CMMC Practice CA.L2-3.12.3, drawn from NIST SP 800-171 Rev 2 Security Requirement 3.12.3, requires organizations to monitor security controls on an ongoing basis to ensure they remain effective in protecting Controlled Unclassified Information (CUI). Ongoing monitoring goes beyond point-in-time assessments; it involves the continuous awareness of the security state of organizational systems, including tracking changes, reviewing control performance metrics, and detecting when controls degrade or fail. The practice encompasses both automated and manual monitoring activities that collectively produce a current picture of security posture. Organizations must establish a monitoring strategy that defines what is monitored, how frequently, and how results are analyzed and acted upon. Monitoring results feed directly into risk management decisions, plan of action and milestones (POA&M) updates, and future security assessment activities.
Where it stops · what it isn't
- This practice does not replace the periodic formal security assessment required by CA.L2-3.12.1; it supplements it with continuous between-assessment monitoring.
- This practice does not require the implementation of a full Security Operations Center (SOC) or enterprise-grade Security Information and Event Management (SIEM) platform, though those may be used to satisfy it.
- This practice does not cover incident response procedures themselves; monitoring that detects an incident triggers IR practices, but the response actions are governed by IR domain requirements.
- This practice does not mandate real-time monitoring of every control; the monitoring frequency must be commensurate with the risk associated with the control and the system.
- This practice does not govern the physical security monitoring of facilities, only the monitoring of information security controls protecting CUI systems.