Call now for cybersecurity help: 888-646-1616
Josh Ablett

Security Assessment (CA) Guide [For CMMC Level 2.0 Compliance]

January 17, 2024

Welcome to our Security Assessment (CA) Guide for CMMC Level 2.0.

We made this for small and midsize businesses with DoD contracts. We will guide you through the important steps of doing security assessments. You'll get simple instructions, helpful advice, and what you need to meet the CMMC Level 2.0 standards.

Security Assessment Control is a key part of meeting CMMC rules. It's all about checking and improving your business's security. This protects Controlled Unclassified Information (CUI) and keeps your business safe.

Need help with Security Assessment or other CMMC areas? You can set up a free consultation with us. We're here to help your business meet CMMC Level 2.0 in a way that's manageable and keeps your information safe.


“Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.”

Level Of Effort: High

This control involves checking the security measures in your computer systems to ensure they're working well. The aim is to find and fix any security issues early.

For instance, if you use encryption on your computers as required by SC.L2-3.13.11 – CUI ENCRYPTION, you need a way to check if someone forgets to encrypt a new computer.

Most CMMC controls require some verification to confirm your systems are working and are configured correctly. Here are a few ways to do this:

  1. Collect and review all your evidence at least once a year. Although CMMC certification is every three years, reviewing our CMMC control articles ensures you follow your SSP and are prepared for audits.
  2. Work with a managed MSSP (managed security service provider) or SOC (security operations center) service. As discussed in AU.L2-3.3.1 – SYSTEM AUDITING, these services check your environment for harmful or suspicious activity, aiding in this rule.
  3. Consider a penetration test. While it's not confirmed if CMMC guidance will require it, many experts suggest it. In a penetration test, ethical hackers attempt to breach your system and then report on its security. These tests are thorough but can be expensive, ranging from $7,000 to $20,000.

Remember, whichever methods you choose, maintaining documentation and evidence is crucial.


“Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems.”

Level Of Effort: High

Having a solid plan to handle security problems and stop hackers from getting into your company's computer systems is essential for CMMC 2.0. This plan should tell you what to do when security checks find issues, helping keep your systems safe. 


Create a Plan of Action and Milestones (POAM): A detailed plan to address security flaws. You can use a spreadsheet or project management software for this. Make sure to include:

  • The specific CMMC control that's relevant
  • The actions you plan to take
  • The person or team responsible
  • Deadlines for each action
  • Milestones to track progress
  • Current status of each action


  • The POAM Document: Keep this document updated as your main record of what actions are being taken, who’s responsible, and how things are progressing. It serves as a comprehensive overview of your efforts to secure your systems.

Here’s an example of how you can organize your POAM:

CMMC ControlActionMilestonesDue DateOwnerStatus
3.1.17Protect wireless access using authentication and encryption.Upgrade to FIPS-validated equipment9/15/24AliceIn progress
3.1.18Control connection of mobile devices.Implement a new device management protocol10/1/24MikeIn progress
3.1.19Encrypt CUI on mobile devices.Device mgmt settings10/15/24AliceNot started
3.1.20Verify and control/limit connections to external systems.Complete external connection audit12/1/24MikeNot started

Important Note: You will not be able to qualify for CMMC certification if you still have open items on your POAM. All POAM items must be addressed before you can qualify for CMMC certification.  


“Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.”

Level Of Effort: None

Always watch your computer security to ensure it's working well. Imagine it like a security camera that's always recording, helping you stay safe.

This is important if you follow all the advice in AU.L2-3.3.1 – SYSTEM AUDITING.


“Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems”

Level Of Effort: High

This control focuses on creating and keeping a detailed plan. It should describe your computer system's limits, how it works, its security features, and its connections to other systems. It's like a playbook that guides you through your security strategies.

While there's no 'official' SSP template, you can find many free and paid ones online. However, paying for a template may not be very helpful as they can be costly and only get you started.

You can either:

  1. Work with a skilled consultant to help organize and write your SSP, or
  2. Write it yourself.

If you choose to write the SSP, here's what to do:

  • Begin with the free NIST template, and then
  • Greatly expand the section starting on page 3. Explain in detail how you've implemented each of the 110 controls.

For example, let's look at AC.L2-3.1.18 – MOBILE DEVICE CONNECTION.

The NIST template only asks for the following:

To write an acceptable SSP, you could write details like the following:

For work-related tasks like handling emails or documents, mobile devices need to be set up to keep CUI (Controlled Unclassified Information) safe.

We use a tool called Mobile Application Management in Microsoft 365 GCC High to manage these devices. This tool lets them be used only for accessing CUI through email, OneDrive, or SharePoint.

Here's how we've set up the Mobile Application Management:

  • If a phone gets lost or stolen, we can erase any company data on it right away.
  • The device has to have encryption to make sure it's secure before it can connect.
  • To open any app, you need to use a PIN, thumbprint, or FaceID for extra security.
  • The apps won't work on devices that have been jailbroken or rooted.

What you put in your plan depends on what you’ll implement.

Here's a helpful tip: It's good to decide early on how you'll handle the SSP in your project. But, it's best to create the document near the end of your CMMC work. Trying to write it while making changes can be tough.

Need Help With Other CMMC Controls? 

Leave a Reply

Your email address will not be published. Required fields are marked *

Do you think we might be a
good match?

We help over 100 of the best financial services, healthcare, and manufacturing companies across the U.S. with their cybersecurity.
Copyright 2024 Adelia Associates, LLC | All Rights Reserved