Security Assessment (CA): Evaluating & Strengthening Cyber Defenses

All four controls of the Security Assessment (CA) family are listed below.

Got questions? Contact our team today for a free CMMC Consultation

3.12.1

Conduct regular evaluations of implemented security controls to determine their effectiveness in protecting organizational systems. These assessments ensure that controls are functioning as intended and remain aligned with evolving threats.

NIST 800-171 Control Identifier: 3.12.1
CMMC Control Identifier: CA.L2-3.12.1
Control CMMC Level: 2
Basic or Derived Security: Basic

Relevant NIST SP 800-53 R5

CA-2: Conduct security assessments

CA-5: Maintain Plan of Action & Milestones (POA&M)

CA-7: Perform continuous monitoring

PL-2: Maintain documented system security and privacy plans

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI)

3.12.2

Implement actionable Plans of Action and Milestones (POA&M) to address known security control deficiencies and system vulnerabilities. These plans must be documented, tracked, and reviewed to ensure timely remediation aligned with the organization's risk posture.

NIST 800-171 Control Identifier: 3.12.2
CMMC Control Identifier: CA.L2-3.12.2
Control CMMC Level: 2
Basic or Derived Security: Basic

Relevant NIST SP 800-53 R5

CA-2: Security control assessments

CA-5: Maintain Plan of Action & Milestones (POA&M)

CA-7: Continuous control monitoring

PL-2: System security planning and documentation

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI) — Enables integration of remediation workflows, control mapping, and POA&M tracking via Compliance Manager, SharePoint, and Microsoft Planner.

3.12.3

Monitor security controls on an ongoing basis to ensure their continued effectiveness.

NIST 800-171 Control Identifier: 3.12.3
CMMC Control Identifier: CA.L2-3.12.3
Control CMMC Level: 2
Basic or Derived Security: Basic

Relevant NIST SP 800-53 R5

CA-2: Periodic security control assessments

CA-5: Maintain Plan of Action and Milestones (POA&M)

CA-7: Continuous monitoring of controls and emerging threats

PL-2: Maintain and align system security plans with monitoring outcomes

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI) — Enables continuous monitoring through Microsoft Defender, Sentinel integration, and Compliance Manager control mapping.

3.12.4

Develop, document, and maintain system security plans (SSPs) that define boundaries, operational environments, implemented controls (Basic or Derived), and inter-system connections. Periodically review and update these plans to reflect current configurations, risks, and interdependencies.

NIST 800-171 Control Identifier: 3.12.4
CMMC Control Identifier: CA.L2-3.12.4
Control CMMC Level: 2
Basic or Derived Security: Basic

Relevant NIST SP 800-53 R5

CA-2: Conduct assessment to validate control effectiveness

CA-5: Maintain a Plan of Action and Milestones (POA&M)

CA-7: Implement continuous monitoring

PL-2: Document and maintain system security and privacy plans

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI) — Supports SSP documentation and POA&M management through Microsoft Purview, Defender Security Center, and Microsoft Compliance Manager.

Microsoft Cloud for CMMC Compliance

Contact our team today

See how Agile IT's MSP for CMMC can strengthen your data security and allow your team to focus on your business's objectives and success.
