Deretti Cyber Labs CMMC Desk · Evidence, SSP & POA&M

Evidence, SSP & POA&M.

Proof is what you already produce by operating the way you said you would.

Assessors don’t grade good intentions. They look for evidence — tickets, configs, logs, records — that ordinary operational practice matches the System Security Plan on file. This page covers what that proof looks like, the document it all points back to, exactly how a Plan of Action & Milestones works when a gap is found, the annual affirmation that carries real legal weight, and the three methods an assessor actually uses to check any of it.

01What counts as evidence

Evidence, at Level 2, is not a folder assembled the week before an assessment. It is the ordinary paperwork and system output an organization already produces by operating the way its SSP says it does — a change ticket, a log-review note, a training roster, a sanitization certificate, a vulnerability scan with a date on it. An assessor examining a requirement is looking for that ordinary output, not a purpose-built demonstration staged for the occasion.

Every family page on this desk carries its own “What evidence may look like” section for exactly this reason: the proof is a side effect of doing the work, not a separate project layered on top of it. A shop that treats evidence as something to construct after the fact usually finds the construction is the hard part — the actual practices were already there.

02The SSP: the document everything else points to

CA.L2-3.12.4 requires a system security plan — a document describing the system boundary, its environment of operation, how each Level 2 requirement is implemented (or planned to be, where a gap is still open), and how the system connects to anything outside it: an ESP’s tooling, a prime’s portal, a cloud service. NIST prescribes no specific format or level of detail; what matters is that the information 3.12.4 requires is actually conveyed somewhere in the document, and kept current. See Security Assessment for the rest of the family this requirement belongs to.

The SSP is the document the rest of the program hangs on, because it is typically the first thing an assessor reads and the reference point every other requirement’s evidence gets checked against. It is also, on its own, categorically excluded from ever sitting on a POA&M — Section 03 covers why, and what that means in practice.

What an SSP typically contains

NIST mandates no format, but its non-mandatory CUI SSP template — and the way assessors actually read these documents — converge on the same handful of parts: system identification (what the system is called, who owns and operates it, the CAGE codes it maps to); the boundary, in prose and in a network diagram that matches reality; the environment of operation — on-premises, cloud services, an ESP’s tooling, and how they connect; requirement-by-requirement implementation statements for each of the 110, or the POA&M reference where a gap is still open — the part assessors spend the most time in; roles and responsibilities, including the customer responsibility matrix where an ESP is involved; and external connections — every path in or out, from a prime’s portal to the MSP’s remote access. Treat that as the shape reviewers expect to find, not a mandated outline: 3.12.4 requires the information, not the format. NIST SP 800-171 R2 §3.12.4; NIST CUI SSP template

03POA&M mechanics, in full

A Level 2 assessment does not have to land on a perfect score to reach a usable status. Conditional status exists for a small, bounded set of gaps, on a clock — not an open-ended allowance to defer work.

The rule says

“An OSA is only permitted to achieve the CMMC Status of Conditional Level 2 (Self) or Conditional Level 2 (C3PAO), as appropriate, if all the following conditions are met: (i) The assessment score divided by the total number of CMMC Level 2 security requirements is greater than or equal to 0.8; (ii) None of the security requirements included in the POA&M have a point value of greater than 1 as specified in the CMMC Scoring Methodology… except SC.L2-3.13.11 CUI Encryption may be included on a POA&M if encryption is employed but it is not FIPS-validated, which would result in a point value of 3; and (iii) None of the following security requirements are included in the POA&M.”

32 CFR 170.21(a)(2)

In practice

Three conditions have to hold at once. The score has to be at least 88 of 110 (0.8 × 110). Every requirement left open on the POA&M has to be worth 1 point — with one named exception, SC.L2-3.13.11 (CUI encryption that’s in place but not yet FIPS-validated), capped at 3 points. And a short list of specific requirements can never sit on a POA&M at all, regardless of score, because the rule treats them as too foundational to leave open.

The six requirements excluded outright, whatever the score: AC.L2-3.1.20 (External Connections), AC.L2-3.1.22 (Control Public Information), CA.L2-3.12.4 (the System Security Plan — Section 02, above), PE.L2-3.10.3 (Escort Visitors), PE.L2-3.10.4 (Physical Access Logs), and PE.L2-3.10.5 (Manage Physical Access Devices). 32 CFR 170.21(a)(2)(iii)

Conditional → Final: the 180-day clock

A Conditional status opens a 180-day window. A closeout assessment within that window has to confirm every open POA&M item is closed; the status then moves to Final, and closeout itself requires a fresh affirmation (Section 04). Miss the window, and Conditional status simply expires — it does not roll over quietly, and the rule builds in no grace period. 32 CFR 170.21(b)

What a POA&M entry typically carries

A POA&M is a small table doing a specific job: naming what is open, what closing it takes, and by when. An entry that can survive a closeout assessment usually carries the requirement ID and its point value; what specifically is not yet MET, at the assessment-objective level rather than just the requirement number; the remediation steps or milestones; an owner; the resources it needs; a target date inside the 180-day window; and its current status. Deficiency-tracking itself is a Level 2 requirement in its own right — 3.12.2 — so the habit outlives any single assessment. 32 CFR 170.21; NIST SP 800-171 R2 §3.12.2

04Affirmations: the annual promise

Every level carries the same ongoing obligation on top of the assessment itself: once a year, a senior official — the Affirming Official — submits an affirmation in SPRS stating that the organization continues to meet the security requirements behind its CMMC Status. This happens at Level 1, 2, and 3 alike, and again whenever a POA&M closes out (Section 03).

An affirmation is not a formality. It is a representation to the government, made by someone with the standing to know whether it is true, and it carries the exposure that comes with any representation made to secure a federal contract — the Department of Justice’s Civil Cyber-Fraud Initiative has pursued False Claims Act cases built on exactly this kind of misrepresentation. See the Glossary for the full Affirmation / Affirming Official entry, and The Levels for how affirmations sit alongside each level’s assessment path.

05How an assessor actually looks: examine, interview, test

NIST SP 800-171A — the companion document to the 110 requirements — defines three assessment methods an assessor applies against the evidence described above. Understanding the three helps explain why the same requirement might get checked by reading a document one day and watching a login attempt the next.

The three NIST SP 800-171A assessment methods, what they examine, and their purpose
MethodApplied toWhat it does
ExamineSpecifications (policies, SSPs, procedures, designs)Reviewing, inspecting, or studying a document or artifact to understand it, clarify it, or find evidence in it.
InterviewIndividuals or groups (admins, security staff, account managers)Holding a discussion to understand something, clarify it, or locate evidence a document alone wouldn’t show.
TestMechanisms and activities (hardware, software, operations)Exercising something under specified conditions to compare what actually happens against what should happen.

All three methods work toward the same goal — supporting a determination of whether a safeguard exists, functions, is correctly implemented, and is complete — and none is required for every requirement on every assessment. As SP 800-171A puts it plainly: there is no expectation that all assessment methods and all objects will be used for every assessment. An SSP that’s current and specific (Section 02) is frequently what makes the examine method fast; a shop with nothing written down forces more of the assessment onto interviews, which take longer and depend more on who happens to be in the room that day.

06At the shop

At the shop

Blanchard Tool & Machining is the desk’s fictional composite (any resemblance to an actual company is coincidental). When Blanchard ran a practice self-assessment ahead of its planned C3PAO certification, the findings sorted cleanly into what a POA&M can and can’t hold. One gap was POA&M-eligible: its CUI backups were encrypted, but with a drive-native tool that wasn’t FIPS-validated — SC.L2-3.13.11, the single named exception, worth 3 points precisely because encryption was employed but not yet FIPS-validated. With a self-assessed score above the 88 floor, that item went onto a POA&M with a target date inside the 180-day window, the FIPS-validated replacement drive already on order. Two other findings couldn’t: the stale visitor-log format is Physical Access Logs (PE.L2-3.10.4), and the SSP’s own out-of-date network diagram is CA.L2-3.12.4 — both sit on the six-item exclusion list, so neither could be deferred to a POA&M. Blanchard fixed them before the assessment: the log format corrected the same week, the SSP diagram updated to match what the practice run actually found on the network.

07Sources

Primary sources for evidence, the SSP, and POA&M mechanics
DocumentWhat it’s for
32 CFR 170.21POA&M eligibility, the six categorical exclusions, and the 180-day closeout clock.
32 CFR 170.22Affirmation requirements at every level and at POA&M closeout.
NIST SP 800-171 Rev. 2, §3.12.4The System Security Plan requirement itself.
NIST CUI SSP templateA non-mandatory starting template for the 3.12.4 System Security Plan.
NIST SP 800-171AThe examine/interview/test assessment methods and objects, in full, with depth and coverage attributes.
DOJ Civil Cyber-Fraud Initiative announcementSource for the False Claims Act exposure tied to affirmations.