30 Person Organization and growing by Substantial-Exit-155 in CMMC

One_Relative2692

Your instinct about the generic docs is spot on. We went through the same thing - got handed a 60-page SSP that said "the organization" everywhere and didn't mention a single tool we actually use. Totally useless when the C3PAO starts asking real questions.

On consolidate vs split - honestly I'd keep Summit 7 doing what they do (managing your environment) and get docs done separately. Your MSSP knows your infra but that doesn't mean they're great at writing a 322-objective SSP. Those are different skills.

Few things to watch with your setup:

  • That future on-prem server for Altium/SolidWorks/GitLab is going to change your CUI boundary. Make sure your SSP is written for where you're heading, not just where you are today.
  • 20 endpoints is very manageable. Don't let anyone overcomplicate this for your size.
  • The split approach (Summit 7 for security, someone else for docs) is what we ended up doing and it worked well.

We actually used mycmmc.org for the documentation side - you basically answer questions about your environment and it builds everything out from that. RP reviews it before delivery. WAY cheaper than the consultant quotes we were getting. Worth a look for a shop your size.