CA (Security Assessment) Domain Notes
CMMC Domain: CA (Security Assessment / CAAP)
NIST 800-171 Family: 3.12.x
General Notes
System Security Plan (SSP) is the Core Artifact
- SSP is the backbone of your audit
- Must document ALL controls, even inherited ones (with a reference to the inheritance source)
- Format: no single required format; a Word document (~100 pages) is accepted by major C3PAOs
- Separate per-domain docs also work well (14 documents, one per domain)
SSP Content Requirements
- Every control needs: policy statement (even one sentence) + procedure describing implementation
- Inherited controls: describe the inheritance, flag the control as inherited, include the specific Microsoft/vendor control reference
- Boundaries must be clearly defined: you define them, and assessors assess what you've defined
SSP Templates
- See templates/index.md for full list
- Free: Peak InfoSec, Hive Systems, CMMC SSP Builder (GitHub)
- Paid: Kieri KCD (~$14K), ComplianceForge NCP (~$5K)
- Microsoft publishes its own CMMC reference materials; use Appendix J and the Implementation Guide
Mock Assessments
- Get the mock assessment from your C3PAO, not from a consultant; C3PAOs know exactly what they'll look for
- C3PAO mock typically done before formal assessment to identify gaps
- Some C3PAOs offer mock at no extra cost (Emgage example)
- Source: lotsofxeons megathread (2025)
SPRS Score
- Organizations must have a valid SPRS score on file
- 110/110 is perfect; any negative findings reduce the score
- Self-assessment score vs. C3PAO-assessed score: different validation levels
- Some contracts now require C3PAO-assessed score (not just self-attestation)
- Source: https://old.reddit.com/r/CMMC/comments/1r5q11b/ (2026-02-15), "CMMC Self-Assessment on SPRS"
DIBCAC Assessment
- DIB Cybersecurity Assessment Center; conducts assessments for government contractors
- "Anyone with experience of going through DIBCAC assessments?" (active thread)
- Source: https://old.reddit.com/r/CMMC/comments/1qqn10a/ (2026-01-29)
Related Posts
- Screenshots (evidence) (2026-03-04)
- SSPs quantity (2026-01-13)
- CUI Interviews and Documentation (2026-01-27)
SSP Format: Confirmed Working Example (2026-03-11)
Source: https://old.reddit.com/r/CMMC/comments/1rpitjk/ (Kieri assessment, 110/110)
- Format: Single large Word document (~100 pages) listing all 110 controls
- Inherited controls: documented with a description of the inheritance, the phrase "Inherited from Microsoft GCC High", and the specific Microsoft control reference
- Kieri accepted this format with no complaints
- Community corroboration: SSPs written for clients run 150-200 pages depending on scope/complexity
- SSP implementation statements double as work instructions β write them to describe the how, not just the what
- Assessor variability is real: two different assessors covered the control family domains, and parts were hard while other parts were easy
First-Submission Pass Rate
- Community reporting: under 30% first-submission pass rate across C3PAOs
- Source: https://old.reddit.com/r/CMMC/comments/1rnu0yr/ (RPO asking CCAs for pattern data)
- Most common failure mode: folder/naming chaos and controls that look implemented but have no auditable evidence
Related Posts (continued)
- CMMC Self-Assessment on SPRS and JCP (2026-02-15)
- Anyone with experience of going through DIBCAC assessments? (2026-01-29)