Security Assessment
Security Assessment is the family that keeps the whole program honest: your System Security Plan, your ongoing self assessment, and your Plan of Action and Milestones. It is where the other 13 families get documented and tracked.
The 4 Security Assessment requirements
14 assessment objectives across this family.
- 3.12.1Security Control AssessmentPeriodically assess the security controls in organizational systems to determine if the controls are effective in their application.5 pt✕ POA&M
- 3.12.2Operational Plan Of ActionDevelop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.3 pt✕ POA&M
- 3.12.3Security Control MonitoringMonitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.5 pt✕ POA&M
- 3.12.4System Security PlanDevelop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.✕ POA&M
Build Security Assessment, and all 14 families, with an officer
The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.
No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.
Questions, answered
How many CMMC Level 2 requirements are in Security Assessment?+
The Security Assessment family (CA) has 4 of the 110 CMMC Level 2 requirements, assessed against 14 objectives from NIST SP 800-171A.
What is the Security Assessment family about?+
Security Assessment is the family that keeps the whole program honest: your System Security Plan, your ongoing self assessment, and your Plan of Action and Milestones. It is where the other 13 families get documented and tracked.