CA.L2-3.12.1 requires organizations to periodically assess the security controls implemented in their systems to determine whether those controls are operating effectively and meeting established security requirements, as specified in NIST SP 800-171 Rev 2 §3.12.1. Two elements must be satisfied: the organization must define the frequency at which these assessments occur, and it must actually conduct assessments at that defined frequency. Assessment activities may include reviews of documentation, interviews with personnel, and technical testing of controls. The goal is to produce evidence-based determinations about whether security controls are implemented correctly, operating as intended, and producing the desired outcomes. Results feed directly into Plans of Action and Milestones (POA&Ms) and continuous monitoring activities.
Where it stops · what it isn't
- Does not require a formal third-party or government-sponsored assessment — internal assessments performed by qualified staff are acceptable
- Does not define a mandated minimum assessment frequency — the organization must define and justify its own cadence based on risk
- Does not encompass the remediation activities following assessment findings — those are addressed under CA.L2-3.12.2 (POA&M development)
- Does not replace or substitute for the CMMC certification assessment conducted by a C3PAO
- Does not require assessment of every control simultaneously — scoped or rolling assessments covering all controls within the defined period are acceptable
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
PART OF: domain/security-assessment-ca