Finding a problem is step one. Fixing it requires a plan. CA.L2-3.12.2 requires you to document remediation plans for every security deficiency and then follow through on them. The assessor will verify both the plans and their execution. Remediation plans stem from CA.L2-3.12.1 (assessments) and complement CA.L2-3.12.3 (continuous monitoring).
What the assessor is actually evaluating
The assessor will examine:
Deficiency identification: Findings can come from vulnerability scans, security assessments, audit reports, or incident investigations. The assessor will ask where your deficiencies come from and how they are documented.
Documented remediation plans: For each deficiency, there must be a written plan that describes the corrective action, responsible party, and target completion date. The plan does not need to be lengthy, but it must exist.
Plan execution and closure: The assessor will verify that plans are actually executed. This means checking that the remediation was completed by the target date (or with documented justification for delays) and that the deficiency was verified as closed.
What a realistic SSP definition looks like
Policy: “When security assessments, audits, or incidents identify deficiencies, the IT manager documents the finding and creates a remediation plan. The plan specifies the corrective action, target completion date, and responsible party. Plans are tracked in a central system until closure. High-severity deficiencies are remediated within 30 days. Medium-severity within 90 days. Low-severity within 180 days.”
Supporting details:
- Tracking system: Jira project called “Security Deficiencies” with fields for finding source, severity, remediation plan, due date, and closure evidence.
- Plan approval: The IT manager and Chief Information Security Officer review and approve plans for high-severity findings.
- Escalation: If a plan cannot be completed by the due date, the issue is escalated to leadership with justification.
- Verification: Once remediation is complete, a team member other than the remediator verifies closure.
How to present your evidence
- Deficiency policy document: Describes how findings are identified, who creates remediation plans, and approval requirements.
- Sample deficiencies with plans: Pull 5-10 recent deficiencies from your tracking system. Each should include the original finding, documented remediation plan, target completion date, and closure date.
- Remediation plan details: For at least 3 deficiencies, show the specific corrective actions that were taken. This might be a ticket description, a change log, or a configuration screenshot.
- Verification evidence: Show that remediation was verified. This might be a re-scan, a test result, or a sign-off from a team member.
- Timeline compliance: Demonstrate that plans were executed on or before the target completion date. If delays occurred, show they were documented and justified.
Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.
Assessor: “When you find a security deficiency, what is your process for fixing it?”
You: “We document the finding, create a remediation plan with a target date based on severity, and track progress in Jira. High-severity items are fixed within 30 days.” [Pull up remediation policy and a sample Jira project]
Assessor: “Show me three deficiencies from the past six months with their remediation plans.”
You: [Pull up three Jira tickets. Each shows the finding date, plan description, assigned owner, due date, and closed date with verification]
Assessor: “This one was due on January 15th but closed on January 18th. What caused the delay?”
You: “The patch required a server restart, which was scheduled for after hours on the 17th. Verification was completed the next morning.” [Pull up the plan notes or change log showing the delay was documented]
Common failures
Verbal remediation plans: Deficiencies are discussed in meetings, but no written plan is created. When the assessor asks to see the plan, you cannot produce one.
Plans with no accountability: A plan says “fix the vulnerability” but does not assign a specific person, department, or due date. Without clear ownership and timelines, nothing gets done.
Execution without verification: Remediation was supposedly completed, but there is no evidence it actually worked. A re-scan, test result, or sign-off is needed to close the loop.
Overdue remediation plans: Plans are documented, but many are overdue. A high-severity finding from 90 days ago should have been fixed 60 days ago.
Clear remediation tracking: A spreadsheet or system showing every deficiency found in the past year, with plans, due dates, and closure evidence. All items are on-time or have justified delays.
Assigned remediation ownership: Each plan has a named owner, clear actions, and a specific due date. This creates accountability.
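The four failures above and the two good-practice points are all mechanical checks against the fields a tracker like the one described earlier holds (finding date, severity, plan, owner, due date, remediator, verifier, closure evidence, delay justification). The script below is an added example, not the author's process or any Jira configuration: it assumes a simplified flat record per deficiency (exported from whatever tracker you use), applies the 30/90/180-day severity windows from the sample policy, and reports each ticket that an assessor would flag. The sample tickets are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Severity-based remediation windows from the sample policy (days after the finding date).
SLA_DAYS = {"High": 30, "Medium": 90, "Low": 180}


@dataclass
class Deficiency:
    """One row of a remediation tracker export (assumed schema, not a real Jira field list)."""
    ticket: str
    severity: str
    found: date
    source: str                      # scan, assessment, audit, incident
    plan: str = ""                   # written corrective action
    owner: Optional[str] = None      # named responsible party
    due: Optional[date] = None       # target completion date
    remediator: Optional[str] = None
    closed: Optional[date] = None
    verifier: Optional[str] = None   # should differ from the remediator
    closure_evidence: str = ""       # re-scan, test result, sign-off
    delay_justification: str = ""    # required when closed after the due date


def sla_deadline(d: Deficiency) -> date:
    """Latest acceptable completion date under the severity policy."""
    return d.found + timedelta(days=SLA_DAYS[d.severity])


def check_deficiency(d: Deficiency, today: date) -> list:
    """Return the list of assessor-visible problems with one tracker record."""
    issues = []
    if not d.plan.strip():
        issues.append("no written remediation plan")
    if not d.owner or d.due is None:
        issues.append("no named owner or due date")
    elif d.due > sla_deadline(d):
        issues.append(f"due date exceeds {d.severity} SLA of {SLA_DAYS[d.severity]} days")
    # If no due date was ever set, hold the item to the policy window instead.
    deadline = d.due if d.due is not None else sla_deadline(d)
    if d.closed is None:
        if today > deadline:
            issues.append(f"open and overdue by {(today - deadline).days} days")
    else:
        if not d.closure_evidence.strip():
            issues.append("closed without verification evidence")
        if d.verifier is None or d.verifier == d.remediator:
            issues.append("closure not verified by someone other than the remediator")
        if d.closed > deadline and not d.delay_justification.strip():
            issues.append("closed late with no documented justification")
    return issues


def audit(deficiencies, today: date) -> dict:
    """Map ticket id -> issues, including only tickets that have at least one issue."""
    report = {}
    for d in deficiencies:
        issues = check_deficiency(d, today)
        if issues:
            report[d.ticket] = issues
    return report


# Constructed sample export; the dates and names are illustrative only.
TODAY = date(2025, 3, 1)
SAMPLE = [
    # Clean record: late by three days, but the delay is documented and closure is independently verified.
    Deficiency("SEC-101", "High", date(2025, 1, 2), "scan", "Apply vendor patch KB-EXAMPLE", "alice",
               date(2025, 1, 15), remediator="alice", closed=date(2025, 1, 18), verifier="bob",
               closure_evidence="re-scan clean", delay_justification="reboot scheduled after hours on the 17th"),
    # Discussed in a meeting only: no plan, no owner, no due date, and now past the 90-day window.
    Deficiency("SEC-102", "Medium", date(2024, 11, 1), "audit"),
    # Closed by the same person who fixed it, with nothing attached to prove it worked.
    Deficiency("SEC-103", "High", date(2024, 11, 15), "assessment", "Disable legacy TLS", "carol",
               date(2024, 12, 10), remediator="carol", closed=date(2024, 12, 9), verifier="carol"),
    # Due date set beyond the 180-day Low window.
    Deficiency("SEC-104", "Low", date(2024, 12, 1), "incident", "Rotate shared credential", "dave",
               date(2025, 7, 1)),
    # Closed after the due date with no recorded reason.
    Deficiency("SEC-105", "High", date(2025, 1, 10), "scan", "Remove unused admin account", "erin",
               date(2025, 2, 5), remediator="erin", closed=date(2025, 2, 10), verifier="frank",
               closure_evidence="account absent in directory export"),
]

if __name__ == "__main__":
    for ticket, issues in audit(SAMPLE, TODAY).items():
        print(ticket)
        for issue in issues:
            print("  -", issue)
```

Run it over a real export once a month and before the assessment; an empty report means every open item is inside its window and every closed item has an owner, a plan, independent verification and, where late, a written reason.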
If you use an MSP/MSSP
If your MSP remediates deficiencies on your behalf, request weekly or monthly status reports on all open remediation plans. Ensure the service agreement includes timelines that align with your severity levels. You are accountable to assessors for plan execution, even if the work is outsourced. Maintain copies of all plans and closure evidence in your own systems.
This guide is for reference only and does not replace official CMMC documentation or professional compliance advice.