Security assessment.
The document the rest of the program hangs on.
Security Assessment is one of the smaller Level 2 families — just 4 requirements — and the one most likely to already be underway informally, because it’s where the System Security Plan lives. CA.L2-3.12.4 requires the SSP itself; the other three requirements are about periodically checking that the practices described in it are actually working. This page is not the assessment event that CMMC calls an assessment (see The Levels and The Assessment) — it’s the family of ongoing internal practices that produce the document an assessor reads first.
This page explains the family. It does not replace the requirement text or assessment objectives.
01What this family protects
CA protects the organization’s own ability to know whether its security controls are actually working — and to write that knowledge down where an assessor, a new IT hire, or the organization itself a year from now can find it. Without a current SSP, every other family’s implementation lives only in the memory of whoever set it up. CA is what turns that memory into a document.
02The rule says
All 4 requirements, condensed to their operative sentence. NIST SP 800-171 Rev. 2 §3.12 has the full text and discussion for each.
| § | Requirement |
|---|---|
| 3.12.1 | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. |
| 3.12.2 | Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. |
| 3.12.3 | Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. |
| 3.12.4 | Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. |
At Level 2, six requirements are categorically excluded from a POA&M regardless of score or point value — and CA.L2-3.12.4 is one of them. The SSP requirement itself has to be MET; it cannot be an open item with a completion date. 32 CFR 170.21(a)(2). See The Levels for the rest of the POA&M mechanics.
03In practice
The SSP (3.12.4) is the anchor document: it describes the system boundary, the environment the system operates in, how each Level 2 requirement is implemented (or planned, where a POA&M item is open), and how the system connects to anything else — an ESP’s tooling, a prime’s portal, a cloud service. NIST does not prescribe a specific format or template; what matters is that the information required is actually there and kept current as things change.
Periodic assessment (3.12.1) means checking, on some defined cadence, that the controls described in the SSP are actually operating as described — not assuming they still are because they did once. Ongoing monitoring (3.12.3) is the lighter-weight, more continuous cousin of the same idea: dashboards, periodic log review, or vulnerability-scan cadence that catches drift between formal assessments.
Plans of action (3.12.2) is where gaps found during assessment or monitoring get tracked to closure — the practice that produces a POA&M when Level 2 scoring allows one. A plan of action can live inside the SSP or as a separate document; either is fine, as long as it’s traceable.
04Where it fails
The usual gap is an SSP that describes an environment from a year or two ago: a server that’s been decommissioned, an MSP relationship that’s since changed, a CAD/CAM system that moved to a new vendor. None of that is a crisis on its own, but an assessor comparing the document to the live environment will notice, and every mismatch becomes a question about what else in the SSP is stale.
A second gap is treating 3.12.1’s periodic assessment as something that only happens once, right before a certification assessment, rather than as a standing internal practice. The rule says “periodically,” not “once, under deadline pressure.”
05What evidence may look like
The SSP itself, with a visible revision history; a record of internal assessment activity (a checklist, a completed worksheet, meeting notes from a review session); a plan-of-action document or tracker showing open items and target dates; and evidence that monitoring is actually happening — a dashboard export, a log-review cadence, or a vulnerability-scan report with a date on it.
06At the shop
Blanchard Tool & Machining is the desk’s fictional composite (any resemblance to an actual company is coincidental). Blanchard built its SSP with help from its regional MSP, who already had most of the network diagram and asset list from onboarding work. The engineering lead added the CAD/CAM and drawing-flow detail, since that’s the part the MSP couldn’t describe from the outside. Blanchard reviews the SSP every quarter alongside a short internal checklist — not a full re-assessment, just a check that nothing material has changed since the last update — and updates the document the same week if something has.
07Commonly confused with
The Assessment. CA is the family of ongoing internal practices — assessing, monitoring, planning corrective action, maintaining the SSP. “The assessment” is the specific certification or self-assessment event where a C3PAO, DIBCAC, or the organization itself scores those practices against the 110 requirements. CA feeds the assessment; it isn’t the same thing as it.
A POA&M. The SSP (3.12.4) describes the system as it is, or is planned to be. A POA&M tracks specifically what is not yet MET and the plan to close it. The SSP references the POA&M where relevant; it is not the same document, and 3.12.4 itself can never be the thing a POA&M is tracking.
08Cross-desk links
None load-bearing for this family. The SSP and its assessment practices are specific to the CMMC program’s own machinery, covered in full on this desk’s System and Levels pages.
09Sources
| Document | What it’s for |
|---|---|
| NIST SP 800-171 Rev. 2, §3.12 | Full requirement text and discussion for all 4 CA requirements, including the SSP requirement. |
| NIST CUI SSP template | A non-mandatory starting template for the 3.12.4 System Security Plan. |
| 32 CFR 170.21(a)(2) | The Level 2 POA&M rule, including the six categorical exclusions that make CA.L2-3.12.4 non-POA&M-able. |
| 32 CFR 170.4 | Defines “CMMC Level 2 security requirement” and ties the 800-171 R2 families to the CMMC Program. |