3.12 — Security Assessment

Security Assessment (CA) Policy

Establishes requirements for periodically assessing security controls and monitoring organizational systems — covering 4 controls per NIST SP 800-171 Rev 2.

Family: 3.12 — CA
Controls: 4
Owner: Kit E. Floyd, Jr.
Last Review: April 3, 2026

SELF-ASSESSMENT

Control statuses below reflect an internal self-assessment prepared with AI assistance. Statuses marked "Implemented" may be organizational claims without verifiable evidence. See POA&M for known gaps.

Policy Statement

OCSI shall periodically assess security controls in organizational systems to determine whether the controls are effective in their application, develop and implement plans of action to correct deficiencies, and monitor security controls on an ongoing basis. An external MSSP provides independent assessment services aligned with its 5-phase cybersecurity methodology.

Control Implementation

Each control is listed with its requirement, the current implementation state, and the self-assessed status.

3.12.1
Requirement: Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
Implementation: NOT IMPLEMENTED. No formal security control assessment has been conducted. No external MSSP or C3PAO has been engaged. This self-assessment (AI-assisted) is the only review performed to date. A formal assessment methodology must be established.
Status: Not Implemented

3.12.2
Requirement: Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
Implementation: PARTIAL. POA&M document exists (POA&M) with 13 open items identified during this honest review. However, this is the first formal gap analysis; no prior deficiency tracking existed. POA&M process needs formalization with assigned owners, timelines, and regular review cadence.
Status: Partial

3.12.3
Requirement: Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
Implementation: NOT IMPLEMENTED. No continuous monitoring program exists. Audit logs exist in localStorage but are not reviewed on any schedule. No external MSSP monitoring. No automated alerting. Security headers are set but not verified on a recurring basis.
Status: Not Implemented

3.12.4
Requirement: Develop, document, and periodically update system security plans.
Implementation: PARTIAL. System Security Plan (SSP) exists and has been updated with honest control statuses. However, no formal review cadence is established and no prior SSP versions exist. SSP needs a defined update schedule and version tracking.
Status: Partial

Assessment Cycle (Not Yet Initiated)

Phase                  Activity                             Frequency                                        Output
1. Assessment          Evaluate 110 NIST 800-171 controls   Annually (comprehensive), Quarterly (targeted)   Assessment report
2. Remediation         Address identified gaps              Per findings timeline                            Updated POA&M
3. Testing             Verify control effectiveness         Post-remediation                                 Test results
4. Monitoring          Ongoing surveillance                 Continuous                                       Monitoring reports
5. Incident Response   IR capability validation             Annual tabletop + as needed                      Exercise results

CMMC 2.0 Readiness: Significant gaps remain. 13 open POA&M items must be resolved, an external MSSP must be engaged, and a formal assessment process must be established before C3PAO Level 2 assessment is feasible. No assessment cycle has been completed to date.