CMMC CA.L2-3.12.1: Periodic Security Control Assessment
Security controls degrade over time without regular evaluation. CMMC CA.L2-3.12.1 requires organizations to periodically assess whether their implemented controls remain effective and properly configured. This foundational control ensures your security posture stays ahead of emerging threats and organizational changes.
What this means
This control mandates that you establish and execute a recurring assessment schedule to evaluate all security controls in your information systems. The assessment must verify that controls are functioning as intended, properly configured, and achieving their stated security objectives. You need documented evidence of when assessments occur, what was tested, findings discovered, and any remediation actions taken.
How to comply
- 1.Define a periodic assessment schedule (typically annually or semi-annually) and document the frequency in your security plan
- 2.Create or adopt an assessment checklist covering all deployed security controls relevant to your systems
- 3.Conduct assessments using qualified personnel with technical knowledge of your systems and security requirements
- 4.Document assessment results including control effectiveness ratings, gaps identified, and dates of evaluation
- 5.Track remediation of any deficient controls and verify closure before the next assessment cycle
- 6.Review and update your assessment program annually to account for new systems, controls, or regulatory changes
Evidence auditors look for
- Security control assessment schedule and calendar showing periodic review dates
- Assessment checklists or templates listing all controls evaluated
- Assessment reports with dates, findings, control effectiveness ratings, and responsible parties
- Evidence of testing performed (logs, screenshots, test results) supporting assessment conclusions
- Remediation tracking records showing deficiencies found and corrective actions completed
- Management sign-off on assessment results and approval of remediation plans
- Updated system security plans reflecting assessment findings and control changes
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates control assessment scheduling, provides built-in CMMC assessment templates, and tracks remediation across your controls—eliminating manual spreadsheet management and ensuring assessments happen on schedule.
See how GRCWatch handles this control automatically
Start free trial