CA.L2-3.12.3: Security Control Monitoring

Monitor security controls on an ongoing basis.

Annual testing is not enough. Controls can fail between assessments. CA.L2-3.12.3 requires you to monitor your security controls on an ongoing basis. This does not mean constant hands-on testing, but it does mean you have a mechanism to detect control failures. Continuous monitoring complements CA.L2-3.12.1 (periodic assessments) and feeds findings into CA.L2-3.12.2 (remediation plans).

Family: Security Assessment
Practice: CA.L2-3.12.3
Difficulty: Medium
Key evidence: Monitoring tools, logs, alerts, documented responses

What the assessor is actually evaluating

The assessor will check for:

  1. Active monitoring mechanisms: You should have tools or processes that check control status regularly. Examples include automated compliance scanning, firewall rule audits, access control audits, or log file reviews.

  2. Monitoring frequency and evidence: The assessor will ask “How often do you monitor?” and “Show me the monitoring results from the past 30 days.” They want to see that monitoring is active and generating results.

  3. Response to monitoring findings: If monitoring detects a control failure (e.g., a firewall rule changed, an access control violation, or a configuration drift), there should be a documented response. The assessor will ask how you handle alerts and whether you have records of actions taken.

What a realistic SSP definition looks like

Example SSP Language: CA.L2-3.12.3

The organization monitors security controls on an ongoing basis through automated tools and periodic manual reviews. Critical controls are monitored continuously. Monitoring results are reviewed daily by IT staff and monthly by leadership. Any detected failures or deviations are documented and remediated within 24 hours.

Automated monitoring: SIEM tool monitors firewall rules, access control logs, and authentication events in real time. Dashboards are reviewed daily.

Periodic reviews: IT manager performs monthly manual reviews of password policies, encryption configurations, and system logs. Results are documented in a checklist.

Alerting: Critical control failures trigger automated alerts to IT staff. Non-critical findings are batched into monthly reports.

Response: Any detected failure is logged in a ticket system with immediate investigation and remediation.
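To make the monitoring mechanism concrete, here is an added example (not from the guide or any real SIEM product) of one automated monitoring pass: it compares live firewall rules against a change-approved baseline, checks that terminated users' accounts are disabled, and turns each control failure into a timestamped alert record of the kind a ticket system would hold. All rule sets, usernames and dates are constructed sample data.

```python
from datetime import datetime, timezone

# Constructed sample data (not from any real environment).
APPROVED_FIREWALL_RULES = {  # change-approved baseline, keyed by rule id
    "fw-001": ("allow", "tcp", "443", "any->dmz-web"),
    "fw-002": ("allow", "tcp", "22", "mgmt->servers"),
    "fw-003": ("deny", "any", "any", "any->internal"),
}
CURRENT_FIREWALL_RULES = {  # what the firewall reports right now
    "fw-001": ("allow", "tcp", "443", "any->dmz-web"),
    "fw-002": ("allow", "tcp", "22", "any->servers"),    # modified without approval
    "fw-003": ("deny", "any", "any", "any->internal"),
    "fw-004": ("allow", "tcp", "3389", "any->servers"),  # added without approval
}
TERMINATED_USERS = {"jdoe": "2025-01-10"}  # HR feed: username -> termination date
DIRECTORY_ACCOUNTS = {"jdoe": True, "asmith": True, "svc-backup": True}  # username -> enabled?


def firewall_drift(approved, current):
    """Compare live firewall rules against the approved baseline; each mismatch is a finding."""
    findings = []
    for rule_id, rule in current.items():
        if rule_id not in approved:
            findings.append(("firewall", rule_id, "rule added without approval"))
        elif approved[rule_id] != rule:
            findings.append(("firewall", rule_id, "rule modified without approval"))
    for rule_id in approved.keys() - current.keys():
        findings.append(("firewall", rule_id, "approved rule missing"))
    return findings


def stale_accounts(terminated, accounts):
    """Accounts of terminated users that are still enabled are access-control failures."""
    return [("access-control", user, f"enabled after termination on {date}")
            for user, date in terminated.items() if accounts.get(user, False)]


def run_monitoring_cycle(now=None):
    """One monitoring pass: collect findings and emit an alert record per failure.

    Every record starts 'open'; closing it with investigation notes is the
    documented response the assessor asks for."""
    now = now or datetime.now(timezone.utc)
    findings = firewall_drift(APPROVED_FIREWALL_RULES, CURRENT_FIREWALL_RULES)
    findings += stale_accounts(TERMINATED_USERS, DIRECTORY_ACCOUNTS)
    return [{"detected_at": now.isoformat(), "control": control, "object": obj,
             "finding": text, "severity": "critical", "status": "open"}
            for control, obj, text in findings]


if __name__ == "__main__":
    for alert in run_monitoring_cycle():
        print(alert)
```

Scheduling this pass daily and keeping its alert records is the kind of 30-day monitoring evidence the assessor asks to see.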

How to present your evidence

Evidence checklist
  • Monitoring policy document (which controls, frequency, tools, responsible roles)
  • Monitoring tools and configurations (SIEM dashboards, compliance scanner screenshots)
  • Monitoring logs and results from the past 30-90 days
  • Alert records for any detected control failures or deviations
  • Response documentation (tickets or log entries showing investigation and remediation)

Common failures

What gets flagged

No documented monitoring process. Controls exist, but you have no process for checking them. Assessors will ask "How do you know your controls are working?" and you cannot provide an answer.

Monitoring tools exist but are not actively used. You have a SIEM or scanner, but you do not review the data regularly. Logs are not being analyzed.

Monitoring is infrequent or inconsistent. Checks happen sporadically. A month passes with no monitoring activity, then a single check is run, and nothing happens again for another month.

Monitoring alerts are ignored. The SIEM detects a control failure, but the alert goes unread. There is no documented response or remediation.

What makes assessors move on satisfied

Continuous or near-continuous monitoring: dashboards reviewed daily, alerts acted on within hours. A balanced mix of automated and manual monitoring, both documented with evidence.

If you use an MSP/MSSP

MSP monitoring oversight

If your MSP monitors controls on your behalf, request real-time access to monitoring dashboards or weekly summary reports. Ensure the monitoring scope covers all your critical controls. Ask how often alerts are reviewed and what the response time is. You are responsible for ensuring adequate monitoring is in place, even if an MSP performs the work.


Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Q&A: What the assessor asks

Assessor: "How do you monitor your security controls between formal assessments?"
"We use our SIEM to monitor firewall rules, access logs, and authentication events daily. Every month, our IT manager performs a manual review of password policies and encryption settings. [Pull up SIEM dashboard and monthly checklist template]"
Assessor: "Show me monitoring results from the past 30 days."
"Here's the SIEM dashboard with recent activity, compliance scan results, and the most recent monthly review checklist. [Pull up SIEM dashboard and monthly checklist]"
Assessor: "Did the monitoring detect any issues?"
"Two findings: one user account that was not disabled after termination, and one firewall rule modified without approval. Both were fixed within hours. [Pull up tickets showing the alerts, investigation notes, and remediation details]"

This guide is for reference only and does not replace official CMMC documentation or professional compliance advice.
