NetStable
🔍 4 Practices NIST 3.12.1 - 3.12.4

Security Assessment, Authorization, and Monitoring Policy

Assessment, Authorization, and Monitoring Domain (CA)

📖 What This Policy Covers

Assessment, Authorization, and Monitoring is the governance loop that keeps your security program honest. This policy covers periodic security assessments (internal quarterly, external annually); System Security Plans (SSPs), the master document describing the security posture of each CUI system; continuous monitoring (SIEM, vulnerability scanning, config compliance, patch status); and penetration testing (annual external and internal pen tests with remediation tracking). This is the domain where all other policies come together -- the SSP references every other policy, and assessments verify they're working.

Purpose

This policy ensures security controls are periodically assessed for effectiveness, system security plans (SSPs) are maintained for all CUI systems, continuous monitoring provides ongoing security assurance, and penetration testing identifies exploitable vulnerabilities before attackers do.

Scope

Applies to all information systems processing, storing, or transmitting CUI. Covers security assessments, SSP maintenance, continuous monitoring programs, and penetration testing activities.

🎯 Why It Matters

This domain is the foundation of CMMC assessment itself. The SSP is the first document a C3PAO assessor reviews -- it tells them what you have, how it's protected, and where the gaps are (POA&M). Without a current SSP, you cannot pass a CMMC assessment. Penetration testing proves your controls work in practice, not just on paper. Continuous monitoring ensures you maintain compliance between assessments rather than just preparing for audits.

🔐 Key Requirements

1. Periodic Security Assessments

Regular assessments to verify security controls are implemented and effective.

  • Vulnerability assessments: automated scanning (see RA Policy)
  • Security control assessments: verify SSP controls are implemented and effective
  • Compliance assessments: quarterly self-assessment, C3PAO every 3 years
  • Internal: IT Security team (quarterly), External: independent 3rd party (annual)
  • Assessment report: scope, findings, recommendations, POA&M for gaps

2. System Security Plans (SSPs)

Maintain comprehensive SSPs for each CUI system boundary.

  • SSP per NIST SP 800-171 requirement 3.12.4 (NIST publishes a CUI SSP template alongside 800-171; NIST SP 800-171A supplies the assessment objectives each control is verified against): system description, boundaries, categorization, security controls mapped to NIST 800-171, responsible personnel, interconnections, applicable regulations
  • Plan of Action & Milestones (POA&M) for incomplete controls
  • Review annually or after significant changes
  • Version-controlled with change tracking
  • CISO + System Owner signature required
  • Treat SSP as CUI (contains security details), store encrypted

3. Continuous Monitoring

Ongoing monitoring activities that maintain security posture between assessments.

  • Security event monitoring: SIEM alerts, 24/7 SOC
  • Vulnerability scanning: weekly
  • Configuration compliance monitoring: Azure Policy, AWS Config
  • Patch status monitoring: % systems up-to-date
  • Access reviews: quarterly
  • Insider threat monitoring: UEBA
  • Reporting: weekly to IT Security, monthly to CISO, quarterly to executives

4. Penetration Testing

Annual simulated attacks to identify exploitable vulnerabilities.

  • Annual or after significant system changes
  • Scope: external pen test (internet-facing), internal pen test (assume-breach), web application testing (OWASP Top 10)
  • Conducted by a qualified independent 3rd party (e.g. a CREST-accredited firm, with testers holding OSCP or an equivalent hands-on certification)
  • Rules of engagement: pre-approved scope, authorized times, emergency contact
  • Deliverables: executive summary, technical report with proof-of-concept, prioritized remediation
  • Remediation SLAs: Critical 7 days, High 30 days, Medium 90 days, retest after fixes

👥 Roles & Responsibilities

CISO

  • Own the SSP and ensure it stays current
  • Approve assessment scope and findings
  • Present compliance status to executive leadership
  • Manage POA&M and remediation tracking

IT Security

  • Conduct internal security assessments
  • Maintain continuous monitoring tools
  • Coordinate with 3rd party assessors and pen testers
  • Track remediation of assessment findings

System Owners

  • Provide system information for SSP
  • Remediate findings for their systems
  • Participate in assessments for their systems

Executive Leadership

  • Approve POA&M and risk acceptance
  • Allocate budget for remediation
  • Support C3PAO assessment process

🛠️ Implementation Roadmap (8 Weeks)

Step 1: SSP Development (Weeks 1-2)
  • Build the SSP from the NIST SP 800-171 CUI SSP template; use the NIST SP 800-171A assessment objectives as the checklist for each requirement
  • Document system boundaries, data flows, and security controls
  • Identify gaps and create initial POA&M

Step 2: Continuous Monitoring (Weeks 3-4)
  • Establish SIEM-based monitoring dashboard
  • Configure vulnerability management integration
  • Create automated compliance reporting

Step 3: Internal Assessment (Weeks 5-6)
  • Conduct control verification against SSP
  • Document assessment findings
  • Update POA&M with new findings and remediation timelines

Step 4: Penetration Testing (Weeks 7-8)
  • Procure qualified pen testing firm
  • Define scope and rules of engagement
  • Conduct pen test and receive report
  • Begin remediation of critical/high findings

Recommended Tools

  • NIST SP 800-171 CUI SSP and POA&M templates (NIST SP 800-171A for the assessment procedures)
  • Splunk / Microsoft Sentinel (formerly Azure Sentinel) (continuous monitoring)
  • Nessus / Qualys (vulnerability management)
  • 3rd party pen testing firm (CREST-accredited, OSCP-certified testers)
  • POA&M tracker (Excel or GRC tool)

📊 CMMC Practice Mapping

Practice ID     Requirement                                        Policy Section
CA.L2-3.12.1    Periodically assess security controls              1, 4
CA.L2-3.12.2    Develop/implement plans to correct deficiencies    1, 2 (POA&M)
CA.L2-3.12.3    Monitor security controls on ongoing basis         3
CA.L2-3.12.4    Develop/implement system security plans            2

📋 Evidence Requirements

These are the artifacts a C3PAO assessor will ask for. Start collecting early.

System Security Plans (SSPs)

Format: PDF (signed)
Frequency: Annual review or after changes
Contents: Current SSP for each CUI system boundary with every NIST SP 800-171 requirement addressed (implemented, partially implemented with a POA&M entry, or not applicable with justification)
Tip: The SSP is THE document for CMMC assessment. Keep it current. Version-control it. Have it signed by CISO and System Owner.

Security Assessment Report

Format: PDF
Frequency: Annual
Contents: Annual 3rd party assessment with scope, methodology, findings, and recommendations
Tip: Show that findings from previous assessments have been remediated. Include evidence of remediation.

Plan of Action & Milestones (POA&M)

Format: Excel
Frequency: Updated monthly
Contents: All identified gaps with: description, severity, responsible party, milestone dates, status
Tip: POA&M must show progress. Assessors look for stale items. Every gap needs a realistic remediation date and assigned owner.

Penetration Test Report

Format: PDF
Frequency: Annual
Contents: Executive summary, technical findings with severity, proof-of-concept, remediation evidence
Tip: Include remediation evidence for critical/high findings. Show the retest results confirming fixes worked.

Continuous Monitoring Dashboard

Format: PNG/PDF
Frequency: Monthly
Contents: Screenshots showing current compliance metrics, vulnerability trends, patch status
Tip: Show trending data -- compliance should improve over time.

⚠️ Common Gaps (What Assessors Flag)

1. No SSP exists

Why this happens: Organization knows their security controls but never documented them in a formal SSP.
How to close the gap: Download the CUI SSP template NIST publishes alongside SP 800-171 (and the companion POA&M template). Work through it requirement by requirement, using the NIST SP 800-171A assessment objectives to decide whether each one is actually met. Start with system boundaries and data flows. This is your #1 priority for CMMC.

2. POA&M is empty or stale

Why this happens: POA&M was created but never updated. Gaps sit with no remediation progress.
How to close the gap: Review and update monthly. Assign owners to every item. Set realistic dates. Track completion rate as a KPI.
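The checks above (every item has an owner and a realistic date, nothing sits past its SLA, closed pen-test findings carry retest evidence, completion rate tracked as a KPI) are mechanical enough to automate over a POA&M export. The following is an added example, not part of the NetStable policy or template: a small Python checker that applies the section 4 remediation SLAs (Critical 7 / High 30 / Medium 90 days) to each row, flags the stale conditions an assessor looks for, and computes the completion KPI. The POA&M rows, the 180-day SLA for "Low", and the status vocabulary are assumptions constructed for the example; map them to your tracker's columns.

```python
"""POA&M staleness checker: flags rows an assessor would question and computes the completion KPI."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Remediation SLAs from the policy (section 4), in days from discovery.
# "Low" is an assumed value; the policy defines no SLA for it.
SLA_DAYS: Dict[str, int] = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}

OPEN_STATUSES = {"Open", "In Progress"}


@dataclass
class Item:
    """One POA&M row: the fields the policy says every gap needs (assumed column names)."""
    item_id: str
    description: str
    severity: str
    discovered: date
    owner: Optional[str]
    milestone: Optional[date]   # planned remediation date
    status: str                 # Open | In Progress | Closed
    retested: bool = False      # pen-test findings only count as Closed after a retest


def sla_due(item: Item) -> date:
    """Latest acceptable remediation date under the policy SLA for this severity."""
    return item.discovered + timedelta(days=SLA_DAYS[item.severity])


def check_item(item: Item, today: date) -> List[str]:
    """Return the problems an assessor would flag on this row (empty list if clean)."""
    problems: List[str] = []
    due = sla_due(item)
    if item.status in OPEN_STATUSES:
        if not item.owner:
            problems.append("no assigned owner")
        if item.milestone is None:
            problems.append("no milestone date")
        elif item.milestone > due:
            problems.append(f"milestone {item.milestone} is after SLA due date {due}")
        if today > due:
            problems.append(f"overdue by {(today - due).days} days")
    elif item.status == "Closed" and not item.retested:
        problems.append("closed without retest evidence")
    return problems


def review(items: List[Item], today: date) -> Dict[str, List[str]]:
    """Map item_id -> problems, for every row that has at least one problem."""
    report: Dict[str, List[str]] = {}
    for item in items:
        problems = check_item(item, today)
        if problems:
            report[item.item_id] = problems
    return report


def completion_rate(items: List[Item]) -> float:
    """KPI: share of items Closed with retest evidence, rounded to 3 places."""
    if not items:
        return 0.0
    done = sum(1 for i in items if i.status == "Closed" and i.retested)
    return round(done / len(items), 3)


# Constructed sample POA&M rows (not real findings), reviewed as of a fixed date.
TODAY = date(2024, 6, 1)
SAMPLE: List[Item] = [
    Item("POAM-001", "Internet-facing RDP exposed", "Critical", date(2024, 5, 20),
         "J. Smith", date(2024, 5, 25), "Closed", retested=True),
    Item("POAM-002", "MFA not enforced on VPN", "High", date(2024, 4, 1),
         None, date(2024, 7, 1), "Open"),
    Item("POAM-003", "Outdated TLS ciphers on web portal", "Medium", date(2024, 5, 15),
         "A. Lee", None, "In Progress"),
    Item("POAM-004", "SQL injection in report export", "Critical", date(2024, 5, 10),
         "A. Lee", date(2024, 5, 15), "Closed", retested=False),
]

if __name__ == "__main__":
    for item_id, problems in review(SAMPLE, TODAY).items():
        print(item_id, "->", "; ".join(problems))
    print(f"completion rate: {completion_rate(SAMPLE):.0%}")
```

Run it monthly against the exported tracker and hand the output to the item owners; a row with no owner, no date, or a milestone beyond its SLA is exactly what an assessor reads as a stale POA&M.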

3. No penetration testing performed

Why this happens: Budget constraints or didn't realize it was required.
How to close the gap: NIST SP 800-171 Rev 2 does not name penetration testing explicitly, but 3.12.1 requires periodic assessment of control effectiveness, and a pen test is the evidence assessors expect that controls hold against an attacker (NIST SP 800-172, used for CMMC Level 3, requires it outright in 3.12.1e). Budget $10-30K annually. Start with an external-only test if budget is tight. Use the results to justify additional security investment.

4. Continuous monitoring is just SIEM alerts

Why this happens: Monitoring program covers security events but misses configuration compliance, patch status, and access reviews.
How to close the gap: Expand monitoring to include: automated config compliance checks (Azure Policy/AWS Config), patch status reports, quarterly access reviews. Create a dashboard combining all metrics.

📝 Template Customization Guide

When filling in the downloadable template for this policy, replace these placeholders with your organization's specifics:

[COMPANY NAME]

Your organization's legal name

Example: Acme Defense Systems, LLC

[CISO Name]

Name of your CISO

Example: Jane Smith

Customization Tips

  • 💡 The SSP is a separate, detailed document -- this policy governs its creation and maintenance
  • 💡 If you use a GRC tool (Archer, Drata, Vanta), it may generate your SSP and POA&M automatically
  • 💡 Document your specific pen testing firm and their qualifications (CREST accreditation for the firm, OSCP or equivalent for the individual testers)
  • 💡 Include your CMMC assessment timeline and C3PAO selection criteria

📚 Related Policies