CA — Security Assessment

Stokes Frederick Co

SPRS Score: -131

Objective Progress 14 / 14 (100.0%)
CMMC Practices MET 4 / 4
Domain Score Impact 0

Domain score impact changes only when every assessment objective for a practice is MET; objective progress updates as each individual objective is assessed.

CA.L2-3.12.1 DoD Weight: 5 Earned: 5 Basic
MET
Requirement: Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.

Assessment Objectives (2)

  • 3.12.1[a]
    Determine if: the frequency of security control assessments is defined.
    MET
  • 3.12.1[b]
    Determine if: security controls are assessed with the defined frequency to determine if the controls are effective in their application.
    MET
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Security assessment and authorization policy; procedures addressing security assessment planning; procedures addressing security assessments; security assessment plan; security plan; other relevant documents or records].
Interview: [SELECT FROM: Personnel with security assessment responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Mechanisms supporting security assessment, security assessment plan development, and security assessment reporting].
CA.L2-3.12.2 DoD Weight: 3 Earned: 3 Basic
MET
Requirement: Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.

Assessment Objectives (3)

  • 3.12.2[a]
    Determine if: deficiencies and vulnerabilities to be addressed by the plan of action are identified.
    MET
  • 3.12.2[b]
    Determine if: a plan of action is developed to correct identified deficiencies and reduce or eliminate identified vulnerabilities.
    MET
  • 3.12.2[c]
    Determine if: the plan of action is implemented to correct identified deficiencies and reduce or eliminate identified vulnerabilities.
    MET
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Security assessment and authorization policy; procedures addressing plan of action; security plan; security assessment plan; security assessment report; security assessment evidence; plan of action; other relevant documents or records].
Interview: [SELECT FROM: Personnel with plan of action development and implementation responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Mechanisms for developing, implementing, and maintaining plan of action].
CA.L2-3.12.3 DoD Weight: 5 Earned: 5 Basic
MET
Requirement: Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

Assessment Objectives (1)

  • 3.12.3
    Determine if: security controls are monitored on an ongoing basis to ensure the continued effectiveness of those controls.
    MET
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Security assessment and authorization policy; procedures addressing continuous monitoring of system security controls; procedures addressing configuration management; security plan; security assessment report; plan of action; system monitoring records; configuration management records; security impact analyses; status reports; other relevant documents or records].
Interview: [SELECT FROM: Personnel with continuous monitoring responsibilities; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Mechanisms implementing continuous monitoring].
CA.L2-3.12.4 DoD Weight: 0 Earned: 0 Basic
MET
Requirement: Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

Assessment Objectives (8)

  • 3.12.4[a]
    Determine if: a system security plan is developed.
    MET
  • 3.12.4[b]
    Determine if: the system boundary is described and documented in the system security plan.
    MET
  • 3.12.4[c]
    Determine if: the system environment of operation is described and documented in the system security plan.
    MET
  • 3.12.4[d]
    Determine if: the security requirements identified and approved by the designated authority as non-applicable are identified.
    MET
  • 3.12.4[e]
    Determine if: the method of security requirement implementation is described and documented in the system security plan.
    MET
  • 3.12.4[f]
    Determine if: the relationship with or connection to other systems is described and documented in the system security plan.
    MET
  • 3.12.4[g]
    Determine if: the frequency to update the system security plan is defined.
    MET
  • 3.12.4[h]
    Determine if: the system security plan is updated with the defined frequency.
    MET
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Security planning policy; procedures addressing security plan development and implementation; procedures addressing security plan reviews and updates; enterprise architecture documentation; security plan; records of security plan reviews and updates; other relevant documents or records].
Interview: [SELECT FROM: Personnel with security planning and plan implementation responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for security plan development, review, update, and approval; mechanisms supporting the security plan].