Information systems must be protected from unauthorized access, use, disclosure, interception, or destruction. The security of these systems is essential to the confidentiality, integrity, and availability of the information processed and stored within them. Information technology (IT) users with access to Controlled Unclassified Information (CUI) must ensure that all CUI is safeguarded under laws, regulations, and policies. The Cybersecurity Maturity Model Certification (CMMC) is a framework that guides the implementation of security controls and practices across five maturity levels. The goal of CMMC is to reduce cyber risks to CUI within the Department of Defense (DoD) supply chain. Organizations seeking to do business with the DoD will need to be certified at one of the five CMMC levels, depending on the CUI they will have access to. The CMMC System Security Plan (SSP) is a required component of the CMMC certification process. The SSP is a living document that describes an organization's security position and details the security controls and practices in place to protect CUI. The SSP must be updated as changes are made to the organization's security position. The SSP