In today’s blog post, we will take a deep dive into the world of documentation. In the context of Redspin’s joint surveillance assessments (JSVAP), we have seen a split between successful and struggling documentation practices. So, this discussion aims to shed light on the importance of proper documentation and provide insights into best practices. We will cover topics such as addressing objectives, maintaining living documents, upcoming changes in NIST Revision 3, and the significance of the System Security Plan (SSP). Join us on this informative journey as we explore the intricacies of documentation for successful compliance.

Addressing Objectives: Going Beyond Practices

During a CMMC level 2 assessment, there are 110 practices and 320 objectives to consider. The question arises: should documentation primarily focus on the practices or also address the objectives? According to experts, it is crucial to delve down to the objective levels. The NIST 800-171A, similar to the CMMC assessment guide, provides assessment objectives that need to be documented. Whenever the terms “defined” or “identified” appear, they should be included in the documentation, such as policies or System Security Plans (SSPs). Assessors will examine whether these objectives have been adequately defined and implemented.

Living Documents: Maintaining Relevance

Documentation is not a static endeavor; it must evolve and adapt over time. We emphasize the significance of treating documents as “living” documents. While the initial focus may be on passing the assessment, organizations must remember that assessments occur every three years. We like to refer to the concept “is lean to mean” or “does bloat equal gloat.” The key is to understand the essential requirements and stay within those parameters. We suggest designating a person responsible for maintaining documentation and combining a higher-level approach with periodic reviews to keep documentation up to date.

NIST Revision 3: Embracing Change

We would like to highlight the release of NIST Revision 3 for 800-171, which introduces changes that organizations must consider while updating their documentation. For example, previously separate items like most of the Non-Federal Organization (NFO) controls in Appendix E of NIST 800-171 r2 are now included in the main body of NIST 800-171 r3. These changes, among others, require organizations to adjust their SSPs and related documentation accordingly. We would like to emphasize the importance of staying updated, as revisions and requirements can impact the compliance landscape across various government agencies. It is also important to mention that you should continue to build your documentation to reflect NIST 800-171 Revision 2 since Revision 3 is still in draft.

Scalability and Separation: Agency-Specific SSPs

With the expansion of compliance rules to other agencies beyond the Department of Defense (DOD), the question arises: should organizations define separate scopes and maintain multiple SSPs for each agency or expand the existing scope? The answer lies in a case-by-case assessment. While maintaining a single system and SSP may be more manageable, certain assets within the system may not meet the stringent requirements of specific agencies. In such cases, separating systems or assets may be a viable option. Another potential solution is to compare the requirements of different agencies, identify which is the most stringent, and then implement the more stringent one.

The Key Document: System Security Plan (SSP)

The System Security Plan (SSP) emerges as a critical document in compliance efforts. An SSP serves as the game plan for an organization, outlining how it will meet compliance requirements and implement controls. We would like to point out the distinction between an SSP, policy, and procedure. While the SSP focuses on system-specific implementation, policies reflect overarching commitments, and procedures outline how policies are implemented.

Proper documentation plays a vital role in ensuring compliance and clarity in assessments. By addressing objectives, maintaining living documents, adapting to changes in standards like NIST Revision 3, considering scalability and separation for agency-specific requirements, and focusing on the System Security Plan (SSP), organizations can improve their documentation practices significantly. By following these best practices and embracing documentation as an ongoing process, organizations can enhance their compliance efforts, improve clarity, and mitigate potential risks. Ultimately, proper documentation lays the foundation for successful assessments and strengthens an organization’s overall security posture. Remember, documentation does not equal security but instead leads to security.

How Redspin can help >>

Need help with your documentation process? Reach out to our team with your questions at


Book a meeting to start your CMMC journey by filling out the form below