CMMC Deep Dive: Security Assessment (CA)

A guide to the Security Assessment (CA) domain, covering how to verify the effectiveness of your security controls.

Published: June 25th, 2024 | By: CMMC Dashboard Team | Last updated: August 7th, 2025

This article is part of our series on The 14 CMMC Domains.

The Security Assessment (CA) domain is about checking your work. It requires organizations to periodically assess their own security controls to ensure they are effective and to develop plans to fix any identified weaknesses.

Why It Matters

Implementing a control is not a one-time event. Systems change, new threats emerge, and configurations can drift. Regular assessment ensures that your security posture remains strong over time.

Key Practices

  • CA.L2-3.12.1: Periodically assess security controls to determine their effectiveness.
  • CA.L2-3.12.2: Develop and implement plans of action (POA&Ms) to correct deficiencies.
  • CA.L2-3.12.3: Monitor security controls on an ongoing basis.
  • CA.L2-3.12.4: Develop, document, and periodically update a System Security Plan (SSP).

What Assessors Look For

  • A System Security Plan (SSP) that accurately describes your environment and how all CMMC controls are met.
  • A Plan of Action & Milestones (POA&M) that tracks all identified deficiencies.
  • Evidence of periodic self-assessments.
  • Proof of continuous monitoring activities.