NetStable
Level 2 CA.L2-3.12.1

Periodically assess the security controls to determine if the controls are effective

📖 What This Means

This practice requires organizations to regularly check if their security measures are working as intended. Think of it like a car inspection—you don’t wait for something to break; you proactively test systems to catch issues early. For example, a defense contractor might test whether their firewall is actually blocking unauthorized access or if employee training has reduced phishing click rates. The goal is to verify that security controls aren’t just 'in place' but are actively protecting sensitive defense information (CUI).

🎯 Why It Matters

Without regular assessment, controls drift: a firewall rule loosened during troubleshooting never gets tightened again, a patch pipeline stalls, an account outlives its owner, and nobody notices because the control is still marked 'implemented' in the SSP. Consider a contractor that never tests its access controls: an admin account that should have been disabled when its owner left stays valid, and the first party to find it is an attacker rather than the contractor. The requirement exists because CUI protection depends on continuous validation, not a 'set it and forget it' approach: the assessor checks both that you defined an assessment frequency and that assessments actually happen at that frequency.

How to Implement

  1. Define the assessment frequency in your Security Assessment Policy and put it on a calendar. NIST SP 800-171 leaves the frequency organization-defined; quarterly is a common choice, and the assessor checks you against whatever you wrote down.
  2. Configure automated compliance checks for critical controls (e.g., encryption, IAM policies) with cloud-native tooling such as AWS Security Hub or Microsoft Defender for Cloud (formerly Azure Security Center), and supplement them with manual tests for controls a scanner cannot see (policy reviews, training records, physical access).
  3. Export findings to a centralized dashboard or SIEM (e.g., Splunk, Datadog) for tracking, and keep the raw export as evidence.
  4. Test incident response playbooks against simulated events (e.g., GuardDuty sample findings generated with `aws guardduty create-sample-findings`) and record whether alerting, triage and escalation worked as written.
  5. Document results in a standardized report template (control ID, test method, pass/fail status, finding, remediation owner and due date) and open a POA&M entry for every failure.
⏱️ Estimated Effort

2-3 days per assessment (mid-level IT skills required). Automation cuts the collection work substantially, but reviewing results and running the manual tests still take analyst time.
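The steps above end with a findings export, a pass/fail result per control and a remediation tracker; the Evidence Examples that follow ask for the same three artifacts. The script below is an added example, not code from the original page or from AWS: it consumes the JSON that `aws securityhub get-findings` writes (AWS Security Finding Format, ASFF) and derives both artifacts. The Security Hub control IDs are real, but the mapping from those controls to NIST SP 800-171 requirements, the SLA days per severity, and the sample findings are constructed for illustration.

```python
"""Score control effectiveness from an AWS Security Hub findings export.

Added example, not code from the original page. Control mapping, SLA days and
the sample findings are constructed for illustration, not AWS or NIST data.
"""
from datetime import date, datetime, timedelta

# Hypothetical mapping: Security Hub control ID -> NIST SP 800-171 requirement
# it is taken as evidence for. Your SSP control matrix is the real source.
CONTROL_MAP = {
    "S3.1": "SC.L2-3.13.16",        # CUI at rest
    "IAM.4": "AC.L2-3.1.5",         # least privilege (root access keys)
    "CloudTrail.1": "AU.L2-3.3.1",  # audit logging
    "EC2.19": "SC.L2-3.13.1",       # boundary protection
}
# Hypothetical remediation SLA in days per ASFF severity label.
SLA_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90, "LOW": 180, "INFORMATIONAL": 365}
OPEN_WORKFLOW = {"NEW", "NOTIFIED"}  # ASFF Workflow.Status values meaning "still open"


def _finding(fid, control, compliance, severity, workflow, first_seen, resource):
    """Build a constructed finding carrying only the ASFF fields this script reads."""
    return {"Id": fid, "Compliance": {"Status": compliance, "SecurityControlId": control},
            "Severity": {"Label": severity}, "Workflow": {"Status": workflow},
            "FirstObservedAt": first_seen, "UpdatedAt": "2024-03-14T08:00:00Z",
            "Resources": [{"Id": resource}]}


ACCOUNT = "AWS::::Account:123456789012"
# Constructed sample export; a real run would json.load() the CLI output instead.
SAMPLE_EXPORT = {"Findings": [
    _finding("f-0001", "S3.1", "PASSED", "MEDIUM", "RESOLVED", "2024-01-05T08:00:00Z",
             "arn:aws:s3:::example-cui-bucket"),
    _finding("f-0002", "IAM.4", "FAILED", "CRITICAL", "NEW", "2024-02-15T08:00:00Z", ACCOUNT),
    _finding("f-0003", "CloudTrail.1", "FAILED", "HIGH", "SUPPRESSED", "2024-01-20T08:00:00Z", ACCOUNT),
    _finding("f-0004", "GuardDuty.1", "FAILED", "MEDIUM", "NEW", "2024-03-10T08:00:00Z", ACCOUNT),
]}


def _first_observed(finding):
    """The SLA clock starts when the issue was first seen, not when it was last updated."""
    stamp = finding.get("FirstObservedAt") or finding["UpdatedAt"]
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").date()


def assess_controls(export):
    """Return (results, unmapped_hub_controls).

    Per requirement: FAIL if any open FAILED finding; RISK ACCEPTED if the only
    failures are SUPPRESSED (that needs a documented justification or POA&M
    entry, not a quiet pass); PASS if PASSED findings exist and nothing failed;
    NOT ASSESSED if there are no findings at all, because silence is not evidence.
    """
    by_req = {req: [] for req in CONTROL_MAP.values()}
    unmapped = set()
    for f in export["Findings"]:
        control = f["Compliance"]["SecurityControlId"]
        if control in CONTROL_MAP:
            by_req[CONTROL_MAP[control]].append(f)
        else:
            unmapped.add(control)
    results = {}
    for req, findings in by_req.items():
        failed = [f for f in findings if f["Compliance"]["Status"] == "FAILED"]
        open_fail = [f for f in failed if f["Workflow"]["Status"] in OPEN_WORKFLOW]
        suppressed = [f for f in failed if f["Workflow"]["Status"] == "SUPPRESSED"]
        passed = any(f["Compliance"]["Status"] == "PASSED" for f in findings)
        status = ("FAIL" if open_fail else "RISK ACCEPTED" if suppressed
                  else "PASS" if passed else "NOT ASSESSED")
        results[req] = {
            "status": status,
            "failed_resources": sorted(r["Id"] for f in open_fail for r in f["Resources"]),
            "suppressed": len(suppressed),
        }
    return results, sorted(unmapped)


def remediation_tracker(export, as_of):
    """One row per open FAILED finding; due date = first observed + severity SLA.
    as_of is the report date as an ISO string; rows come back sorted by due date."""
    today = date.fromisoformat(as_of)
    rows = []
    for f in export["Findings"]:
        if f["Compliance"]["Status"] != "FAILED" or f["Workflow"]["Status"] not in OPEN_WORKFLOW:
            continue
        sev = f["Severity"]["Label"]
        due = _first_observed(f) + timedelta(days=SLA_DAYS[sev])
        rows.append({"finding_id": f["Id"], "severity": sev,
                     "requirement": CONTROL_MAP.get(f["Compliance"]["SecurityControlId"], "UNMAPPED"),
                     "resource": f["Resources"][0]["Id"], "due_date": due.isoformat(),
                     "overdue": due < today, "owner": ""})  # owner is assigned when the row enters the POA&M
    return sorted(rows, key=lambda r: r["due_date"])


if __name__ == "__main__":
    results, unmapped = assess_controls(SAMPLE_EXPORT)
    for req, r in results.items():
        print(f"{req:<15} {r['status']:<13} open={len(r['failed_resources'])} suppressed={r['suppressed']}")
    print("Security Hub controls with no NIST mapping:", unmapped)
    for row in remediation_tracker(SAMPLE_EXPORT, "2024-03-15"):
        print(row["due_date"], "OVERDUE" if row["overdue"] else "open", row["requirement"], row["finding_id"])
```

Two design choices matter for an assessor. A requirement whose mapped checks produced no findings is reported as NOT ASSESSED rather than passed, so a disabled standard or an unenrolled account shows up as a gap instead of a clean sheet. A suppressed failure is reported as RISK ACCEPTED and kept visible, because the auditor will ask for the justification behind every suppression; findings for Security Hub controls you have not mapped to a requirement are listed separately so the mapping itself gets reviewed.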

📋 Evidence Examples

Security Assessment Report

Format: PDF/DOCX
Frequency: Quarterly
Contents: Control names, test methods, results, and action items
Collection: Export from assessment tools or manual template

Vulnerability Scan Results

Format: CSV/PDF
Frequency: At least semiannually; monthly or continuous scanning is common, and RA.L2-3.11.2 also requires scans when new vulnerabilities affecting the system are identified
Contents: List of vulnerabilities with CVSS scores
Collection: Export from Nessus/OpenVAS

Remediation Tracking

Format: Excel/SharePoint
Frequency: Ongoing
Contents: Vulnerability IDs, fix owners, due dates
Collection: Manual update after assessments

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For CA.L2-3.12.1 ("Periodically assess the security controls to determine if the controls are effective"), your SSP narrative should describe: (1) the tools and methods used to assess controls (scanners, cloud compliance checks, manual test procedures, interviews), (2) the scope, frequency and methodology of the assessment program and how results feed the POA&M, (3) who performs and who owns the assessments (internal team, external firm), and (4) what evidence shows assessments happen as scheduled. Name your actual products, settings and responsible personnel rather than generic placeholders. The related practices CA.L2-3.12.2 (plans of action), CA.L2-3.12.3 (continuous monitoring) and CA.L2-3.12.4 (the SSP itself) get their own narratives, so keep this one focused on the assessment program.

Example SSP Narratives

Cloud (Azure/AWS)

"CA.L2-3.12.1 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature, e.g., AWS Security Hub / Microsoft Defender for Cloud] to periodically assess the security controls to determine if the controls are effective, on the [frequency] schedule defined in [Security Assessment Policy]. The compliance checks are managed through [Azure Policy/AWS Config/Terraform] and findings are monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'dated Security Hub findings export, AWS Config conformance pack report, assessment report with pass/fail per control']."

On-Premise

"CA.L2-3.12.1 is implemented through on-premises assessment procedures. [Organization] uses [vulnerability scanner / configuration-compliance tool / manual test checklist] to periodically assess the security controls to determine if the controls are effective, including a review of [Active Directory/Group Policy] settings against the documented baseline. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'dated scan report, Group Policy export compared with the baseline, Windows Event log sample showing the control operating']."

Hybrid

"CA.L2-3.12.1 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to keep identities and policy consistent across both, and assesses cloud resources via [cloud tool] and on-premise systems via [on-prem tool] on the same [frequency] schedule. Both environments report findings to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [dated assessment artifacts from both environments]."

System Boundary Considerations

  • Define the assessment boundary (which systems are in scope)
  • Document assessment methodology and tools
  • Identify assessors (internal team, external firm)
  • Confirm the assessment scope includes every system inside your defined CUI boundary; a control assessed on only part of the boundary leaves the rest unverified
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Security Assessment Policy
  • 📄 System Security Plan (SSP)
  • 📄 Plan of Action & Milestones (POA&M)
  • 📄 Assessment reports
  • 📄 Evidence artifacts specific to CA.L2-3.12.1
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will review your SSP for completeness, verify POA&M items are being tracked and remediated, and check that assessments are conducted at the frequency your own policy defines. NIST SP 800-171A states this as two objectives: 3.12.1[a], the frequency of security control assessments is defined, and 3.12.1[b], security controls are assessed with the defined frequency to determine if they are effective. Expect to be asked for dated reports covering more than one cycle, not just the most recent one.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do you have a documented schedule for security control assessments?

✅ YES → Proceed to Q2
❌ NO → GAP: Create an assessment calendar with at least quarterly tests. Use this template: [LINK]
Remediation:
30 days

Question 2: Are assessment reports and supporting artifacts retained for at least 6 years?

✅ YES → Proceed to Q3
❌ NO → GAP: Store reports in a secure archive with versioning and a retention lock (e.g., SharePoint retention labels, S3 Object Lock) so they cannot be silently deleted or altered. The CMMC Program rule (32 CFR part 170) requires artifacts used as assessment evidence to be retained for six years from the assessment date.
Remediation:
14 days

Question 3: Do assessments cover all controls protecting CUI?

✅ YES → Compliant
❌ NO → GAP: Map every in-scope system and CUI data flow from your SSP boundary diagram to the controls that protect it, then add any control that is not yet tested to the assessment schedule.
Remediation:
60 days

⚠️ Common Mistakes (What Auditors Flag)

1. Only testing technical controls (ignoring policies/training)

Why this happens: Focusing solely on 'scannable' items like firewalls
How to avoid: Include policy reviews (e.g., verify training attendance logs)

2. Using generic reports without CUI-specific context

Why this happens: Copy-pasting cloud provider compliance reports
How to avoid: Customize reports to highlight controls for DFARS 252.204-7012

3. No remediation tracking

Why this happens: Treating assessments as checkbox exercises
How to avoid: Require POA&Ms for all findings with deadlines

📚 Parent Policy

This practice is governed by the Assessment, Authorization, and Monitoring Policy


📚 Related Controls