CMMC 2.0 • LEVEL 2 • SECURITY ASSESSMENT

CA.L2-3.12.1 Security Assessment

By assessing the security requirements, organizations determine whether the necessary safeguards and countermeasures are implemented correctly, operating as intended, and producing the desired outcome. Security assessments identify weaknesses in the system and provide the essential information needed to make risk-based decisions. Security assessment reports document assessment results in sufficient detail as deemed necessary by the organization to determine the accuracy and completeness of the reports. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted.

NIST 800-171 Mapping

NIST 800-53 Controls

Assessment Objectives

  • the security requirements for the system and its environment of operation are assessed annually for internal assessments and every 3 years for formal C3PAO assessment (the CMMC Level 2 certification cycle) [CMMC/STIG] to determine if the requirements have been satisfied.

Practitioner Notes

Practitioner commentary coming soon.