CA.L2-3.12.3 — Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
What this control requires
Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
Source: CMMC L2 v2.13 CA.L2-3.12.3 / NIST SP 800-171 R2 3.12.3 (official control text).
Why this matters
Security controls degrade over time. Configurations drift, patches lag, users bypass restrictions, and threats evolve. Without continuous monitoring, organizations operate blind—unaware that yesterday's compliant firewall rule was deleted, last month's MFA enrollment dropped to 60%, or this quarter's phishing simulations stopped running. This control mandates systematic, recurring measurement of every implemented safeguard to detect failure before adversaries exploit it. The goal is not annual checkbox audits but operational awareness: knowing in real-time whether controls protect what they're supposed to protect, so leadership can act on degradation immediately rather than discover breaches retroactively.
What evidence assessors expect
Assessors typically look for: screenshot, CSV export, PDF. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
Related controls
See your live posture on CA.L2-3.12.3.
FORCE shows where you stand on this control and walks you through closing it.
Start a free trial tenant →