Meridian Compass

SSP, POA&M, SPRS: what each one is and where buyers slip

Published May 13, 2026. Updated May 13, 2026. 8 min read. Sources: 3 cited.

Three artifacts do most of the work in a CMMC engagement: the SSP, the POA&M, and the SPRS score. They sound related, and the vendor sales decks that mention them rarely explain which one a buyer owns and which one a provider produces. Confusion here is one of the most common ways buyers overpay.

This is a plain-English field guide to each, in the order they tend to come up.

SSP: System Security Plan

The SSP is the document that describes how your systems implement each of the NIST SP 800-171 security requirements (cite [1]). It is the single most important artifact in any Level 2 engagement, because an assessor reads the SSP before they look at anything else. NIST SP 800-171 Rev. 3 reinforces this framing, describing the publication as recommended security requirements for protecting CUI in nonfederal systems (cite [2]).

It is also the most commonly under-built deliverable. ComplianceForge, whose product is documentation templates, explicitly states that templates are not fill-in-the-blank. Buyers must tailor them because “only you know the technologies and resources available” (cite [3]). A template SSP without that tailoring is, at best, a half-finished deliverable.

Where buyers slip: treating the SSP as the provider’s job. Even when an RPO or consultant authors it, the SSP describes your environment, and the people answering the assessor’s questions are your team. The SSP has to match reality.

POA&M: Plan of Action and Milestones

The POA&M is the document that tracks the gaps you know about and the plan to close them. It exists because not every control is always fully implemented in real organizations, and the rule explicitly allows scored partial implementation with a documented plan.

A POA&M is a contract between you, the assessor, and (in practice) your CFO: what gets fixed, by when, and at what cost. A good POA&M is dated, owned, and live. A bad POA&M is a spreadsheet of vague intentions that nobody re-reads.

Where buyers slip: letting the POA&M sit static between vendor cycles. The assessor will compare the POA&M you submit with the SSP you submit, and with what they see on the day. A drifting POA&M is a leading indicator of a difficult assessment.

SPRS: Supplier Performance Risk System score

SPRS is the DoD-side system where contractors record a self-scored assessment against NIST SP 800-171 (under DFARS 252.204-7012 / 7019 / 7020 / 7021). The score is computed from a maximum of 110 points, with negative weights for unmet controls.

Some primes already require a SPRS score in the bid. It is also the most-cited number when a contracting officer or prime asks “where are you on CMMC,” long before a C3PAO assessment is in the picture.

Where buyers slip: entering an optimistic SPRS score to win a bid, then having to defend it later when the actual environment doesn’t match. An honest, defensible score is always cheaper than a flattering one you have to walk back.

How the three fit together

A simple mental model:

  • SSP = what the system is.
  • POA&M = what the system isn’t yet, and when it will be.
  • SPRS = the official score the DoD sees, computed from the gap between the two.

These have to agree. The single most common engagement-quality problem we see in buyer conversations is documentation that doesn’t reconcile: an SSP that says one thing, a POA&M that contradicts it, and a SPRS score that ignores both.
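As an added example (not code from the original guide), a small Python script that makes the reconciliation rule mechanical: it derives the SPRS score from the SSP's implementation statuses, cross-checks the POA&M against the SSP in both directions, flags expired milestones, and reports a claimed score the two documents cannot support. The 1/3/5 control weights follow the DoD Assessment Methodology for NIST SP 800-171, but the specific controls, weights, statuses and dates are constructed sample data, not the official table.

```python
"""Reconcile an SSP status list, a POA&M and a claimed SPRS score (added example,
not the guide's code). The 1/3/5 weights follow the DoD Assessment Methodology;
the controls, weights, statuses and dates below are a constructed sample."""
from datetime import date

MAX_SCORE = 110

# Constructed sample SSP: control id -> (status, weight). Controls not listed
# count as implemented; a real run would list all 110 requirements.
SSP = {
    "3.1.1": ("implemented", 5),
    "3.1.2": ("implemented", 5),
    "3.3.1": ("implemented", 5),
    "3.4.1": ("not implemented", 5),
    "3.8.3": ("not implemented", 3),
}

# Constructed sample POA&M: control id -> milestone date (ISO format)
POAM = {
    "3.8.3": "2026-09-30",
    "3.1.2": "2026-03-01",  # contradicts the SSP, which calls 3.1.2 implemented
}


def sprs_score(ssp):
    """Start at 110 and subtract the weight of every control not marked implemented
    (the methodology's few partial-credit cases are not modelled)."""
    return MAX_SCORE - sum(w for status, w in ssp.values() if status != "implemented")


def reconcile(ssp, poam, claimed_score, today):
    """Return (computed score, findings); each finding is one disagreement."""
    findings = []
    for cid, (status, _weight) in ssp.items():
        if status != "implemented" and cid not in poam:
            findings.append(f"{cid}: {status} in SSP but absent from POA&M")
        if status == "implemented" and cid in poam:
            findings.append(f"{cid}: SSP says implemented but POA&M still lists it")
    for cid, milestone in poam.items():  # a live POA&M has no expired milestones
        if date.fromisoformat(milestone) < date.fromisoformat(today):
            findings.append(f"{cid}: POA&M milestone {milestone} has passed")
    computed = sprs_score(ssp)
    if claimed_score != computed:
        findings.append(f"SPRS: claimed {claimed_score}, computed {computed}")
    return computed, findings


if __name__ == "__main__":
    score, issues = reconcile(SSP, POAM, claimed_score=110, today="2026-05-13")
    print(f"computed SPRS score: {score}", *issues, sep="\n - ")
```

On the sample data the script computes 102 and reports four findings, which is exactly the "optimistic score, contradictory POA&M" pattern described above.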

What to ask providers

Three questions worth asking before signing an engagement that includes documentation work:

  1. “Will the SSP you produce describe what we do, or will we have to operate to match the SSP you write?”
  2. “Who owns the POA&M after you leave? How does it stay live?”
  3. “What SPRS score do you expect us to be able to defend, and how does that differ from the score we’d want to claim?”

Good providers answer all three plainly. The ones who hedge on the third are the ones whose engagements get expensive.