Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - CA.L2-3.12.3 – Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
Understanding the Requirement
This control from NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 requires you to continually check that your security controls are still working as intended. As systems, processes, and personnel change, controls can silently lose effectiveness; you must have a recurring monitoring routine that runs between the periodic assessments rather than replacing them — often a checklist — so that control failures are detected and corrected before they cause harm.
Technical Implementation
- Create a monthly monitoring checklist. Build a concise checklist that an assigned person can complete each month. Include items such as reviewing endpoint protection status, SIEM/alert queue backlog, firewall rule changes, patch levels, and access control changes. Keep it versioned and dated so you have an audit trail.
- Define measurable indicators and thresholds. For each control, set simple metrics (e.g., % of endpoints with current AV signatures, number of failed privileged logins, time-to-patch for critical updates). Establish thresholds that trigger action — for example, if >5% of endpoints report outdated definitions, open a remediation ticket.
- Use tools to automate data collection. Configure your EDR/AV, SIEM or cloud logging, MFA reports, and MDM dashboards to produce monthly reports. Automate log exports and a summary dashboard so the checklist reviewer spends time validating exceptions rather than collecting raw data.
- Assign roles and escalation paths. Specify who performs the checklist (IT admin), who reviews results (security lead or manager), and how issues are escalated (ticketing system, SLA for remediation). Document these responsibilities so monitoring does not quietly become nobody's job.
- Document findings and remedial actions. Record each monthly review, items flagged, remediation steps taken, and verification that fixes worked. Use your ticketing system or a simple spreadsheet with dates and owners to maintain evidence for audits.
- Validate control effectiveness beyond logs. Quarterly, supplement the monthly checklist with lightweight tests that exercise the controls rather than just reading their dashboards: validate least privilege by sampling accounts and their group memberships, run vulnerability scans to confirm that reported patch levels match reality, and perform failover or test-alert exercises for critical detection systems to confirm that an alert actually reaches a person.
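The steps above can be turned into a small script that runs on review day. The following Python example is added here and is not code from the original page or any product; it reads two constructed exports (an endpoint-protection CSV and a SIEM authentication summary in JSON lines), computes three of the indicators named in the checklist, compares them with the thresholds, and produces a dated evidence record with a digest the reviewer can sign off against. The column and field names (`signatures_updated`, `privileged`, `outcome`, and so on) are assumptions about what a real EDR/SIEM export would contain; adapt them to your tools.

```python
"""Monthly control-monitoring metrics against thresholds.

Added example, not from the original page. Exports below are constructed;
field names are assumptions about what an EDR/AV or SIEM export contains.
"""
import csv
import hashlib
import io
import json
from datetime import date, timedelta

# Constructed endpoint-protection export: one row per endpoint (assumed columns).
# ws-02 has no installed date, meaning the critical patch is still open.
ENDPOINT_CSV = """hostname,signatures_updated,critical_patch_released,critical_patch_installed
ws-01,2024-05-30,2024-05-14,2024-05-16
ws-02,2024-05-12,2024-05-14,
ws-03,2024-05-29,2024-05-14,2024-05-20
ws-04,2024-05-31,2024-05-14,2024-05-15
ws-05,2024-05-28,2024-05-14,2024-05-17
ws-06,2024-05-30,2024-05-14,2024-05-14
ws-07,2024-05-23,2024-05-14,2024-05-18
ws-08,2024-05-30,2024-05-14,2024-05-15
ws-09,2024-05-31,2024-05-14,2024-05-16
ws-10,2024-05-29,2024-05-14,2024-05-19
"""

# Constructed SIEM export of authentication events (assumed field names).
AUTH_JSONL = """{"date": "2024-04-20", "user": "da-admin", "privileged": true, "outcome": "failure"}
{"date": "2024-05-03", "user": "da-admin", "privileged": true, "outcome": "failure"}
{"date": "2024-05-03", "user": "da-admin", "privileged": true, "outcome": "failure"}
{"date": "2024-05-19", "user": "jdoe", "privileged": false, "outcome": "failure"}
{"date": "2024-05-27", "user": "backup-svc", "privileged": true, "outcome": "failure"}
{"date": "2024-05-27", "user": "backup-svc", "privileged": true, "outcome": "success"}
{"date": "2024-05-30", "user": "da-admin", "privileged": true, "outcome": "failure"}
"""

# Thresholds that open a remediation ticket when exceeded; tighten over time.
THRESHOLDS = {
    "outdated_signatures_pct": 5.0,   # more than 5% of endpoints stale
    "failed_privileged_logins": 10,   # more than 10 failures in the window
    "time_to_patch_days": 14,         # any critical patch open longer than this
}
SIGNATURE_MAX_AGE_DAYS = 7
WINDOW_DAYS = 30


def parse_date(text):
    return date.fromisoformat(text) if text else None


def compute_metrics(endpoint_csv, auth_jsonl, as_of):
    """Derive the checklist indicators from the two exports as of the review date."""
    rows = list(csv.DictReader(io.StringIO(endpoint_csv)))
    stale = sorted(r["hostname"] for r in rows
                   if (as_of - parse_date(r["signatures_updated"])).days > SIGNATURE_MAX_AGE_DAYS)
    # An unpatched host is measured from release to the review date, so an open
    # patch keeps ageing in the metric instead of dropping out of it.
    patch_days = {}
    unpatched = []
    for r in rows:
        released = parse_date(r["critical_patch_released"])
        installed = parse_date(r["critical_patch_installed"])
        if installed is None:
            unpatched.append(r["hostname"])
        patch_days[r["hostname"]] = ((installed or as_of) - released).days
    # Only events inside the review window count; older ones belong to last month.
    window_start = as_of - timedelta(days=WINDOW_DAYS)
    events = [json.loads(line) for line in auth_jsonl.splitlines() if line.strip()]
    failed_priv = [e for e in events
                   if e["privileged"] and e["outcome"] == "failure"
                   and parse_date(e["date"]) >= window_start]
    return {
        "endpoints_total": len(rows),
        "outdated_signature_hosts": stale,
        "outdated_signatures_pct": round(100.0 * len(stale) / len(rows), 1),
        "failed_privileged_logins": len(failed_priv),
        "time_to_patch_days": max(patch_days.values()),
        "unpatched_hosts": sorted(unpatched),
    }


def evaluate(metrics, thresholds=THRESHOLDS):
    """Compare each indicator with its threshold; every breach becomes a finding."""
    return [{"indicator": name, "value": metrics[name], "threshold": limit,
             "action": "open remediation ticket"}
            for name, limit in thresholds.items() if metrics[name] > limit]


def evidence_record(metrics, findings, as_of, reviewer):
    """Dated record kept for assessors; the digest pins down exactly what was reviewed."""
    record = {"review_date": as_of.isoformat(), "reviewer": reviewer,
              "metrics": metrics, "findings": findings,
              "status": "action required" if findings else "pass"}
    canonical = json.dumps(record, sort_keys=True).encode()
    record["sha256"] = hashlib.sha256(canonical).hexdigest()
    return record


def run_monthly_review(as_of=date(2024, 5, 31), reviewer="it-lead"):
    metrics = compute_metrics(ENDPOINT_CSV, AUTH_JSONL, as_of)
    return evidence_record(metrics, evaluate(metrics), as_of, reviewer)


if __name__ == "__main__":
    print(json.dumps(run_monthly_review(), indent=2))
```

With the constructed data this flags two findings (20% of endpoints with stale signatures, and a critical patch open for 17 days on ws-02) while the four failed privileged logins inside the 30-day window stay under the threshold. Attaching the printed record to the monthly ticket gives the security lead a single artefact to sign off, and the digest lets an assessor confirm the record was not edited after the fact.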
Example in a Small or Medium Business
A 40-person engineering firm implements CA.L2-3.12.3 by creating a one-page monthly monitoring checklist stored in their ticketing system. The IT lead exports a weekly SIEM summary, endpoint protection health report, and Microsoft 365 admin center activity report. Each month they verify endpoint status (are signatures up to date?), review any high-severity SIEM alerts from the prior 30 days, and audit a sample of administrative group memberships for unauthorized changes. If the checklist shows an outdated patch or a suspicious login, the IT lead creates a ticket assigned to the system administrator with a 72-hour SLA. All remediation steps, screenshots, and verification notes are attached to the ticket. The security lead reviews the completed checklist and remediation results at the monthly operations meeting and signs off, providing a simple paper trail for external assessors. Over time, the firm tightens thresholds (for example, reducing acceptable time-to-patch) and automates report exports to reduce manual effort.
Summary
Meeting CA.L2-3.12.3 is practical for SMBs when you combine a short, repeatable monitoring checklist with automated data collection, clear metrics, and assigned owners. Policy defines what to check and how often; technical measures (SIEM, EDR, MDM, account auditing) supply the evidence; and documented remediation closes the loop. This combination ensures controls remain effective as your environment changes and provides the records needed for compliance and continuous improvement.