A comprehensive document that explains how an organization implements and maintains the cybersecurity controls required under NIST SP 800-171 and DFARS 252.204-7012. The SSP outlines the current security environment, details the systems where Controlled Unclassified Information (CUI) is stored or transmitted, and describes how each security requirement is met. It serves as a foundational artifact for CMMC assessments and is often reviewed alongside supporting evidence such as policies, diagrams, and procedures.