CA.L2-3.12.3

CA.L2-3.12.3: Security Control Monitoring

Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

Annual testing is not enough. Controls can fail between assessments: a firewall rule gets widened, an account survives a termination, a configuration drifts. CA.L2-3.12.3 requires you to monitor your security controls on an ongoing basis. This does not mean constant hands-on testing, but it does mean you have a mechanism that detects control failures and a record of what you did about them. Continuous monitoring complements CA.L2-3.12.1 (periodic assessments) and feeds findings into CA.L2-3.12.2 (remediation plans).

Family: Security Assessment
Practice: CA.L2-3.12.3
Difficulty: Medium
Key evidence: Monitoring tools, logs, alerts, documented responses

What the assessor is actually evaluating

The assessor will check for:

  1. Active monitoring mechanisms: You should have tools or processes that check control status regularly. Examples include automated compliance scanning, firewall rule audits, access control audits, or log file reviews.

  2. Monitoring frequency and evidence: The assessor will ask “How often do you monitor?” and “Show me the monitoring results from the past 30 days.” They want to see that monitoring is active and generating results.

  3. Response to monitoring findings: If monitoring detects a control failure (e.g., a firewall rule changed, an access control violation, or a configuration drift), there should be a documented response. The assessor will ask how you handle alerts and whether you have records of actions taken.

What a realistic SSP definition looks like

Policy: “The organization monitors security controls on an ongoing basis through automated tools and periodic manual reviews. Critical controls are monitored continuously. Monitoring results are reviewed daily by IT staff and monthly by leadership. Any detected failures or deviations are documented and remediated within 24 hours.” Whatever timeframe you write here is the one the assessor will check your ticket timestamps against, so state a target you actually meet.

Supporting details:

  • Automated monitoring: SIEM ingests firewall configuration-change logs, access control logs, and authentication events in near real time and raises alerts on defined conditions. Dashboards are reviewed daily.
  • Periodic reviews: IT manager performs monthly manual reviews of password policies, encryption configurations, and system logs. Results are documented in a checklist.
  • Alerting: Critical control failures trigger automated alerts to IT staff. Non-critical findings are batched into monthly reports.
  • Response: Any detected failure is logged in a ticket system with immediate investigation and remediation.
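As an added illustration (not code from the guide or from any particular SIEM or scanner), the following Python script shows what one automated check behind the supporting details above can look like: it compares the live firewall rule set against the change-controlled baseline and checks a directory export for accounts that should have been disabled after termination, emitting one JSON finding per deviation for the SIEM or ticket system to pick up. The rule sets, termination feed, and directory export are constructed sample data; the control labels, severities, and comparison logic are assumptions, not anything CMMC prescribes.

```python
"""Added example: two ongoing control checks that emit findings for a SIEM or
ticket queue.  Constructed sample data throughout; the control labels and the
comparison logic are illustrative assumptions, not anything CMMC prescribes."""

from dataclasses import dataclass, field, asdict
from datetime import date, datetime, timezone
import json

# Constructed sample: firewall rules approved through change control.
APPROVED_FW_RULES = [
    {"id": 10, "action": "allow", "src": "10.0.0.0/24", "dst": "10.0.1.5", "port": "443"},
    {"id": 20, "action": "allow", "src": "10.0.0.0/24", "dst": "10.0.1.6", "port": "22"},
    {"id": 30, "action": "deny",  "src": "0.0.0.0/0",   "dst": "10.0.1.0/24", "port": "any"},
]

# Constructed sample: rules pulled from the device today.  Rule 20 has been
# widened to any source and rule 40 was added without a change ticket.
CURRENT_FW_RULES = [
    {"id": 10, "action": "allow", "src": "10.0.0.0/24", "dst": "10.0.1.5", "port": "443"},
    {"id": 20, "action": "allow", "src": "0.0.0.0/0",   "dst": "10.0.1.6", "port": "22"},
    {"id": 40, "action": "allow", "src": "0.0.0.0/0",   "dst": "10.0.1.7", "port": "3389"},
    {"id": 30, "action": "deny",  "src": "0.0.0.0/0",   "dst": "10.0.1.0/24", "port": "any"},
]

# Constructed sample: HR termination feed and a directory export.
TERMINATIONS = {"jdoe": date(2024, 5, 1), "asmith": date(2024, 5, 10)}
DIRECTORY_ACCOUNTS = [
    {"user": "jdoe", "enabled": True},     # should have been disabled
    {"user": "asmith", "enabled": False},  # correctly disabled
    {"user": "bwong", "enabled": True},    # active employee
]

SEMANTIC_FIELDS = ("action", "src", "dst", "port")


@dataclass
class Finding:
    control: str
    severity: str
    subject: str
    detail: str
    detected_at: str = field(
        default_factory=lambda: datetime.now(timezone.utc).isoformat())


def _semantics(rule):
    """The fields that define what a rule permits; id and ordering are ignored
    so a renumbered-but-identical rule is not reported as drift."""
    return tuple(rule[k] for k in SEMANTIC_FIELDS)


def check_firewall_drift(approved, current):
    """Compare the live rule set with the approved baseline.
    Reports unapproved additions, modified rules and missing approved rules."""
    approved_by_id = {r["id"]: r for r in approved}
    current_by_id = {r["id"]: r for r in current}
    findings = []
    for rid, rule in current_by_id.items():
        base = approved_by_id.get(rid)
        if base is None:
            findings.append(Finding("firewall-baseline", "high", f"rule {rid}",
                                    "rule present on device but not in approved baseline"))
        elif _semantics(base) != _semantics(rule):
            findings.append(Finding("firewall-baseline", "high", f"rule {rid}",
                                    f"rule modified: approved {_semantics(base)}, found {_semantics(rule)}"))
    for rid in sorted(approved_by_id.keys() - current_by_id.keys()):
        findings.append(Finding("firewall-baseline", "medium", f"rule {rid}",
                                "approved rule missing from device"))
    return findings


def check_terminated_accounts(terminations, accounts, today):
    """Flag accounts still enabled on or after the user's termination date."""
    findings = []
    for acct in accounts:
        term = terminations.get(acct["user"])
        if term is not None and term <= today and acct["enabled"]:
            overdue = (today - term).days
            findings.append(Finding("account-disable-on-termination", "high", acct["user"],
                                    f"account still enabled {overdue} day(s) after termination"))
    return findings


def run_checks(today_iso=None):
    """Run every check and return the findings; today_iso is an ISO date string
    so a run can be replayed for a fixed day."""
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    findings = check_firewall_drift(APPROVED_FW_RULES, CURRENT_FW_RULES)
    findings += check_terminated_accounts(TERMINATIONS, DIRECTORY_ACCOUNTS, today)
    return findings


if __name__ == "__main__":
    # One JSON object per line: easy for a SIEM to ingest or a ticket job to consume.
    for finding in run_checks("2024-05-15"):
        print(json.dumps(asdict(finding)))
```

Scheduled daily from cron or a SIEM job, the JSON lines are exactly the "monitoring results from the past 30 days" an assessor asks for, and each finding maps one-to-one to a ticket. Note that the drift check compares against an approved baseline rather than yesterday's configuration: a check that diffs only against the previous run would silently bless an unapproved change after a single day, so the baseline itself must live under change control.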

How to present your evidence

  • Monitoring policy document: Describes which controls are monitored, the frequency, tools used, and roles responsible for monitoring.
  • Monitoring tools and configurations: Show the SIEM, compliance scanner, or other tools used for monitoring. Provide screenshots of dashboards or monitoring interfaces.
  • Monitoring logs and results: Pull monitoring data from the past 30-90 days showing active checks. Include automated scan reports, SIEM logs, or manual review checklists.
  • Alert records: If monitoring detected any control failures or deviations, show the alerts and related findings.
  • Response documentation: For any findings from monitoring, show the ticket or log entry documenting the response and how the issue was remediated.

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Assessor: “How do you monitor your security controls between formal assessments?”

You: “We use our SIEM tool to monitor firewall rules, access logs, and authentication events daily. Every month, our IT manager performs a manual review of password policies and encryption settings.” [Pull up SIEM dashboard and monthly checklist template]

Assessor: “Show me monitoring results from the past 30 days.”

You: [Pull up SIEM dashboard showing recent activity, compliance scan results, and the most recent monthly review checklist]

Assessor: “Did the monitoring detect any issues?”

You: “Two findings: one user account that was not disabled after termination, and one firewall rule that was modified without approval. Both were fixed within hours.” [Pull up tickets showing the alerts, investigation notes, and remediation details]


Common failures

No documented monitoring process: Controls exist, but you have no process for checking them. Assessors will ask “How do you know your controls are working?” and you cannot provide an answer.

Monitoring tools exist but are not actively used: You have a SIEM or scanner, but you do not review the data regularly. Logs are not being analyzed.

Monitoring is infrequent or inconsistent: Checks happen sporadically. Weeks pass with no monitoring activity, then a single check is run and the gap repeats. An assessor looking at 30 days of results will see the gaps.

Monitoring alerts are ignored: The SIEM detects a control failure, but the alert goes unread. There is no documented response or remediation.

What good looks like

Continuous or near-continuous monitoring: Dashboards are reviewed daily. Alerts are acted on within hours, and the tickets show it. This demonstrates proactive control management.

Balanced automated and manual monitoring: Some controls are checked automatically. Others are audited manually on a schedule. Both types of evidence are documented.

If you use an MSP/MSSP

If your MSP monitors controls on your behalf, request real-time access to monitoring dashboards or weekly summary reports. Ensure the monitoring scope covers all your critical controls, and document in your SSP which controls the MSP monitors and which remain yours. Ask how often alerts are reviewed, what the response time is, and how you are notified of findings, because you will need to show the assessor the same alert and ticket records whether or not you generated them. You are responsible for ensuring adequate monitoring is in place, even if an MSP performs the work.


This guide is for reference only and does not replace official CMMC documentation or professional compliance advice.
