3.12.1 — Test Your Controls

The One-Liner

A policy on paper that isn’t enforced in practice will fail. Test before the assessor does.

What It Says

Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.

What It Actually Means

Don’t wait for the assessor to test your controls — test them yourself. At a defined frequency (annually at minimum), verify that each security control is implemented and working as intended. This means: run compliance scans, test access controls, verify logging is working, confirm patching is current, check physical security, review policies against practice. Document findings and remediate gaps.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Is the assessment frequency defined?	Policy specifies at least annual self-assessment
2	Are controls assessed at the defined frequency?	Dated assessment records showing what was tested, findings, and remediation actions

---

What to Have Ready on Assessment Day

Documents they’ll review: Security assessment policy; self-assessment procedures and schedule; assessment results and findings; remediation records; compliance scan results; system security plan

People they’ll talk to: Personnel with security assessment responsibilities; information security personnel; management with oversight

Live demos they’ll ask for: “Show me the results from your last self-assessment.” “What did you find? What did you fix?” “How often do you assess — show me the schedule.”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “How often do you assess your own security controls?”
• “Show me the results from your last self-assessment.”
• “What did you find? What did you fix?”
• “Is the assessment documented?”

Real-World Example

A defense contractor conducts an annual self-assessment in Q1, walking through all 110 NIST 800-171 controls. For each control, they verify: Is the policy documented? Is the technical control implemented? Does it work as intended? Compliance scans (Defender, Intune) supplement manual checks. Findings are documented in a report and fed into the POA&M. A quarterly spot-check covers a subset of high-priority controls between annual assessments. The assessor reviews the self-assessment report from the most recent Q1, checks that findings were tracked, and verifies that remediation actions were completed.

---

Where Companies Trip Up

No self-assessment. Never tested own controls — discovered gaps during the formal assessment. Conduct at least annual self-assessments.

Paper only. Policies reviewed but technical controls not tested. Verify that controls work in practice, not just on paper.

No follow-up. Assessment finds gaps but nothing changes. Every finding needs a remediation action.

---

How to Talk About This

To a CEO or Board

We regularly test our own controls — annually with a full self-assessment and quarterly spot-checks. We find and fix problems before the assessor does.

To an Engineering Team

Annual self-assessment: all 110 controls. Quarterly spot-checks: high-priority subset. Compliance scans supplement manual checks. Findings documented and fed into POA&M. Remediation tracked to closure.

---

Connected Requirements

Requirement	Why it matters here
3.12.2 — Track Every Gap	Assessment findings feed the POA&M
3.12.3 — Monitor Continuously	Continuous monitoring between periodic assessments
3.12.4 — Maintain the SSP	Assessment may reveal SSP updates needed

---

Implementation (coming soon)

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.

---

CMMC Practice ID: CA.L2-3.12.1 | SPRS Weight: 5 points | POA&M Eligible: No