CMMC Level 2

Control 3.12.3

Monitor Security Controls on an Ongoing Basis

CMMC-RP Certified Team | 24+ Years Experience | CMMC-AB RPO #1449

Official Requirement

Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

What This Means in Plain English

Security controls must be continuously monitored, not just checked once a year. Use automated tools to verify that controls remain effective and alert you when they degrade or fail.

How Petronella Implements This Control

Petronella Technology Group implements this control through:

  • Arctic Wolf SIEM providing continuous monitoring of security events and control effectiveness
  • CrowdStrike Falcon and Sophos XDR monitoring endpoint protection status in real time
  • Microsoft Secure Score tracking cloud security posture continuously
  • Automated compliance dashboards in ComplianceArmor showing control status
  • Weekly security posture reviews by the security team assessing control health

Assessment Guidance

Assessors will review continuous monitoring mechanisms and dashboards, verify that control failures are detected and alerted, check that monitoring covers all critical security controls, and confirm that monitoring results inform security decisions.

Common Implementation Gaps

  • No continuous monitoring: controls only checked during annual assessments
  • SIEM deployed but dashboards not reviewed regularly
  • No automated alerting when controls degrade
  • Monitoring coverage gaps (some controls not monitored)
  • Monitoring data not used to inform remediation decisions
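
The gaps above can be checked mechanically. The following is an added example, not Petronella's tooling or any vendor's API: it compares a required-control inventory against the latest health signals and flags coverage gaps, stale telemetry, and degraded controls. The control names, thresholds, timestamps, and signal format are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory: every control that must be monitored, with the
# maximum age its last health signal may reach before it counts as stale.
REQUIRED = {
    "endpoint-protection": timedelta(minutes=15),
    "siem-log-ingestion": timedelta(minutes=30),
    "cloud-posture-score": timedelta(hours=24),
    "mfa-enforcement": timedelta(hours=24),
}

# Constructed telemetry: (control, reported status, time the signal was seen).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SIGNALS = [
    ("endpoint-protection", "healthy", NOW - timedelta(minutes=5)),
    ("siem-log-ingestion", "healthy", NOW - timedelta(hours=3)),
    ("cloud-posture-score", "degraded", NOW - timedelta(hours=2)),
]

def evaluate(required, signals, now):
    """Return {control: finding} for every control that needs attention."""
    latest = {}
    for control, status, seen in signals:
        # Keep only the most recent signal per control.
        if control not in latest or seen > latest[control][1]:
            latest[control] = (status, seen)
    findings = {}
    for control, max_age in required.items():
        if control not in latest:
            findings[control] = "UNMONITORED"   # coverage gap: no signal at all
            continue
        status, seen = latest[control]
        if now - seen > max_age:
            # An old "healthy" report proves nothing about the present state.
            findings[control] = "STALE"
        elif status != "healthy":
            findings[control] = "DEGRADED"      # control itself reports a failure
    return findings

def alerts(findings):
    """Format findings as alert lines, sorted by control name."""
    return [f"ALERT {control}: {finding}" for control, finding in sorted(findings.items())]

if __name__ == "__main__":
    for line in alerts(evaluate(REQUIRED, SIGNALS, NOW)):
        print(line)
```

Staleness is evaluated before reported status, so a sensor that has gone quiet is never counted as effective on the strength of its last "healthy" message.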

Cross-Framework Mapping

Framework | Mapped Controls
NIST SP 800-53 | CA-7
PCI DSS | Req 11.5 - Deploy a change-detection mechanism
By Craig Petronella
Founder, Petronella Technology Group | CMMC-RP (RPO #1449) | DFE #604180 | MIT-Certified in AI and Blockchain
Craig has helped North Carolina defense contractors prepare for CMMC assessments since 2002 and authored the CMMC 2.0 Certification Guide. Read the LinkedIn profile or verify the RPO listing at the CyberAB Marketplace.
