CA.L2-3.12.1: Security Control Assessment

Periodically assess security controls for effectiveness.

A control that you never test is a control you do not know is working. CA.L2-3.12.1 requires that you periodically evaluate your security controls to confirm they are effective. This is not a one-time event. You must demonstrate a regular cadence of assessment. Assessment findings feed CA.L2-3.12.2 (remediation plans) and link to CA.L2-3.12.3 (continuous monitoring).

Family: Security Assessment
Practice: CA.L2-3.12.1
Difficulty: Medium
Key evidence: Assessment schedule, test results, findings, remediation

What the assessor is actually evaluating

The assessor will look for:

  1. A documented assessment program: You should have a policy or plan that describes what controls you test, how often, and who is responsible. This does not need to be elaborate. A simple statement like “We conduct annual penetration testing and quarterly access control reviews” is sufficient, as long as the dates on your reports actually match the cadence the policy states.

  2. Evidence of periodic testing: The assessor will ask when the last assessment was performed and request to see the results. They will want at least 2-3 years of assessment history to confirm the process is repeating.

  3. Response to findings: If your assessments discover problems, you must have documented steps to correct them. The assessor will compare assessment findings against remediation records to confirm gaps were closed.

What a realistic SSP definition looks like

Policy: “The organization conducts annual security assessments of critical systems and controls. Assessments include review of access controls, password policies, encryption configurations, logging mechanisms, and incident response procedures. Results are documented and any deficiencies are remediated within 30 days.”

Write the remediation deadline you actually meet. The assessor will compare discovery and closure dates in your tracker against this number, so a 30-day commitment you routinely miss is worse than a longer, severity-tiered one you can evidence.

Supporting details:

  • Assessment scope: 12 in-scope systems covering servers, network devices, workstations, and cloud infrastructure.
  • Assessment methods: Automated compliance scanning, manual policy review, access control testing, and configuration audits.
  • Schedule: Conducted in Q4 each year, or within 60 days of significant system changes.
  • Assessment team: Internal IT manager and security staff, with external auditor contracted annually.
  • Reporting: Assessment reports are provided to leadership and findings are tracked in Jira until resolved.

How to present your evidence

  • Assessment policy document: Defines scope, frequency, methods, and responsible parties. Should be approved and dated.
  • Assessment schedule: Shows planned assessments for the current and next calendar year.
  • Assessment reports: Provide 2-3 recent assessment reports (e.g., annual reports from the past 2-3 years). Each report should include scope, methodology, findings, and severity ratings.
  • Findings tracking: A spreadsheet or ticketing system showing each finding with discovery date, remediation plan, and closure date.
  • Remediation evidence: For a sample of findings, show what was done to close each one. This might be a patched server, an updated policy, or a configuration change, plus the rescan or retest that confirmed the fix.
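The findings tracker is the evidence item assessors probe hardest, because it ties discovery dates to closure dates and closure to proof. The following is an added example, not code from the original page or from any CMMC publication: it reads a small findings register in the shape described above and reports which findings were closed inside the policy deadline, which were closed late, which are still open past the deadline, and which were marked closed with no evidence reference. The column names, the 30-day deadline (taken from the sample SSP policy), and the sample rows are all assumptions constructed for this example.

```python
"""Findings-register SLA check (added example; not the page's own tooling).

Assumes a CSV register with the columns id, severity, discovered, closed,
evidence (ISO dates, closed blank while open) and a 30-day remediation
deadline taken from the sample SSP policy. Adjust both to match your SSP.
"""
import csv
import io
from datetime import date

SLA_DAYS = 30  # assumed remediation deadline from the sample policy text

# Constructed sample register; these rows are illustrative, not real findings.
FINDINGS_CSV = """\
id,severity,discovered,closed,evidence
F-001,critical,2025-11-03,2025-11-10,TICKET-101
F-002,critical,2025-11-03,2025-11-20,TICKET-102
F-003,high,2025-11-03,2025-12-01,TICKET-103
F-004,high,2025-11-03,,TICKET-104
F-005,medium,2025-11-03,2026-01-15,TICKET-105
F-006,medium,2025-11-03,2025-11-25,
"""


def parse_findings(text):
    """Parse the register into dicts with real date objects (closed=None while open)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "id": row["id"],
            "severity": row["severity"].strip().lower(),
            "discovered": date.fromisoformat(row["discovered"]),
            "closed": date.fromisoformat(row["closed"]) if row["closed"] else None,
            "evidence": row["evidence"].strip(),
        })
    return rows


def days_open(finding, as_of):
    """Days from discovery to closure, or to `as_of` if the finding is still open."""
    end = finding["closed"] or as_of
    return (end - finding["discovered"]).days


def sla_report(findings, as_of, sla_days=SLA_DAYS):
    """Bucket every finding by SLA status as of `as_of`.

    A closed finding with an empty evidence field is additionally listed under
    closed_without_evidence, since an assessor will not accept a closure the
    tracker cannot point to a fix for.
    """
    report = {
        "on_time": [],
        "closed_late": [],
        "open_within_sla": [],
        "open_overdue": [],
        "closed_without_evidence": [],
    }
    for f in findings:
        age = days_open(f, as_of)
        if f["closed"] is None:
            bucket = "open_overdue" if age > sla_days else "open_within_sla"
        else:
            bucket = "closed_late" if age > sla_days else "on_time"
            if not f["evidence"]:
                report["closed_without_evidence"].append(f["id"])
        report[bucket].append(f["id"])
    return report


def severity_counts(findings):
    """Counts by severity, the summary you state in the assessment room."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    rows = parse_findings(FINDINGS_CSV)
    as_of = date(2026, 1, 20)
    print("Severity counts:", severity_counts(rows))
    for bucket, ids in sla_report(rows, as_of).items():
        print(f"{bucket:24s} {ids}")
```

Run it against your real export before the assessment: anything in `open_overdue` or `closed_without_evidence` is exactly what the assessor will find when they sample the tracker, so fix those rows (or document the exception) first.
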

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Assessor: “Tell me about your security control assessments. How often do you test your controls?”

You: “We conduct annual assessments of all critical systems. The last one was in November, and we also do quarterly access control reviews.” [Pull up assessment policy and last annual report]

Assessor: “What did the annual assessment find?”

You: “Seven findings: two critical, three high, two medium. All seven have been remediated. Here is the spreadsheet tracking each one from finding date through closure.” [Pull up findings spreadsheet with remediation dates]

Assessor: “Show me one of the critical findings and the remediation evidence.”

You: “This was an unencrypted connection in the backup system. We enabled TLS encryption, updated the configuration, and verified in the next monthly scan.” [Pull up ticket and verification scan]

Common failures

No documented assessment process: You perform assessments informally, but there is no policy defining scope, frequency, or methods. Assessors need a formal program.

Assessment reports exist but are not recent: Your most recent report is two years old. Assessors want to see current evidence that controls are being tested regularly.

Findings are not tracked or remediated: The assessment report identifies problems, but there is no follow-up. Findings sit open for months with no action. This suggests assessments are not taken seriously.

What strong evidence looks like

Documented recurring assessments: Assessment reports from multiple years showing a consistent pattern of testing. This demonstrates maturity and discipline.

Rapid response to findings: Assessments find issues, and remediation begins within days. Findings are marked closed with evidence of the fix.

If you use an MSP/MSSP

If an external auditor or MSP conducts your assessments, ensure the scope and frequency align with your CMMC requirements. Request assessment reports annually and confirm they cover all in-scope systems; an MSP's own certification or attestation report is not evidence that your in-scope controls were assessed. You must retain copies of all assessment reports and remediation records, because the responsibility for the practice stays with you. The assessor will ask to see these reports directly.


This guide is for reference only and does not replace official CMMC documentation or professional compliance advice.

New practice breakdowns and assessment tips every week. Follow on Substack to stay current as the November 2026 deadline gets closer.