NIST SP 800-171 & CMMC 2.0 Control 3.12.3 Requirement:

Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

NIST SP 800-171 & CMMC 2.0 3.12.3 Requirement Explanation:

For security controls to remain effective they must be reviewed to determine if they are accomplishing the intended goal. As your systems, businesses process, and people change the effectiveness of your controls may diminish. Ongoing monitoring ensure that issues with your security controls are identified and corrected. Provide a plan for monitoring and assessing the state of security controls on a recurring basis that occurs more frequently than the periodic assessments discussed in CA.2.158. This monitoring and assessing plan may take the form of a checklist.

Example NIST SP 800-171 & CMMC 2.0 3.12.3 Implementation:

Create a checklist of tasks for you to perform on a monthly basis that allows you to monitor the effectiveness of your secuirty controls. The checklist can include checking reports from your anti-malware software, SIEM, and other security tools.

NIST SP 800-171 & CMMC 2.0 3.12.3 Scenario(s):

- Scenario 1:

You want to review CMMC practice AC.1.002 to ensure its effectiveness. The practice says "Limit information system access to the types of transactions and functions that authorized users are permitted to execute.". To monitor the effectiveness of this control, you review Microsoft 365 security group memberships monthly. You check to see if any unauthorized accounts have been created, if any accounts are inactive, and if any accounts have been added to the administrators group.

Discover Our NIST SP 800-171 & CMMC 2.0 Solutions:


Compliance Accelerator

Power through compliance. Meet and maintain your NIST SP 800-171 & CMMC 2.0 compliance requirements.

Quantum Assessor

Transform your business. Create new revenue streams and provide scalability for your NIST SP 800-171 and CMMC 2.0 services.

Supply Chain Verifier

Trust is everything. Verify, monitor, and support subcontactor compliance.