NIST 800-171 • LEVEL 2 • SECURITY ASSESSMENT AND MONITORING
3.12.1 — Security Assessment
By assessing the security requirements, organizations determine whether the necessary safeguards and countermeasures are implemented correctly, operating as intended, and producing the desired outcome. Security assessments identify weaknesses in the system and provide the essential information needed to make risk-based decisions. Security assessment reports document assessment results in sufficient detail as deemed necessary by the organization to determine the accuracy and completeness of the reports. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted.
CMMC Practice Mapping
Assessment Objectives
- the security requirements for the system and its environment of operation are assessed [A.03.12.01.ODP.01: organization-defined frequency] to determine if the requirements have been satisfied.
Practitioner Notes
A security assessment is a formal check to see if your security controls are actually working the way they are supposed to. Think of it as a health checkup for your cybersecurity program -- you are testing whether the protections you put in place are doing their job.
Example 1: Hire a C3PAO or an independent assessor to run a NIST 800-171 assessment against your environment. They will interview staff, review documentation, and test controls -- for instance, verifying that your password GPO (minimum 14 characters, complexity enabled) is actually in effect on workstations by sampling machines, running gpresult /r on each to confirm the GPO was applied, and reading the effective setting (for example with net accounts, which reports the minimum password length) rather than trusting the GPO's existence alone.
Example 2: Use Microsoft Secure Score in the M365 admin center as a self-assessment tool. It evaluates your tenant configuration against security best practices and gives you a numerical score with specific recommendations -- like enabling Safe Attachments in Exchange Online or blocking legacy authentication protocols.
The assessment should result in a written report documenting what was tested, what passed, and what needs attention.
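The sample-based control test in Example 1 can be scripted so that the results feed straight into the written report. The following is an added example, not code from the page or from any assessor; it assumes WinRM is enabled on the sampled workstations, that the account running it is a local administrator there, and that the hostnames and expected values are placeholders to replace with your own. It exports the effective security policy on each host with secedit, parses the password settings, records which GPOs actually applied, and marks each host PASS, FAIL, or NOT TESTED.

```powershell
# Added example (not from the page): sample-based check that the password GPO
# is in effect on workstations, producing evidence for the assessment report.
# Assumptions (hypothetical): WinRM enabled, admin rights on the sampled hosts,
# hostnames and expected values below are placeholders.

$Expected = @{ MinimumPasswordLength = 14; PasswordComplexity = 1 }
$Sample   = @('WS-001', 'WS-017', 'WS-042')   # hypothetical sample of workstations

# Runs on each sampled host: export the effective security policy, parse the
# numeric settings in [System Access], and capture the list of applied GPOs.
$Collect = {
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $inf /quiet | Out-Null
    $settings = @{}
    $inSystemAccess = $false
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]$') {
            $inSystemAccess = ($Matches[1] -eq 'System Access')
            continue
        }
        # only numeric values are kept; string settings (e.g. account names) are skipped
        if ($inSystemAccess -and $line -match '^\s*(\w+)\s*=\s*(\d+)\s*$') {
            $settings[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    # gpresult shows which GPOs reached this computer; kept as corroborating evidence
    $gpos = (gpresult /r /scope computer) -join "`n"
    [pscustomobject]@{
        Host                  = $env:COMPUTERNAME
        MinimumPasswordLength = $settings['MinimumPasswordLength']
        PasswordComplexity    = $settings['PasswordComplexity']
        AppliedGpos           = $gpos
    }
}

$Results = Invoke-Command -ComputerName $Sample -ScriptBlock $Collect `
    -ErrorAction SilentlyContinue -ErrorVariable Unreachable

# Compare each host's effective settings against the expected values.
$Findings = @(
    foreach ($r in $Results) {
        $gaps = foreach ($k in $Expected.Keys) {
            if ($r.$k -ne $Expected[$k]) { "$k is $($r.$k), expected $($Expected[$k])" }
        }
        [pscustomobject]@{
            Host   = $r.Host
            Status = if ($gaps) { 'FAIL' } else { 'PASS' }
            Detail = ($gaps -join '; ')
        }
    }
    # hosts that could not be reached are reported, not silently dropped
    foreach ($e in $Unreachable) {
        [pscustomobject]@{
            Host   = "$($e.TargetObject)"
            Status = 'NOT TESTED'
            Detail = $e.Exception.Message
        }
    }
)

$Findings | Format-Table -AutoSize
# raw per-host output (including applied GPOs) retained as evidence for the report
$Results | Export-Clixml -Path '.\3.12.1-password-policy-evidence.xml'
```

Unreachable hosts are listed as NOT TESTED rather than omitted, because a sample that quietly shrinks overstates coverage; the raw secedit and gpresult output is kept alongside the pass/fail table so the report can show what was tested, not just the verdict.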