Q&A: SSP Report Generation — Visual Indicators, Formatting & Audit Readiness

[AGI-Corporation]

SSP Report Generation Deep-Dive Q&A

This thread covers everything about the System Security Plan (SSP) report generator — how it works, how to customize output, how visual indicators (emojis, progress bars, star ratings) are rendered, and how to produce audit-ready documentation for C3PAOs and government reviewers.

This thread is particularly relevant following the recently merged PR #66 (Palette: Enhance SSP report with visual indicators).

---

Common Questions

Report generation basics

• How do I trigger SSP report generation — CLI, API endpoint, or web UI?
• What file formats does the SSP report export to (Markdown, PDF, DOCX, HTML)?
• How do I generate a report for a specific CMMC level (1, 2, or 3) only?
• Can I generate a partial report for a single domain (e.g., Access Control only)?
• How long does report generation take for a full 110-control assessment?

Visual indicators (PR #66)

• What do the status emojis mean? (✅ implemented, 🟡 partial, 📝 planned, 🛑 not implemented, ⚪ N/A)
• How is the progress bar calculated — what counts as "implemented"?
• How is the confidence star rating derived from the confidence score?
• Why does confidence=0.0 show 1 star instead of 0? Is this intentional?
• How do I customize the visual indicator style for my organization's report template?

Control status normalization

• What are all the valid implementation_status values the agent accepts?
• I'm seeing ⚪ for a status I know should map to something else — how do I fix the mapping?
• How does the SSP handle controls marked in_progress vs partial?
• What happens to controls with not_applicable status in the compliance percentage calculation?

Audit readiness & C3PAO review

• What sections must be in an SSP for a CMMC Level 2 assessment?
• Does the generated SSP meet the DoD Assessment Methodology requirements?
• How do I add organization-specific narrative to auto-generated control descriptions?
• Can the SSP include system boundary diagrams or data flow diagrams?
• How do I export the SSP in OSCAL (JSON/XML) format for automated tool ingestion?

Branding & customization

• How do I update the SSP report footer with my organization's name?
• Can I add a cover page, table of contents, or version history?
• Is there a template engine (Jinja2, etc.) I can override for custom report layouts?

---

Post your SSP report questions below. Include your CMMC level, report format, and any relevant error output or sample report snippet.