CA.L2-3.12.1—Security Control Assessment
Level 2
800-171: 3.12.1
Control Description
Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What is your security control assessment policy and schedule?
- How do you determine which controls to assess and how frequently?
- Who is responsible for conducting or overseeing security control assessments?
- What methodology or framework guides your security assessments?
- How do you ensure assessors are qualified and independent?
Technical Implementation:
- What tools support security control assessment (scanners, audit tools)?
- How do you technically verify control implementation?
- What automated assessment tools do you use?
- What testing methods verify control effectiveness (penetration testing, vulnerability scanning)?
- How do you document and track assessment findings?
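The questions above ask how an organization technically verifies that a control is implemented and how it records the result. The script below is an added illustration of one such scripted check, written for this page; it is not part of the original page, of CMMC, or of any NIST assessment tooling. It assumes the evidence is an sshd_config-style file collected from a host (the sample text is constructed), that the expected values encode the organization's own assessment procedure, and that each result is recorded as a finding with a "satisfied" / "other than satisfied" status so it can feed a POA&M.

```python
"""Scripted control check for a security control assessment.

Added example for CA.L2-3.12.1, not from the original page or any official
tooling. The configuration text, the assessment procedure and the expected
values are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed evidence: an sshd_config-style file as an assessor might collect
# it from a host. Comments and blank lines are ignored by the parser.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 6
Ciphers aes256-gcm@openssh.com,aes128-ctr
LogLevel VERBOSE
"""


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Key value' lines into a dict; keys are lower-cased, later wins."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip()
    return settings


@dataclass
class TestCase:
    objective: str                  # what the organization's procedure verifies
    key: str                        # configuration key under test (lower-case)
    expected: str                   # human-readable expected state for the report
    check: Callable[[str], bool]    # returns True when the value satisfies it


@dataclass
class Finding:
    objective: str
    key: str
    expected: str
    actual: str
    status: str                     # "satisfied" or "other than satisfied"


# Constructed assessment procedure: one test case per setting. The objectives
# are the organization's own wording, not requirement identifiers.
ASSESSMENT_PROCEDURE: List[TestCase] = [
    TestCase("remote root login disabled", "permitrootlogin", "no",
             lambda v: v == "no"),
    TestCase("password authentication disabled", "passwordauthentication", "no",
             lambda v: v == "no"),
    TestCase("failed logon attempts limited", "maxauthtries", "<= 4",
             lambda v: v.isdigit() and int(v) <= 4),
    TestCase("only AEAD ciphers offered", "ciphers", "all *-gcm@openssh.com",
             lambda v: all(c.endswith("-gcm@openssh.com") for c in v.split(","))),
    TestCase("verbose logging enabled", "loglevel", "VERBOSE",
             lambda v: v.upper() == "VERBOSE"),
    TestCase("X11 forwarding disabled", "x11forwarding", "no",
             lambda v: v == "no"),
]


def run_assessment(config_text: str, procedure: List[TestCase]) -> List[Finding]:
    """Apply every test case to the parsed evidence and record a finding each.

    A key that is absent from the evidence is recorded as "(not set)" and
    treated as other than satisfied: an unverifiable control is not a pass.
    """
    settings = parse_config(config_text)
    findings: List[Finding] = []
    for case in procedure:
        actual = settings.get(case.key)
        if actual is None:
            ok, shown = False, "(not set)"
        else:
            ok, shown = case.check(actual), actual
        findings.append(Finding(case.objective, case.key, case.expected, shown,
                                "satisfied" if ok else "other than satisfied"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, object]:
    """Counts for the assessment report; deficiencies are what the POA&M tracks."""
    satisfied = sum(f.status == "satisfied" for f in findings)
    deficient = [f.key for f in findings if f.status != "satisfied"]
    return {"satisfied": satisfied,
            "other_than_satisfied": len(deficient),
            "deficient_keys": deficient}


if __name__ == "__main__":
    results = run_assessment(SAMPLE_CONFIG, ASSESSMENT_PROCEDURE)
    for f in results:
        print(f"{f.status:22} {f.key:22} expected {f.expected!r}, actual {f.actual!r}")
    print(summarize(results))
```

Each finding carries the expected and actual value, so the assessment report and the POA&M entry for a deficiency can be produced from the same record rather than from an assessor's notes.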
Evidence & Documentation:
- What system security plans (SSPs) document security controls?
- What assessment reports demonstrate control testing?
- What POA&M documents track remediation of deficiencies?
- What continuous monitoring reports show ongoing control effectiveness?
- What assessment procedures and test plans can you provide?
- What evidence shows assessments are conducted by qualified personnel?