CA.L2-3.12.1[b] – Examine documentation to confirm assessments to be performed are identified.
This objective ensures your organization has formally documented which assessments will be performed, how often, and by whom. These assessments must be clearly defined in your policies, procedures, or security plans to demonstrate your ongoing evaluation of controls protecting Controlled Unclassified Information (CUI).
CA.L2-3.12.4[a] – Identify system-level assessments.
This objective requires your organization to identify specific assessments that evaluate the effectiveness of security controls at the system level—particularly those related to the processing, storage, or transmission of Controlled Unclassified Information (CUI).
CA.L2-3.12.2[c] – Determine if plans of action are implemented.
This objective verifies that your organization is not only documenting Plans of Action and Milestones (POA&Ms) but is actively executing them. It ensures you are making measurable progress to correct identified control deficiencies—especially those that affect the protection of Controlled Unclassified Information (CUI).
CA.L2-3.12.4[b] – Examine documentation to confirm system-level assessments are identified.
This objective ensures your organization has formally documented which system-level assessments are being performed to evaluate the effectiveness of security controls related to Controlled Unclassified Information (CUI). These assessments must be clearly scoped, scheduled, and tied to your security objectives.
CA.L2-3.12.4[c] – Determine if system-level assessments are performed.
This objective ensures your organization is not only identifying and documenting system-level assessments, but also actively performing them to evaluate the effectiveness of security controls protecting Controlled Unclassified Information (CUI).
CA.L2-3.12.2[b] – Examine documentation to confirm plans of action are developed.
This objective ensures your organization has formally documented Plans of Action and Milestones (POA&Ms) for known gaps in the implementation of security requirements—especially for those impacting the protection of Controlled Unclassified Information (CUI).
CA.L2-3.12.3 – Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
This control requires your organization to continuously monitor the performance and effectiveness of the security controls protecting your systems—especially those used to safeguard Controlled Unclassified Information (CUI). It’s about ensuring your safeguards don’t just exist, but continue to work over time.
CA.L2-3.12.2[a] – Identify and develop plans of action.
This objective requires your organization to identify and document plans of action to address any security controls that are not fully implemented, or any known weaknesses or deficiencies—especially those affecting the protection of Controlled Unclassified Information (CUI).
CA.L2-3.12.1[a] – Identify assessments to be performed.
This objective requires your organization to identify and plan the assessments needed to evaluate how effectively your security controls are implemented and operating—especially those that protect Controlled Unclassified Information (CUI). These may include internal assessments, third-party audits, or control-specific tests.
3.12.3 – Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls
This control requires organizations to continuously monitor their security controls—not just assess them once a year. You must ensure that all controls remain effective over time, even as systems, threats, or users change.