Hands-on masterclass building a System Security Plan and Plan of Action & Milestones suitable for CMMC Level 2 submission. Covers system boundary documentation, control implementation statements, evidence cross-references, and the SPRS scoring methodology. Participants leave with templated artifacts.
Building a compliant System Security Plan and Plan of Action & Milestones is one of the most technically demanding requirements a defense contractor faces on the path to CMMC Level 2 certification. This six-hour masterclass with Carl B. Johnson, President & CISO of Cleared Systems, moves practitioner-by-practitioner through every major component an assessor will scrutinize — from the first line of boundary documentation to the final SPRS score entry.
You cannot write a credible SSP without a defensible system boundary. This session opens by walking through the process of identifying and documenting which assets, users, technologies, and external service providers fall inside your authorization boundary for Controlled Unclassified Information (CUI). Participants work through boundary scoping decisions, network topology narratives, and the data flow descriptions that underpin every control implementation statement that follows.
The bulk of the session is devoted to writing implementation statements for the NIST SP 800-171 control families required at CMMC Level 2. Participants learn how to articulate what the control requires, how your organization satisfies it, who is responsible, and where the evidence lives — the four elements assessors expect to see in every statement. Common weaknesses that cause assessors to downgrade or reject a control are addressed directly, so participants leave knowing what adequate looks like versus what gets flagged.
Implementation statements alone are not enough. This session covers how to build a structured evidence cross-reference that ties each control statement to supporting documentation — policies, configuration screenshots, audit logs, training records, and third-party attestations. Participants learn how to organize the evidence package so it is navigable during a CMMC Level 2 assessment and how to avoid the common mistake of referencing artifacts that do not actually substantiate the claim being made.
A Plan of Action & Milestones is not an admission of failure — it is a required artifact that must reflect reality accurately. This portion of the session covers how to document gaps in control implementation, assign realistic remediation milestones, and write POA&M entries in language that demonstrates risk awareness and management commitment. Participants also learn what distinguishes a POA&M that supports submission from one that raises assessor concerns.
The session closes by walking through the Supplier Performance Risk System scoring methodology, showing how the SSP and POA&M together drive your organization's calculated score. Participants learn how to calculate and validate a defensible SPRS score based on their documented control posture and how that score must align with the narrative in both artifacts before submission.
This masterclass is built for the practitioners doing the work: information system security officers (ISSOs), compliance managers, IT managers, and security analysts at defense contractors and federal subcontractors who handle CUI and are preparing for or maintaining CMMC Level 2 compliance. It is equally valuable for program managers and operations leads who own the SSP on paper and need to understand what their team is producing and why it matters to an assessor.
If your organization is working with an outside advisor on your CMMC, CUI & DFARS compliance program, this training ensures your internal team can contribute meaningfully, review deliverables critically, and maintain artifacts independently between assessments. Organizations that want structured, ongoing support for building and sustaining their compliance program can explore Compliance Program Development services from Cleared Systems.
Six hours of focused, practitioner-level instruction will give your team the templates, the methodology, and the hands-on confidence to produce SSP and POA&M documentation that reflects your actual security posture — and supports a credible CMMC Level 2 submission. Register your seat or send this page to the person who approves your training budget.
Ask about group rates, private delivery of this curriculum for your team, or whether this session fits your compliance roadmap.