CRM System Security Plan Template for CMMC: What to Document

A practical SSP documentation template for your CRM's CMMC assessment. Covers exactly what assessors need to see for CUI handling, access controls, and audit trails.

Cabrillo Club

Editorial Team · February 5, 2026 · Updated Feb 16, 2026 · 2 min read

In This Guide
  • Section 1: System Description
  • Section 2: Authorization Boundary
  • Section 3: Access Control Documentation (AC)
  • Section 4: Audit & Accountability (AU)
  • Section 5: System & Communications Protection (SC)
  • Section 6: AI & Automation Controls
  • Next Steps

Your System Security Plan (SSP) is the document that tells your C3PAO assessor how you meet each NIST 800-171 control. For your CRM, this means documenting exactly how CUI is handled, who has access, and what controls are in place. This template covers the CRM-specific sections you need.

This template supports our CUI-Safe CRM guide and CMMC CRM checklist. Use the checklist to verify controls, then document them here.

Section 1: System Description

Document these items for your CRM system:

  • System Name: [Your CRM platform name and version]
  • Deployment Model: [Cloud SaaS / Self-hosted / Hybrid]
  • FedRAMP Authorization: [Authorization level, package ID, or N/A with justification]
  • Data Location: [Data center region, cloud provider, GovCloud designation]
  • System Boundary: [List all connected systems: email, ERP, document management, AI services]
  • CUI Categories Present: [List specific CUI categories handled: CTI, ITAR, source selection, etc.]

Section 2: Authorization Boundary

Define the CUI boundary for your CRM:

  • CUI Ingress Points: [Email sync, manual entry, API integrations, file uploads]
  • CUI Egress Points: [Reports, exports, API calls, email sending, AI processing]
  • Connected Systems: [List every system the CRM exchanges data with and the direction of CUI flow]

For detailed CUI flow mapping, reference our CUI Data Flow analysis.

Section 3: Access Control Documentation (AC)

For each role in your CRM, document:

  • Role name and description: [e.g., 'BD Manager - Can view/edit opportunities assigned to their division']
  • Object-level permissions: [What records can this role see? Contacts, opportunities, accounts?]
  • Field-level permissions: [Which fields are visible/editable for this role?]
  • Export permissions: [Can this role export data? In what formats?]
  • MFA requirement: [MFA method, enforcement status]

Section 4: Audit & Accountability (AU)

Document your audit logging implementation:

  • Events logged: [Login, record view, record edit, export, delete, search, AI query]
  • Log detail: [User ID, timestamp, action, record ID, field changed, old/new value]
  • Retention period: [How long are logs retained? Minimum 1 year recommended]
  • Log protection: [How are logs protected from tampering? Read-only, separate storage?]
  • Monitoring: [SIEM integration, alerting rules, review cadence]
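The "Log detail" and "Log protection" items above can be shown together in code. The following is an added example, not Cabrillo Club's code or any CRM vendor's API: it records the Section 4 fields for each CRM event and chains entries with SHA-256 so that an after-the-fact edit or deletion is detectable at review time. The hash-chain design and the sample events are assumptions constructed for illustration.

```python
import hashlib
import json

# Field set from the "Log detail" item above. The prev_hash/entry_hash chain is an added
# assumption for the "Log protection" item (tamper evidence), not a CMMC or NIST mandate.
FIELDS = ("user_id", "timestamp", "action", "record_id", "field", "old_value", "new_value")
GENESIS = "0" * 64


def _digest(entry: dict, prev_hash: str) -> str:
    """SHA-256 over the previous entry's hash plus the canonical JSON of this entry's fields."""
    body = json.dumps({k: entry[k] for k in FIELDS}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_event(log: list, **event) -> dict:
    """Append one CRM event, chained to the previous entry so later edits to any row are detectable."""
    missing = [k for k in FIELDS if k not in event]
    if missing:
        raise ValueError(f"audit record missing required fields: {missing}")
    prev_hash = log[-1]["entry_hash"] if log else GENESIS
    entry = {k: event[k] for k in FIELDS}
    entry["prev_hash"] = prev_hash
    entry["entry_hash"] = _digest(entry, prev_hash)
    log.append(entry)
    return entry


def verify_chain(log: list) -> int:
    """Return the index of the first altered, reordered or missing entry, or -1 if the chain is intact."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev_hash or _digest(entry, prev_hash) != entry["entry_hash"]:
            return i
        prev_hash = entry["entry_hash"]
    return -1


def build_sample_log() -> list:
    """Constructed sample events (not real data) covering edit, export and AI-query actions."""
    log = []
    append_event(log, user_id="bd.manager", timestamp="2026-02-05T14:03:00Z", action="record_edit",
                 record_id="OPP-1042", field="contract_value", old_value="1.2M", new_value="1.4M")
    append_event(log, user_id="bd.manager", timestamp="2026-02-05T14:05:10Z", action="export",
                 record_id="OPP-1042", field=None, old_value=None, new_value=None)
    append_event(log, user_id="capture.lead", timestamp="2026-02-05T14:07:42Z", action="ai_query",
                 record_id="OPP-1042", field=None, old_value=None, new_value=None)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log))        # -1
    log[0]["new_value"] = "1.1M"                # simulate an after-the-fact edit to the first row
    print("tampered at:", verify_chain(log))   # 0
```

In practice the chain head (the latest entry_hash) would be written to the separate, read-only storage named in the "Log protection" item, so the CRM database alone cannot rewrite history.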

Section 5: System & Communications Protection (SC)

  • Encryption at rest: [Algorithm, FIPS validation certificate number]
  • Encryption in transit: [TLS version, cipher suites, certificate management]
  • Key management: [Who controls encryption keys? Customer-managed or vendor-managed?]

Section 6: AI & Automation Controls

If your CRM uses AI features, document:

  • AI features enabled: [List all active AI features: summarization, scoring, auto-complete, search]
  • Processing location: [Isolated/dedicated or multi-tenant?]
  • Data training policy: [Contractual prohibition on training with your data?]
  • AI audit trail: [Are AI interactions logged with user, input, and output?]

Next Steps

Complete each section with your specific implementation details. Attach evidence for each control:

  • Screenshots of configuration settings
  • Exported role/permission matrices
  • Sample audit log exports
  • Vendor security documentation and FedRAMP package references

For the complete technical requirements, review our CUI-Safe CRM guide and the CMMC compliance guide.

Editorial Team

Cabrillo Club is a defense technology company building AI-powered tools for government contractors. Our editorial team combines deep expertise in CMMC compliance, federal acquisition, and secure AI infrastructure to produce actionable guidance for the defense industrial base.
