "Add POA&M Item" below. | | | | | | | |
Continuous Monitoring Program
Document Classification: | Date Generated:
This document contains sensitive information and should be handled in accordance with CMMC and NIST SP 800-171 requirements.