bigforceone

CA.L2-3.12.1: Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.

What this control requires

Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.

Source: CMMC L2 v2.13 CA.L2-3.12.1 / NIST SP 800-171 R2 3.12.1 (official control text).

Why this matters

Security controls degrade over time through configuration drift, software updates, personnel changes, and evolving threats. This control requires regular, formal verification that implemented safeguards actually work as intended — not just that a policy exists on paper. Without periodic assessment, organizations operate under false confidence: firewalls may have open ports, encryption keys may be weak, access controls may grant excessive privileges, and backup systems may fail silently. Assessments create an evidence trail proving controls remain effective between compliance audits, enabling risk-based decisions and early detection of vulnerabilities before adversaries exploit them.

What evidence assessors expect

Assessors typically look for: PDF, screenshot, CSV export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
