CA — Security Assessment

new org

SPRS Score: -1203

Objective Progress 0 / 14 (0.0%)
CMMC Practices MET 0 / 4
Domain Score Impact -1013

CMMC scoring changes when all assessment objectives for a practice are MET; objective progress updates as each objective is assessed.

CA.L2-3.12.1 DoD Weight: 5 Deduction: -5 Basic
Not Yet Assessed
Requirement: Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.12.1[a] = Not Yet Assessed; 3.12.1[b] = Not Yet Assessed

Assessment Objectives (2)

  • 3.12.1[a]
    Determine if: the frequency of security control assessments is defined.
    Not Yet Assessed
  • 3.12.1[b]
    Determine if: security controls are assessed with the defined frequency to determine if the controls are effective in their application.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Security assessment and authorization policy; procedures addressing security assessment planning; procedures addressing security assessments; security assessment plan; security plan; other relevant documents or records].
Interview: [SELECT FROM: Personnel with security assessment responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Mechanisms supporting security assessment, security assessment plan development, and security assessment reporting].

CA.L2-3.12.2 DoD Weight: 3 Deduction: -3 Basic
Not Yet Assessed
Requirement: Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.12.2[a] = Not Yet Assessed; 3.12.2[b] = Not Yet Assessed; 3.12.2[c] = Not Yet Assessed

Assessment Objectives (3)

  • 3.12.2[a]
    Determine if: deficiencies and vulnerabilities to be addressed by the plan of action are identified.
    Not Yet Assessed
  • 3.12.2[b]
    Determine if: a plan of action is developed to correct identified deficiencies and reduce or eliminate identified vulnerabilities.
    Not Yet Assessed
  • 3.12.2[c]
    Determine if: the plan of action is implemented to correct identified deficiencies and reduce or eliminate identified vulnerabilities.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Security assessment and authorization policy; procedures addressing plan of action; security plan; security assessment plan; security assessment report; security assessment evidence; plan of action; other relevant documents or records].
Interview: [SELECT FROM: Personnel with plan of action development and implementation responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Mechanisms for developing, implementing, and maintaining plan of action].

CA.L2-3.12.3 DoD Weight: 5 Deduction: -5 Basic
Not Yet Assessed
Requirement: Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.12.3 = Not Yet Assessed

Assessment Objectives (1)

  • 3.12.3
    Determine if: security controls are monitored on an ongoing basis to ensure the continued effectiveness of those controls.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Security planning policy; organizational procedures addressing security plan development and implementation; procedures addressing security plan reviews and updates; enterprise architecture documentation; security plan; records of security plan reviews and updates; other relevant documents or records].
Interview: [SELECT FROM: Personnel with security planning and plan implementation responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for security plan development, review, update, and approval; mechanisms supporting the security plan].

CA.L2-3.12.4 DoD Weight: 0 Deduction: -0 Basic
Not Yet Assessed
Requirement: Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.12.4[a] = Not Yet Assessed; 3.12.4[b] = Not Yet Assessed; 3.12.4[c] = Not Yet Assessed; 3.12.4[d] = Not Yet Assessed; 3.12.4[e] = Not Yet Assessed; 3.12.4[f] = Not Yet Assessed; and 2 more

Assessment Objectives (8)

  • 3.12.4[a]
    Determine if: a system security plan is developed.
    Not Yet Assessed
  • 3.12.4[b]
    Determine if: the system boundary is described and documented in the system security plan.
    Not Yet Assessed
  • 3.12.4[c]
    Determine if: the system environment of operation is described and documented in the system security plan.
    Not Yet Assessed
  • 3.12.4[d]
    Determine if: the security requirements identified and approved by the designated authority as non-applicable are identified.
    Not Yet Assessed
  • 3.12.4[e]
    Determine if: the method of security requirement implementation is described and documented in the system security plan.
    Not Yet Assessed
  • 3.12.4[f]
    Determine if: the relationship with or connection to other systems is described and documented in the system security plan.
    Not Yet Assessed
  • 3.12.4[g]
    Determine if: the frequency to update the system security plan is defined.
    Not Yet Assessed
  • 3.12.4[h]
    Determine if: the system security plan is updated with the defined frequency.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Security planning policy; procedures addressing security plan development and implementation; procedures addressing security plan reviews and updates; enterprise architecture documentation; security plan; records of security plan reviews and updates; other relevant documents or records].
Interview: [SELECT FROM: Personnel with security planning and plan implementation responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for security plan development, review, update, and approval; mechanisms supporting the security plan].