If you’re a small defense contractor, your CMMC SSP template can’t read like a policy brochure. It has to read like a map. A map of where CUI lives, who touches it, what tools enforce the rules, and what proof you can hand an assessor in 10 minutes without panic-searching admin portals.
I write SSPs for teams with limited IT staff, often running Microsoft 365 for the business and a separated enclave for CUI. That split can keep scope under control, but only if the boundary is tight and your documentation matches reality.
For the control requirements, I anchor everything to the official NIST SP 800-171 Rev. 2 (with its published update), and I write evidence steps in the same spirit as the CMMC Level 2 Assessment Guide v2.13: show it, prove it, repeat it.
How I scope a Microsoft 365 plus enclave boundary (so it survives assessment)

When I’m using Microsoft 365 plus an enclave model, I define the enclave as the only place CUI is stored, processed, or transmitted (except for tightly controlled email or approved workflows). Everything else stays “business network,” even if it’s in the same tenant.
Two scoping rules keep me out of trouble:
First, CUI pathways define scope, not org charts. If a receptionist can open an email attachment that contains CUI on an unmanaged laptop, that laptop just became part of your CUI environment, no matter what your SSP says.
Second, I document the “thin waist” between environments. That might be a VPN into the enclave, a jump host, or a virtual desktop broker. Assessors love boundaries that are simple to explain and hard to bypass.
Common boundary mistakes I call out in the SSP (because assessors will):
- “Temporary” local downloads to endpoints, then forgotten.
- Teams chats or SharePoint libraries used for CUI in a commercial tenant.
- Shared accounts on the enclave jump host.
- Split identity, where the enclave isn’t enforcing the same MFA and device rules.
- Undocumented vendor remote access paths.
If you want a plain-language primer on enclave thinking, I’ve found “CMMC enclaves explained” helpful for non-IT stakeholders.
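One way to turn the two scoping rules and the mistake list above into a repeatable check, as an added example that is not part of the original post: a PowerShell function that reads the same kinds of records the SSP tables hold (assets, jump-host accounts, access paths) and emits one finding per boundary mistake. The records are constructed for illustration, and the field names (Location, HandlesCui, Managed, Shared, MfaEnforced, Documented, CompliantDeviceRequired) are assumptions, not a standard schema.

```powershell
# Added example (not from the original post): flag the boundary mistakes listed above
# against the SSP's own inventory. The records below are constructed for illustration;
# the field names are assumptions, not a standard schema.

$Assets = @(
    [pscustomobject]@{ AssetId='EN-VM-01';  Type='Enclave VM'; Location='Enclave';           HandlesCui=$true;  Managed=$true  }
    [pscustomobject]@{ AssetId='JH-01';     Type='Jump host';  Location='Enclave edge';      HandlesCui=$true;  Managed=$true  }
    [pscustomobject]@{ AssetId='LT-017';    Type='Laptop';     Location='Remote';            HandlesCui=$true;  Managed=$false } # "temporary" local download, unmanaged laptop
    [pscustomobject]@{ AssetId='SP-BIZ-01'; Type='SharePoint'; Location='Commercial tenant'; HandlesCui=$true;  Managed=$true  } # CUI library in the business tenant
    [pscustomobject]@{ AssetId='LT-018';    Type='Laptop';     Location='Office';            HandlesCui=$false; Managed=$true  }
)
$JumpHostAccounts = @(
    [pscustomobject]@{ Name='svc-jump'; Host='JH-01'; Shared=$true;  MfaEnforced=$false } # shared account, no MFA
    [pscustomobject]@{ Name='jdoe-adm'; Host='JH-01'; Shared=$false; MfaEnforced=$true  }
)
$AccessPaths = @(
    [pscustomobject]@{ Name='Enclave VPN';        Target='Enclave';  Documented=$true;  MfaEnforced=$true;  CompliantDeviceRequired=$true  }
    [pscustomobject]@{ Name='Vendor remote tool'; Target='EN-VM-01'; Documented=$false; MfaEnforced=$false; CompliantDeviceRequired=$false } # undocumented vendor path
)

function Test-EnclaveBoundary {
    param(
        [object[]]$Assets,
        [object[]]$JumpHostAccounts,
        [object[]]$AccessPaths,
        [string[]]$EnclaveLocations = @('Enclave', 'Enclave edge')
    )
    $findings = @()

    # Rule 1: CUI pathways define scope. An asset that handles CUI outside the enclave
    # locations is in scope whether the SSP says so or not; an unmanaged one is worse.
    foreach ($a in $Assets | Where-Object { $_.HandlesCui }) {
        if ($a.Location -notin $EnclaveLocations) {
            $findings += [pscustomobject]@{ Rule='CUI outside enclave'; Object=$a.AssetId; Detail="$($a.Type) in '$($a.Location)' handles CUI" }
        }
        if (-not $a.Managed) {
            $findings += [pscustomobject]@{ Rule='Unmanaged device in CUI scope'; Object=$a.AssetId; Detail='no device/compliance policy enforced' }
        }
    }

    # Rule 2: the thin waist must be tight. Shared accounts and missing MFA on the
    # jump host both break the "one interactive path, one identity" story.
    foreach ($acct in $JumpHostAccounts) {
        if ($acct.Shared) {
            $findings += [pscustomobject]@{ Rule='Shared account on jump host'; Object=$acct.Name; Detail="host $($acct.Host)" }
        }
        if (-not $acct.MfaEnforced) {
            $findings += [pscustomobject]@{ Rule='Split identity'; Object=$acct.Name; Detail="MFA not enforced on $($acct.Host)" }
        }
    }

    # Every path into the enclave must be documented and enforce the same MFA and device rules.
    foreach ($p in $AccessPaths) {
        if (-not $p.Documented) {
            $findings += [pscustomobject]@{ Rule='Undocumented remote access path'; Object=$p.Name; Detail="reaches $($p.Target)" }
        }
        if (-not ($p.MfaEnforced -and $p.CompliantDeviceRequired)) {
            $findings += [pscustomobject]@{ Rule='Split identity'; Object=$p.Name; Detail='MFA or compliant-device requirement missing' }
        }
    }
    return $findings
}

# Run against the constructed records; each row is a line item for the SSP's known-weak-points notes.
$results = Test-EnclaveBoundary -Assets $Assets -JumpHostAccounts $JumpHostAccounts -AccessPaths $AccessPaths
$results | Format-Table -AutoSize
```

The point of keeping this as a function over plain objects is that the same three inputs can come from a CSV export of the SSP asset table, the jump host's local account list, and the VPN or firewall rule export, so the check can be re-run monthly alongside the inventory refresh.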
A downloadable-style SSP template you can paste into Word (and actually maintain)
An SSP fails when it’s either vague or too big to update. I keep mine short, then I attach evidence maps and inventories that can be refreshed monthly.
SSP cover and system facts (copy and fill)
| Field | Example entry | Your value |
|---|---|---|
| System name | “CUI Enclave for Program X” | [SYSTEM_NAME] |
| CMMC level target | Level 2 | [LEVEL] |
| Framework | NIST SP 800-171 (110 controls) | [FRAMEWORK] |
| Tenant | Microsoft 365 GCC High | [TENANT_TYPE] |
| Enclave type | Segmented network + jump host | [ENCLAVE_TYPE] |
| SSP owner | Security Officer | [OWNER_NAME] |
| Last updated | 2026-02-01 | [DATE] |
System boundary and CUI handling statement
| Boundary element | In scope? | Notes (be specific) |
|---|---|---|
| Enclave subnet and servers/VDI | Yes | Stores and processes CUI. |
| Jump host (bastion) | Yes | Only interactive path into enclave. |
| User endpoints (business) | No (goal) | Block CUI downloads, restrict access paths. |
| Microsoft 365 services | Yes (as used) | Email and collaboration for authorized workflows. |
| Personal devices | No | Prohibited by policy and enforced via access controls. |
Data flow narrative (paste-ready):
CUI enters the organization through (contract portal/email/vendor transfer) and is moved into the enclave via (approved upload path). Users access CUI only through (VDI/jump host) using MFA and compliant devices. CUI exits the enclave only through (approved export process), is logged, and is reviewed by (role).
Asset inventory (small contractor-friendly)
| Asset ID | Type | Owner | Location | Handles CUI? | Baseline/Hardening reference |
|---|---|---|---|---|---|
| EN-VM-01 | Enclave VM | IT | Enclave | Yes | [HARDENING_STD] |
| JH-01 | Jump host | IT | Enclave edge | Yes | [JUMP_HOST_STD] |
| LT-### | Laptop | User | Office/Remote | No | [INTUNE_BASELINE] |
Control entry template (repeat for all 110 controls)
Use this block for every NIST 800-171 requirement. The trick is consistency. Assessors sample controls, but they also judge whether your SSP method is repeatable.
| Control ID | Implementation statement (your words) | Where configured (high-level) | Evidence to capture (exact admin area) | What assessors test or sample |
|---|---|---|---|---|
| [e.g., 3.5.3] | [How we meet it in M365 + enclave] | [Portal + setting area] | [Admin page path and screenshot name] | [Interview prompts + artifacts + failure modes] |
Filled examples for commonly sampled controls (M365 + enclave)
| Control ID | Sample implementation statement | Where configured | Evidence to capture | What assessors actually check |
|---|---|---|---|---|
| 3.5.3 MFA | MFA required for all users, admin roles, and enclave access, with exceptions prohibited. | Microsoft Entra admin center, Authentication Methods, Conditional Access | Screenshot Conditional Access policies list, MFA method settings, break-glass account record | They interview: “Show me who is exempt.” They test sign-in paths and sample accounts. Failure: legacy auth allowed or conditional access not covering admin portals. |
| 3.1.1 Limit access | CUI apps and enclave resources are restricted to authorized roles, enforced by groups and least privilege. | Entra groups, Privileged Identity Management (if used), enclave RBAC | Group membership export, admin role assignment page | They sample a user, validate access matches job role. Failure: shared accounts, “everyone” groups, stale access. |
| 3.3.1 Audit events | We log user and admin activity for M365 and enclave systems, retain logs, and review alerts. | Microsoft Purview Audit, Defender portal, enclave SIEM/log host | Screenshot Purview Audit enabled, audit search example, log retention setting | They ask for logs covering a time range and for evidence of review. Failure: audit not enabled, retention too short, no review record. |
| 3.13.8 Encrypt in transit | All CUI transfers use TLS, VPN, or approved secure channels, with insecure protocols blocked. | Enclave VPN gateway, M365 transport settings | VPN config summary, email transport rule screenshots (if used), secure file transfer settings | They validate protocols, test for weak paths. Failure: SMB open across segments, weak VPN settings, uncontrolled email forwarding. |
| 3.14.1 Vulnerability mgmt | We run authenticated scans on enclave assets and track remediation with tickets and timelines. | Scanner platform, patch management, Intune (for managed endpoints) | Last scan report, remediation tickets, patch compliance report | They sample findings and verify closure. Failure: scans not authenticated, no proof of remediation, “accepted risk” with no approval trail. |
Evidence screenshots that hold up in a C3PAO review (and where to grab them)

I don’t claim “screenshots included” inside the SSP. I write “Evidence to capture” with a filename convention so anyone on my team can reproduce it.
My go-to evidence set for Microsoft 365 plus enclave includes:
- Microsoft Entra admin center: Conditional Access policies, sign-in logs, authentication methods, admin role assignments.
- Microsoft Intune admin center: device compliance policies, configuration profiles for Device Hardening, endpoint encryption status, update rings.
- Microsoft Defender portal: endpoint security alerts, onboarding status, AV and EDR policy state.
- Microsoft Purview compliance portal: audit configuration, retention policies (where applicable), eDiscovery holds if used for CUI workflows.
- Enclave: VPN configuration summary, jump host access logs, firewall rules between business network and enclave, VDI session logs.
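As an added example (not code from the original post or from Microsoft) of collecting part of the evidence set above with the filename convention the control table calls for: a PowerShell script that pulls Conditional Access policies, admin role membership and the audit configuration from the tenant, writes each to a file named by control ID and date, and compares the exclusions it finds against the exemptions the SSP documents. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the signed-in account holds a read-only role such as Global Reader, and that the tenant is GCC High (the environment switches are changed for a commercial tenant); the break-glass UPNs in `$DocumentedExemptions` are hypothetical placeholders.

```powershell
# Added example (not from the original post or Microsoft): collect evidence for 3.5.3,
# 3.1.1 and 3.3.1 into dated, control-numbered files and flag mismatches between what
# the SSP documents and what the tenant actually has configured.
# Assumes Microsoft.Graph and ExchangeOnlineManagement modules and a read-only admin role.

$Date = Get-Date -Format 'yyyy-MM-dd'
$Out  = Join-Path $PWD "ssp-evidence-$Date"
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# Exemptions the SSP documents (hypothetical break-glass UPNs); any Conditional Access
# exclusion not on this list becomes a finding, because that is the "show me who is exempt" question.
$DocumentedExemptions = @('breakglass1@example.us', 'breakglass2@example.us')

# GCC High endpoints; use -Environment Global and drop -ExchangeEnvironmentName for a commercial tenant.
Connect-MgGraph -Environment USGov -Scopes 'Policy.Read.All','Directory.Read.All','User.Read.All' -NoWelcome
Connect-ExchangeOnline -ExchangeEnvironmentName O365USGovGCCHigh -ShowBanner:$false

$findings = @()

# 3.5.3 MFA: policy list, then every user excluded from an enabled policy
$policies = Get-MgIdentityConditionalAccessPolicy -All
$policies | Select-Object DisplayName, State, CreatedDateTime, ModifiedDateTime |
    Export-Csv (Join-Path $Out "3.5.3_CA-policies_$Date.csv") -NoTypeInformation

foreach ($p in $policies | Where-Object { $_.State -eq 'enabled' }) {
    foreach ($id in $p.Conditions.Users.ExcludeUsers) {
        if ($id -notmatch '^[0-9a-fA-F-]{36}$') { continue }   # skip non-user tokens such as guest selectors
        $u = Get-MgUser -UserId $id -Property UserPrincipalName -ErrorAction SilentlyContinue
        if ($u -and $u.UserPrincipalName -notin $DocumentedExemptions) {
            $findings += "3.5.3: '$($u.UserPrincipalName)' is excluded from CA policy '$($p.DisplayName)' but is not a documented exemption"
        }
    }
}
# Legacy authentication: an enabled policy must block the 'other' client app type
$legacyBlock = $policies | Where-Object {
    $_.State -eq 'enabled' -and $_.Conditions.ClientAppTypes -contains 'other' -and
    $_.GrantControls.BuiltInControls -contains 'block'
}
if (-not $legacyBlock) { $findings += '3.5.3: no enabled Conditional Access policy blocks legacy authentication clients' }

# 3.1.1 Limit access: who holds activated directory roles (the admin role assignment page as data)
$roleMembers = foreach ($r in Get-MgDirectoryRole -All) {
    Get-MgDirectoryRoleMember -DirectoryRoleId $r.Id -All | ForEach-Object {
        [pscustomobject]@{ Role = $r.DisplayName; MemberId = $_.Id; UPN = $_.AdditionalProperties['userPrincipalName'] }
    }
}
$roleMembers | Export-Csv (Join-Path $Out "3.1.1_admin-role-members_$Date.csv") -NoTypeInformation

# 3.3.1 Audit events: unified audit log ingestion must be enabled
$audit = Get-AdminAuditLogConfig
$audit | Select-Object UnifiedAuditLogIngestionEnabled |
    Export-Csv (Join-Path $Out "3.3.1_audit-config_$Date.csv") -NoTypeInformation
if (-not $audit.UnifiedAuditLogIngestionEnabled) { $findings += '3.3.1: unified audit log ingestion is disabled' }

$findings | Set-Content (Join-Path $Out "findings_$Date.txt")
Write-Host "Evidence written to $Out ($($findings.Count) findings)"
```

The CSV exports sit beside the screenshots named in the control table rather than replacing them; the findings file is what you read before the assessor does, since an exclusion the SSP never mentions or an audit toggle left off is exactly the kind of SSP-versus-portal mismatch that turns into a finding.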
For cloud tenant selection and why GCC High shows up so often in CUI conversations, I point stakeholders to a plain explainer like “how Microsoft 365 GCC High supports CMMC,” then I document what we configured versus what we inherit.
What assessors actually check (interviews, sampling, and failure modes)

In practice, assessors don’t “check your vibe.” They triangulate: your SSP says X, your admins say Y, and your portals show Z. If those don’t match, you’ve got a finding.
What I prepare for every review:
- Interview readiness: Can the system owner explain the boundary in 2 minutes?
- Sampling proof: A small set of users, devices, and enclave assets with clean records.
- Inherited controls: A short statement of shared responsibility. Microsoft operates parts of the stack, but I still must show configuration, monitoring, and governance on my side.
- Failure-mode notes: I document known weak points and how we prevent them (USB, local admin, shadow IT file shares).
This is also where my broader work shows up. I’m often the Small Business IT contact one day, then deep in Cloud Infrastructure the next. I handle Office 365 Migration projects, Data Center Technology validations, and yes, Restaurant POS Support and Kitchen Technology Solutions when a client also runs a side business. The same Cybersecurity Services mindset carries across: Endpoint Security, Device Hardening, Cloud Management, and Business Continuity & Security. That mix is why I write SSPs like a Business Technology Partner doing Technology Consulting, not like a compliance factory. The goal is Infrastructure Optimization that supports real Digital Transformation and a practical IT Strategy for SMBs, built on Secure Cloud Architecture and Managed IT for Small Business with Innovative IT Solutions and Tailored Technology Services.
Conclusion
A Level 2 SSP isn’t a novel; it’s a proof binder with a table of contents. If you keep your enclave boundary tight, document data flows honestly, and write every control entry with configuration and evidence in mind, you’ll walk into assessment week with less stress and fewer surprises.
If you want one immediate next step, pick five controls from your SSP and collect the screenshots today. Your CMMC SSP template should make that easy, even when your best admin is out sick.