Family 3.12 · 4 requirements
Security Assessment.
Plan it. Test it. Track the gaps.
The big picture
This family is the meta-control: the SSP, the assessment cadence, the POA&M, and the boundary monitoring that proves your other 106 controls actually work.
Theme 1
All practices.
3.12.1 — 3.12.4: Security control assessments, plans of action, ongoing monitoring, and the system security plan itself.
- 3.12.1 Test Your Controls. Periodically assess whether your security controls actually work in practice.
- 3.12.2 Track Every Gap. Maintain a POA&M with owners, target dates, milestones, and resource allocation for every known gap.
- 3.12.3 Monitor Continuously. Ongoing monitoring of security controls between periodic assessments — dashboards, alerts, regular reviews.
- 3.12.4 Maintain the SSP. Keep the System Security Plan current — describe boundaries, controls, connections, and update whenever anything changes.
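The following is an added example, not code from the page or from NIST: a small checker that mechanises two of the practices above. It validates that every POA&M entry carries the fields 3.12.2 calls for (owner, target date, milestones, resources) and flags entries whose target date has passed, and it reports controls whose last assessment is older than the periodic cadence 3.12.1 requires. The field names, the 365-day cadence and the sample records are assumptions constructed for the example.

```python
"""Added example (not from the original page): POA&M and assessment-cadence
checks for NIST SP 800-171 family 3.12.

Assumptions: the POA&M is a list of dicts with the field names below, the
assessment log maps a control id to the date it was last assessed, and the
assessment cadence is one year. None of these values come from the page.
"""
from datetime import date, timedelta

# Fields 3.12.2 expects on every POA&M entry (names are assumed).
REQUIRED_FIELDS = ("control", "owner", "target_date", "milestones", "resources")

# Assumed cadence for 3.12.1: every control re-assessed within a year.
ASSESSMENT_CADENCE_DAYS = 365


def validate_poam(entries, today):
    """Return (control, problem) tuples for entries that fail 3.12.2:
    a missing or empty required field, or an open entry whose target date
    has already passed."""
    problems = []
    for entry in entries:
        ctl = entry.get("control", "<unknown>")
        for field in REQUIRED_FIELDS:
            if not entry.get(field):
                problems.append((ctl, f"missing {field}"))
        target = entry.get("target_date")
        if target and entry.get("status") != "closed" and target < today:
            problems.append((ctl, "overdue"))
    return problems


def stale_assessments(assessment_log, today, cadence_days=ASSESSMENT_CADENCE_DAYS):
    """Return controls whose last assessment is older than the cadence (3.12.1),
    most overdue first."""
    cutoff = today - timedelta(days=cadence_days)
    stale = [(ctl, d) for ctl, d in assessment_log.items() if d < cutoff]
    return [ctl for ctl, _ in sorted(stale, key=lambda pair: pair[1])]


# Constructed sample data (not real assessment results).
TODAY = date(2024, 6, 1)
SAMPLE_POAM = [
    {"control": "3.1.1", "owner": "it-ops", "target_date": date(2024, 9, 30),
     "milestones": ["inventory accounts", "remove shared logins"],
     "resources": "2 FTE-weeks", "status": "open"},
    # Deliberately incomplete entry: no owner, no milestones, past its date.
    {"control": "3.5.3", "owner": "", "target_date": date(2024, 3, 31),
     "milestones": [], "resources": "MFA licences", "status": "open"},
]
SAMPLE_LOG = {
    "3.1.1": date(2023, 1, 15),
    "3.5.3": date(2024, 2, 1),
    "3.12.4": date(2022, 11, 30),
}

if __name__ == "__main__":
    for ctl, problem in validate_poam(SAMPLE_POAM, TODAY):
        print(f"POA&M {ctl}: {problem}")
    for ctl in stale_assessments(SAMPLE_LOG, TODAY):
        print(f"assessment overdue: {ctl}")
```

Run as-is it reports the incomplete 3.5.3 entry three times (missing owner, missing milestones, overdue) and lists 3.12.4 and 3.1.1 as past their assessment cadence; in practice the same two functions would be scheduled against the live POA&M and assessment log so that 3.12.3's ongoing monitoring covers the assessment programme itself.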