Generating your SSP & POA&M
These two documents are the backbone of a CMMC assessment. Bastion builds both directly from the answers, notes, and evidence you entered — plus an executive readiness report for leadership.
The System Security Plan (SSP)
The SSP is the document that describes your in-scope system and explains how each of the 110 controls is implemented. It's required under NIST 800-171 (control 3.12.4) and is the first thing an assessor reads. A good SSP answers: what's the boundary, what's in scope, and for every control — how do you satisfy it, who owns it, and what's the evidence?
Bastion assembles your SSP from:
- System profile — the system name, scope, and boundary you defined.
- Per-control status — Met, Partially Met, Not Met, N/A, or Inherited.
- Implementation notes — the narrative you wrote on each control becomes that control's implementation description.
- Evidence references — what backs each control, including anything imported from Sightline and Cairn.
- Inheritance details — which controls a provider satisfies on your behalf.
This is why the notes you write per control matter so much: they are your SSP. Write them clearly the first time and the document writes itself.
The Plan of Action & Milestones (POA&M)
The POA&M is your remediation roadmap: every control that isn't fully Met becomes a tracked entry with what's wrong, who owns it, and when it'll be fixed. It's how you demonstrate that gaps are managed, not ignored. Within the limits the CMMC rule places on which controls may sit on a POA&M and for how long they may stay open, a credible POA&M is often what lets a supplier with an imperfect score stay eligible while it closes the gaps.
Bastion turns each Partially Met and Not Met control into a POA&M line containing:
| Field | Source |
|---|---|
| Control ID & requirement | The NIST 800-171 control itself. |
| Current status & weakness | Your status and the gap described in your notes. |
| Point value | The control's SPRS weight (5 / 3 / 1) — so you can prioritize. |
| Owner | The responsible person you assign. |
| Target completion date | The milestone date you set. |
The remediation planner ties straight into the POA&M: as you sequence fixes, the what-if projected SPRS shows the score you'll reach once each milestone closes.
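The table above, the what-if projection, and the assessor's first check (does the SSP reconcile with the posted SPRS score?) are all one small computation over your per-control statuses. The following is an added worked example, not Bastion's code: it builds POA&M lines from a list of controls, scores them, and projects the score at each milestone date. The record shape, field names, function names and sample controls are constructed for illustration; the scoring rule follows the DoD NIST SP 800-171 Assessment Methodology (start at 110, subtract each unimplemented control's weight, floor at -203, with 3.5.3 and 3.13.11 losing 3 instead of 5 when only partially implemented).

```python
"""Added example (not Bastion's code): POA&M lines, SPRS score and what-if
projection from per-control status. Record shape and names are assumed."""
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

MAX_SCORE = 110   # all 110 requirements implemented
MIN_SCORE = -203  # every requirement unimplemented (methodology floor)

# Controls that earn partial credit: a partial implementation deducts 3, not 5.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}
OPEN_STATUSES = ("Partially Met", "Not Met")


@dataclass(frozen=True)
class Control:
    control_id: str
    weight: int                       # SPRS weight: 5, 3 or 1
    status: str                       # Met, Partially Met, Not Met, N/A, Inherited
    weakness: str = ""                # the gap described in the implementation notes
    owner: Optional[str] = None
    target_date: Optional[date] = None


def deduction(c: Control) -> int:
    """Points lost for one control under the DoD methodology."""
    if c.status not in OPEN_STATUSES:           # Met, N/A, Inherited
        return 0
    if c.status == "Partially Met" and c.control_id in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[c.control_id]
    return c.weight                             # anything else open: full weight


def sprs_score(controls) -> int:
    return max(MIN_SCORE, MAX_SCORE - sum(deduction(c) for c in controls))


def poam_lines(controls):
    """One POA&M entry per open control, highest point value first, with a
    'complete' flag so lines missing a gap, owner or date are visible."""
    lines = [
        {
            "control_id": c.control_id,
            "status": c.status,
            "weakness": c.weakness or "(no gap described in notes)",
            "points": c.weight,
            "owner": c.owner,
            "target_date": c.target_date,
            "complete": bool(c.weakness and c.owner and c.target_date),
        }
        for c in controls if c.status in OPEN_STATUSES
    ]
    return sorted(lines, key=lambda l: (-l["points"], l["control_id"]))


def projected_scores(controls):
    """What-if trajectory: the score once every control due on or before each
    milestone date is closed. Open controls with no date never close."""
    milestones = sorted({c.target_date for c in controls
                         if c.status in OPEN_STATUSES and c.target_date})
    trajectory = []
    for m in milestones:
        closed = [replace(c, status="Met")
                  if c.status in OPEN_STATUSES and c.target_date and c.target_date <= m
                  else c
                  for c in controls]
        trajectory.append((m, sprs_score(closed)))
    return trajectory


def reconciles_with_posted(controls, posted_score: int) -> bool:
    """Assessor check: the SSP's statuses must reproduce the posted SPRS score."""
    return sprs_score(controls) == posted_score


# Constructed sample (six of the 110 controls, weights per the DoD methodology).
SAMPLE = [
    Control("3.1.1", 5, "Met"),
    Control("3.3.1", 5, "Inherited"),
    Control("3.1.5", 3, "Not Met", "Admins use shared accounts", "Alice Ng", date(2025, 3, 31)),
    Control("3.4.1", 5, "Not Met", "No configuration baseline", "Bob Diaz", date(2025, 6, 30)),
    Control("3.5.3", 5, "Partially Met", "MFA on remote and privileged access only",
            "Alice Ng", date(2025, 6, 30)),
    Control("3.5.7", 1, "Not Met"),   # no weakness, owner or date: incomplete line
]

if __name__ == "__main__":
    print("current SPRS:", sprs_score(SAMPLE))           # 98
    for line in poam_lines(SAMPLE):
        print(line["control_id"], line["points"], "complete" if line["complete"] else "INCOMPLETE")
    for milestone, score in projected_scores(SAMPLE):
        print(milestone, "->", score)                     # 2025-03-31 -> 101, 2025-06-30 -> 109
```

The sample scores 98 today: 3 + 5 + 3 + 1 points deducted, the 3.5.3 line costing 3 rather than 5 because MFA is already in place for remote and privileged users. Closing 3.1.5 by the March milestone lifts the score to 101; closing the two June items reaches 109, with the dateless 3.5.7 line still open, which is exactly the kind of gap the completeness flag is there to surface before export.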
The executive readiness report
Not everyone needs the 110-control detail. The executive readiness report is a one-page summary for leadership or a prime: your current SPRS score, the gap picture by control family, the top remediation priorities, and your trajectory from the score-history snapshots. It's the "are we contract-ready, and if not, when?" view.
How Bastion builds them
The artifacts are only as complete as your inputs. Controls with thin notes produce thin SSP sections; open controls with no owner or date produce incomplete POA&M lines. Fill those in before you export.
What assessors expect
- An SSP that matches your SPRS score. The documented status of each control should reconcile with the number you posted.
- A POA&M with real owners and dates, not placeholder text — and target dates that are credible.
- Evidence that backs the narrative. Where the SSP says a control is Met, you should be able to produce the proof.
- Documented inheritance. For Inherited controls, the provider's responsibility matrix or attestation.
- Currency. Documents dated and kept up to date as your posture changes.
Remember: Bastion produces audit-ready artifacts, but it does not certify you. Certification assessments are performed by a C3PAO; use these documents to walk into that assessment prepared.