Security Assessment

Security Assessment is the self-governance family. Don’t wait for the assessor to find problems — test your own controls, track your gaps, monitor continuously, and keep the SSP current.

The Big Picture

The SSP (3.12.4) is the single most important document for your CMMC assessment. Without a current, accurate SSP, the assessment cannot proceed. The POA&M (3.12.2) shows you’re honest about gaps and working to close them. An empty POA&M is as suspicious as a missing one.

The Cycle

Test (3.12.1) — Periodically assess whether your controls work in practice. Annual self-assessment at minimum, with quarterly spot-checks.

Track (3.12.2) — Every gap goes in the POA&M with an owner, target date, and remediation plan. Living document reviewed monthly.

Monitor (3.12.3) — Continuous monitoring between assessments. Compliance dashboards, alerts for control degradation, regular posture reviews.

Document (3.12.4) — The SSP: your complete, current description of the CUI boundary, environment, control implementations, and connections. Updated within 30 days of any change.

---

All 4 Requirements

Ref	Short Name	What It Covers
3.12.1	Test Your Controls	Periodic self-assessment of control effectiveness
3.12.2	Track Every Gap	POA&M with owners, milestones, and target dates
3.12.3	Monitor Continuously	Ongoing monitoring between periodic assessments
3.12.4	Maintain the SSP	System Security Plan — complete, current, specific