CA.3.161 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.

CMMC Practice CA.3.161: Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. 

Links to Publicly Available Resources

CMMC CLARIFICATION (Ref CMMC – Appendix B)

You should provide a plan for monitoring and assessing the state of security controls on a recurring basis that occurs more frequently than the periodic assessments discussed in CA.2.158. This process provides a mechanism to assess the overall security posture of your organization. As a result, the process not only maintains awareness of vulnerabilities and threats, but also informs management of the effectiveness of the security controls in determining if security controls are current and for management to make an acceptable risk decision.