See all 4 controls below.
Conduct regular evaluations of implemented security controls to determine their effectiveness in protecting organizational systems. These assessments ensure that controls are functioning as intended and remain aligned with evolving threats.
CA-2: Conduct security assessments
CA-5: Maintain Plan of Action & Milestones (POA&M)
CA-7: Perform continuous monitoring
PL-2: Maintain documented system security and privacy plans
Microsoft 365 E5 (or GCC High E5 for CUI)
Implement actionable Plans of Action (POA&M) to address known security control deficiencies and system vulnerabilities. These plans must be documented, tracked, and reviewed to ensure timely remediation aligned with risk posture.
CA-2: Security control assessments
CA-5: Maintain Plan of Action & Milestones (POA&M)
CA-7: Continuous control monitoring
PL-2: System security planning and documentation
Microsoft 365 E5 (or GCC High E5 for CUI) — Enables integration of remediation workflows, control mapping, and POA&M tracking via Compliance Manager, SharePoint, and Microsoft Planner.
Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
CA-2: Periodic security control assessments
CA-5: Maintain Plan of Action and Milestones (POA&M)
CA-7: Continuous monitoring of controls and emerging threats
PL-2: Maintain and align system security plans with monitoring outcomes
Microsoft 365 E5 (or GCC High E5 for CUI) — Enables continuous monitoring through Microsoft Defender, Sentinel integration, and Compliance Manager control mapping.
Develop, document, and maintain system security plans (SSPs) that define boundaries, operational environments, implemented controls (Basic or Derived), and inter-system connections. Periodically review and update these plans to reflect current configurations, risks, and interdependencies.
CA-2: Conduct assessment to validate control effectiveness
CA-5: Maintain a Plan of Action and Milestones (POA&M)
CA-7: Implement continuous monitoring
PL-2: Document and maintain system security and privacy plans
Microsoft 365 E5 (or GCC High E5 for CUI) — Supports SSP documentation and POA&M management through Microsoft Purview, Defender Security Center, and Microsoft Compliance Manager.