
NIST 800-171 Security Assessment Controls in GCC High: Complete Configuration Guide

January 11, 2026

Author: Emily Bonnie, Senior Content Marketing Manager
Reviewer: Anna Fitzgerald, Senior Content Marketing Manager

Security Assessment is the family that tells an assessor whether your compliance program is actually governable. The other families describe what controls should exist. This family describes how you evaluate them, how you track what is still missing, how you monitor them over time, and how you document the environment those controls are supposed to protect. That is why the CA family often has an outsized impact on assessment outcomes even though it contains only four controls.

This is also the family where documentation quality becomes inseparable from technical reality. A C3PAO is not just assessing your Conditional Access policies, DLP rules, or endpoint controls in isolation. They are also assessing whether your organization can explain those controls clearly in an SSP, verify them through a periodic assessment process, track deficiencies in a governed POA&M, and monitor whether they remain effective over time. If those foundational artifacts are weak, the assessor has a harder time validating every other family.

GCC High provides several useful supporting inputs for this family. Compliance Manager can help structure control assessments and evidence collection. Secure Score can support ongoing posture monitoring. Defender and Sentinel can provide continuous signals that feed a monitoring program. But the core of the family is still customer-owned. You cannot configure your way to compliance here. The CA family depends on documentation, governance, assessment discipline, and a clear understanding of your own system boundary.

This is Part 12 of the NIST 800-171 GCC High Configuration Guide. It assumes you already have a functioning Microsoft GCC High tenant, understand the shared responsibility model, and are implementing against NIST SP 800-171 Rev. 2.


Security Assessment family overview

The Security Assessment family includes four controls focused on periodically assessing security controls, developing and implementing Plans of Action and Milestones, monitoring security controls on an ongoing basis, and developing and maintaining the System Security Plan.

Control | Title | What it requires in practice | Responsibility
------- | ----- | ---------------------------- | --------------
3.12.1 | Periodically assess security controls | Assess security controls on a defined cadence to determine whether they are implemented as described and effective in practice. | Customer process.
3.12.2 | Develop and implement plans of action | Track deficiencies and vulnerabilities in a formal POA&M with assigned owners, milestones, due dates, and evidence of remediation. | Customer process.
3.12.3 | Monitor security controls on an ongoing basis | Continuously monitor the effectiveness of implemented controls using defined indicators, review cadences, and corrective action thresholds. | Shared: Microsoft provides monitoring inputs and security telemetry; customer defines the continuous monitoring program and acts on the results.
3.12.4 | Develop, document, and update the System Security Plan | Maintain a current SSP that describes the system boundary, operating environment, control implementations, interconnections, and periodic updates. | Customer process.

At a practical level, this family breaks into two implementation groups. Most of the family is primarily customer-owned because the real work involves assessment methodology, POA&M governance, SSP development, and review discipline. One control is more clearly shared because Microsoft provides monitoring inputs and security telemetry that can support a continuous monitoring program, even though your organization still has to define what is monitored, how often it is reviewed, and what triggers action.

Operationally, the family clusters around four governance functions: assess, document, track, and monitor. That is why this family often feels like the control layer above the other control layers. It does not replace the technical families. It is what makes them assessable.

If the other control families describe how your environment is protected, the CA family describes how your organization proves that protection is real, current, and governed.

CA controls and CMMC scope

The CA family applies across the full CMMC assessment boundary because every in-scope control, system, interconnection, and supporting process ultimately needs to be described, assessed, monitored, and, when necessary, corrected.

That makes this family unusually boundary-sensitive. If the organization has not defined the boundary clearly, the SSP becomes vague, the control assessment becomes incomplete, the POA&M misses relevant deficiencies, and the monitoring program loses credibility. In practice, many issues in the CA family are not caused by missing documents alone. They are caused by a mismatch between what the organization says is in scope and what the real environment actually includes.

This is especially important in enclave architectures. An enclave can reduce the number of systems that require full CMMC implementation, but only if the SSP, assessment plan, monitoring program, and POA&M all reflect that scoped architecture accurately. If one artifact treats the enclave narrowly and another quietly assumes a broader environment, the inconsistency usually becomes visible during the assessment.

In-scope area | What must be addressed | Common CA concern
------------- | ---------------------- | -----------------
All 110 NIST 800-171 controls | Periodic assessment methodology, evidence collection, effectiveness evaluation, and documentation of results across the full control set. | The organization assesses only technical controls and leaves process-heavy or customer-owned controls unevaluated.
System boundary and environment | Clear definition of the CMMC assessment boundary, operating environment, user population, administrative responsibilities, and data flows. | The SSP does not define the actual scope clearly enough for the assessor to understand what is in or out.
Control deficiencies and remediation items | Formal POA&M entries for identified gaps, including ownership, milestones, target dates, and completion evidence. | Deficiencies are known informally but not tracked in a governed remediation process.
Continuous monitoring inputs | Secure Score, Compliance Manager, Defender, Sentinel, audit logs, compliance reports, and other indicators used to monitor control effectiveness over time. | Monitoring tools exist, but the organization has not defined what is reviewed, how often, or what triggers action.
System interconnections | Connections to DoD systems, subcontractors, external services, cloud platforms, and internal supporting systems documented in the SSP. | Interconnections and inherited responsibilities are missing or too vague in the SSP.
Assessment and governance workflow | Assessment plans, results reports, review cadence, revision history, POA&M governance, and leadership reporting. | The program has documents, but no clear governance cycle tying them together.
Enclave boundary | All systems, processes, and relationships that fall within the enclave reflected consistently in the SSP, assessments, POA&M, and monitoring program. | The SSP, monitoring program, and actual technical environment describe different boundaries.


How security assessment works in GCC High

Before walking through the individual controls, it helps to understand the architecture you are actually using in GCC High.

Compliance Manager is often the most natural Microsoft starting point for this family because it can map Microsoft 365-related controls to frameworks such as NIST 800-171 and organize evidence collection around those requirements. It can be genuinely useful, especially for platform and tenant controls, but it has important limits. It does not replace the organization’s full control assessment process, and it does not fully assess customer-only or non-Microsoft portions of the environment.

Secure Score is more useful for continuous monitoring than for formal assessment. It can surface posture changes, control gaps, and improvement actions across Microsoft 365 workloads. But like Compliance Manager, it is an input, not the control itself.

Defender and Sentinel support this family indirectly by generating the telemetry that helps an organization monitor whether certain technical controls remain effective over time. They can support ongoing monitoring of configuration drift, alert failures, device compliance, suspicious changes, and other indicators that help validate control effectiveness.

Still, the most important artifacts in this family usually do not originate in a Microsoft portal at all. The SSP, POA&M, assessment plan, assessment results report, monitoring strategy, revision history, and leadership review records are all fundamentally organizational documents.

The three CA controls that are primarily customer-owned

3.12.1 Periodically assess security controls

CA.L2-3.12.1

This control requires the organization to periodically assess its security controls to determine whether they are effective in their application.

That wording matters because the control is not just asking whether the organization reviewed a checklist. It is asking whether the organization evaluated whether controls are actually working as intended. A strong control assessment program therefore looks at both implementation and effectiveness. It compares what the SSP says is true against what the environment, evidence, and personnel can actually demonstrate.

For most CMMC environments, NIST SP 800-171A is the natural assessment reference because it provides the official assessment objectives and methods behind the standard. In practical terms, that usually means using some combination of examine, interview, and test for each control. Document review alone is rarely enough. A control may be described properly on paper and still be weak in practice.

A mature implementation usually starts with an assessment plan that defines scope, cadence, methods, assessors, evidence requirements, and reporting expectations. The strongest teams then produce an assessment results report that identifies what was assessed, what evidence was reviewed, what gaps were found, and what actions need to follow.

Compliance Manager can support this work well for Microsoft-specific portions of the environment, but it is not sufficient by itself. Physical security, personnel processes, media handling, incident testing, and many customer-owned controls still require manual assessment outside the Microsoft platform.

This control often fails when the organization has never conducted a formal control assessment, conducts one only once during initial implementation, or relies entirely on platform scoring without manually evaluating how customer-owned controls operate.

3.12.2 Develop and implement Plans of Action and Milestones

CA.L2-3.12.2

This control requires the organization to develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities.

In practice, this means every meaningful deficiency identified during a control assessment, continuous monitoring review, incident investigation, or risk assessment should flow into a governed remediation process unless it is corrected immediately. For most organizations, that governed remediation process is the POA&M.

A strong POA&M is not just a list of open issues. It is a management document that shows the control or requirement affected, the deficiency observed, the corrective action planned, the owner, the milestones, the target completion date, the current status, and the evidence required for closure. It should show motion. If the same items remain open month after month with no updated milestones, due dates, or escalation, the POA&M becomes hard to defend.

This is also one of the places where CMMC-specific judgment matters. Not every deficiency can be deferred safely, and not every open item is appropriate for a POA&M at assessment time. Some issues, especially critical ones, have to be fully implemented rather than parked as future work. That is why the POA&M process needs both governance discipline and assessment awareness.

The strongest implementations review POA&M status at least monthly, assign each item to a specific individual rather than a generic team, and require evidence before an item is marked complete. Executive visibility helps too, especially when remediation depends on budget, staffing, or competing operational priorities.

This control usually fails when there is no formal POA&M, when deficiencies are tracked informally in email or side notes, when dates and ownership are vague, or when completed items have no supporting proof of closure.
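The governance rules above (a named individual as owner, dated milestones, visible movement between reviews, and evidence before closure) can be checked mechanically against the tracker before each monthly review. The PowerShell script below is an added example, not from the article or from Secureframe; the column names, the sample POA&M rows, the review date, and the 30-day staleness threshold are constructed assumptions rather than a prescribed format.

```powershell
# Added example (not from the original article): review a POA&M export against the
# governance rules described above. Column names, sample rows, the review date and
# the 30-day staleness threshold are constructed assumptions, not a prescribed format.

# Constructed sample of a POA&M tracker exported to CSV
$PoamCsv = @'
ItemId,Control,Deficiency,Owner,TargetDate,Status,LastUpdated,ClosureEvidence
POAM-001,3.5.3,MFA not enforced for one legacy service account,j.doe@contoso.example,2026-02-15,Open,2026-01-05,
POAM-002,3.4.1,No Intune configuration baseline for macOS devices,,2026-01-31,Open,2025-10-02,
POAM-003,3.3.1,Audit log retention below documented minimum,s.roe@contoso.example,2025-12-01,Open,2025-11-20,
POAM-004,3.1.1,Stale guest accounts not removed,a.lee@contoso.example,2025-12-15,Closed,2025-12-10,
POAM-005,3.13.11,FIPS-validated cipher settings not verified,IT Team,2026-03-01,Open,2025-11-01,
'@

function Test-PoamGovernance {
    param(
        [Parameter(Mandatory)] [object[]] $Items,
        [datetime] $AsOf = (Get-Date),
        [int] $StaleAfterDays = 30
    )
    foreach ($item in $Items) {
        $issues  = @()
        $target  = [datetime]::Parse($item.TargetDate)
        $updated = [datetime]::Parse($item.LastUpdated)

        # Rule 1: a specific individual (here: a mailbox), not a team name or a blank
        if ([string]::IsNullOrWhiteSpace($item.Owner) -or $item.Owner -notmatch '@') {
            $issues += 'no individual owner'
        }
        if ($item.Status -eq 'Open') {
            # Rule 2: open items must not have slipped past their target date silently
            if ($target -lt $AsOf) {
                $issues += "overdue since $($target.ToString('yyyy-MM-dd'))"
            }
            # Rule 3: open items must show movement (updated milestone, status or notes)
            $daysIdle = [int](($AsOf - $updated).TotalDays)
            if ($daysIdle -gt $StaleAfterDays) {
                $issues += "no update in $daysIdle days"
            }
        }
        elseif ($item.Status -eq 'Closed' -and [string]::IsNullOrWhiteSpace($item.ClosureEvidence)) {
            # Rule 4: nothing is closed without proof of remediation
            $issues += 'closed without closure evidence'
        }

        [pscustomobject]@{
            ItemId         = $item.ItemId
            Control        = $item.Control
            Owner          = $item.Owner
            Status         = $item.Status
            NeedsAttention = ($issues.Count -gt 0)
            Issues         = ($issues -join '; ')
        }
    }
}

$AsOf    = Get-Date '2026-01-11'     # constructed review date; use (Get-Date) for a live review
$Items   = $PoamCsv | ConvertFrom-Csv
$Results = Test-PoamGovernance -Items $Items -AsOf $AsOf -StaleAfterDays 30

# Items that need discussion at the monthly review
$Results | Where-Object NeedsAttention | Format-Table ItemId, Control, Status, Issues -AutoSize

# Keep the full result as evidence that the review took place
$Results | Export-Csv -Path "CA_3.12.2_POAM_Review_$($AsOf.ToString('yyyyMMdd')).csv" -NoTypeInformation
```

With the constructed rows, only POAM-001 passes: POAM-002 has no owner and has not moved in over 100 days, POAM-003 is overdue and stale, POAM-004 was closed without evidence, and POAM-005 is assigned to a team rather than a person. The exported CSV is the kind of artifact an assessor can compare against the meeting notes for the same review date.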

3.12.4 Develop, document, and periodically update the System Security Plan

CA.L2-3.12.4

This is often the single most important document control in the entire assessment.

The SSP is the foundational description of the environment being assessed. It tells the assessor what is in scope, how the boundary is defined, what systems and interconnections matter, how each requirement is implemented, and where responsibility sits between Microsoft and your organization. If the SSP is weak, inaccurate, or stale, every other assessment activity becomes harder.

That is why this control deserves more than generic treatment.

The SSP is the primary reference your C3PAO uses to understand your environment and validate every other family in the assessment.

A CMMC-ready SSP should describe the system identification details, the system boundary, the environment of operation, the implementation of each NIST 800-171 requirement, the relationships with other systems, and the revision history that shows the document is maintained over time.

For GCC High environments, the SSP must clearly distinguish between what Microsoft provides at the platform layer and what your organization implements through tenant configuration or operational process.

This distinction is critical during assessment. The platform inherits certain protections through Microsoft’s FedRAMP High authorization, but tenant configuration, identity governance, endpoint enforcement, monitoring, and operational procedures remain the customer’s responsibility. A strong SSP explains both sides clearly so the assessor can see where Microsoft responsibility ends and organizational responsibility begins.

This is where generic writing hurts the most. Statements like “MFA is enabled” or “audit logging is configured” are usually too thin to be useful. A strong SSP describes the actual policies, groups, environments, exceptions, tools, and governance choices used in the environment. It gives the assessor something concrete to validate.

System boundary description is especially important. If the boundary is unclear, every control conversation becomes harder. The assessor needs to understand where CUI enters, where it is stored, what endpoints and workloads are in scope, what external systems connect to the boundary, and where Microsoft responsibility ends and customer responsibility begins.

This control often fails when the SSP does not describe all 110 controls, does not clearly define the system boundary, uses overly generic implementation language, or has not been updated to reflect the current environment.

The CA control that depends on both Microsoft inputs and your monitoring process

3.12.3 Monitor security controls on an ongoing basis

CA.L2-3.12.3

This control requires security controls to be monitored on an ongoing basis to ensure their continued effectiveness.

This is the bridge between point-in-time assessment and operational awareness. A periodic control assessment may tell you what the environment looked like at the time of the review. Continuous monitoring helps you know whether important controls are still operating as expected today.

For GCC High environments, Secure Score, Compliance Manager, Defender telemetry, Sentinel analytics, audit logs, compliance reports, and related platform signals can all support this control. But those tools are only useful when the organization has a monitoring strategy behind them. That strategy should define what is monitored, who reviews it, how often it is reviewed, what thresholds matter, and what actions follow when something drifts or degrades.

That last point matters. Continuous monitoring is not the same thing as leaving dashboards available in a portal. A tool can be deployed and still not be part of a functioning monitoring program if no one reviews it, tracks trends in the data, discusses the results, or acts on what the monitoring reveals.

A strong implementation usually identifies a set of key indicators across the control families. Those might include Secure Score trends, device compliance levels, MFA coverage, logging failures, drift in Conditional Access or endpoint baselines, DLP policy issues, stale vulnerabilities, or similar indicators tied to control effectiveness. It then assigns those indicators to a review cadence and a responsible role.

This is also one of the areas where Sentinel can add real value. Custom analytics rules or drift detections can help surface changes that indicate a control may no longer be operating the way the SSP describes.

This control often weakens when the organization confuses available telemetry with actual monitoring. If Secure Score exists, Sentinel collects logs, and Compliance Manager has a score, but nobody reviews those outputs consistently or ties them to corrective action, the monitoring program is hard to defend.
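The monitoring strategy described above (indicators, thresholds, review cadence, responsible role, and the action that follows a breach) can be written down as data and evaluated on a schedule instead of living implicitly in a dashboard. The PowerShell script below is an added example and is not part of the article or of any Microsoft or Secureframe tool; the indicator names, thresholds, roles, review date, and all sample inputs are constructed assumptions. The sample inputs use the same columns as the Secure Score trend and device compliance exports shown later in this guide, so a real run would read those CSVs instead of the inline data.

```powershell
# Added example (not from the original article): evaluate a small set of continuous
# monitoring indicators against defined thresholds and turn any breach into a
# corrective-action record. Indicator names, thresholds, cadences, roles, the review
# date and all sample data below are constructed assumptions for illustration.

# Constructed sample of a Secure Score trend (same columns as a Secure Score CSV export)
$ScoreTrend = @'
CreatedDateTime,CurrentScore,MaxScore,Percentage
2025-12-12,412.5,610,67.6
2025-12-26,415.0,610,68.0
2026-01-09,388.0,612,63.4
'@ | ConvertFrom-Csv

# Constructed sample of a managed-device compliance summary (ComplianceState, Count)
$DeviceSummary = @'
Name,Count
compliant,182
noncompliant,14
inGracePeriod,3
unknown,6
'@ | ConvertFrom-Csv

$LogRetentionDays = 400    # constructed; in practice read RetentionInDays from the workspace export

# Each indicator defines how it is measured, when it triggers, who reviews it and what follows
$Indicators = @(
    @{
        Name      = 'SecureScorePctDrop'      # percentage points lost since the previous snapshot
        Cadence   = 'Weekly'; Role = 'Security lead'
        Operator  = 'gt'; Threshold = 2.0
        Measure   = {
            $sorted = @($ScoreTrend | Sort-Object { [datetime]$_.CreatedDateTime })
            [math]::Round([double]$sorted[-2].Percentage - [double]$sorted[-1].Percentage, 1)
        }
        Action    = 'Identify regressed improvement actions; open a POA&M item if not restored within the cadence'
    }
    @{
        Name      = 'NoncompliantDevicePct'   # share of managed devices not in a compliant state
        Cadence   = 'Weekly'; Role = 'Endpoint administrator'
        Operator  = 'gt'; Threshold = 5.0
        Measure   = {
            $total = ($DeviceSummary | ForEach-Object { [int]$_.Count } | Measure-Object -Sum).Sum
            $bad   = ($DeviceSummary | Where-Object { $_.Name -ne 'compliant' } |
                      ForEach-Object { [int]$_.Count } | Measure-Object -Sum).Sum
            [math]::Round(100.0 * $bad / $total, 1)
        }
        Action    = 'Review noncompliant devices; confirm Conditional Access blocks them; record root cause'
    }
    @{
        Name      = 'LogRetentionDays'        # workspace retention compared with the documented minimum
        Cadence   = 'Monthly'; Role = 'Security operations'
        Operator  = 'lt'; Threshold = 365     # constructed minimum from the monitoring strategy
        Measure   = { $LogRetentionDays }
        Action    = 'Raise workspace retention to the documented minimum; record the change in the SSP'
    }
)

function Invoke-MonitoringReview {
    param(
        [Parameter(Mandatory)] [hashtable[]] $Indicators,
        [datetime] $ReviewDate = (Get-Date)
    )
    foreach ($ind in $Indicators) {
        $value    = & $ind.Measure
        $breached = if ($ind.Operator -eq 'gt') { $value -gt $ind.Threshold } else { $value -lt $ind.Threshold }
        [pscustomobject]@{
            ReviewDate = $ReviewDate.ToString('yyyy-MM-dd')
            Indicator  = $ind.Name
            Value      = $value
            Trigger    = "$($ind.Operator) $($ind.Threshold)"
            Cadence    = $ind.Cadence
            Reviewer   = $ind.Role
            Result     = if ($breached) { 'ACTION REQUIRED' } else { 'Within threshold' }
            NextStep   = if ($breached) { $ind.Action } else { 'Record review; no action' }
        }
    }
}

$Review = Invoke-MonitoringReview -Indicators $Indicators -ReviewDate (Get-Date '2026-01-11')
$Review | Format-Table Indicator, Value, Trigger, Result -AutoSize

# The full table is the review record; breached indicators become candidate POA&M entries
$Review | Export-Csv -Path 'CA_3.12.3_Monitoring_Review.csv' -NoTypeInformation
$Review | Where-Object { $_.Result -eq 'ACTION REQUIRED' } |
    Export-Csv -Path 'CA_3.12.2_POAM_Candidates.csv' -NoTypeInformation
```

With the constructed inputs, the Secure Score indicator breaches (a 4.6-point drop between the last two snapshots), the device indicator breaches (11.2% of devices are not compliant), and retention is within threshold. The point of the structure is that every indicator carries its own cadence, reviewer, and follow-up action, so the exported review record shows both that the review happened and what it led to, which is exactly the gap between available telemetry and a defensible monitoring program.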

PowerShell reference for the CA family

Because the Security Assessment family is driven primarily by documentation, governance, and review discipline, PowerShell is most useful here for validating the technical inputs that support ongoing monitoring and portions of the control assessment process. The commands below focus on common evidence points assessors may ask for, including Secure Score trends, improvement actions, device compliance visibility, Intune configuration coverage, and Sentinel monitoring rules.

Export current Secure Score state (supports 3.12.3)

This command exports the current Secure Score snapshot for the tenant.

# Connect to Microsoft Graph (GCC High)
Connect-MgGraph -Environment USGov -Scopes "SecurityEvents.Read.All"

# Export current Secure Score
Get-MgSecuritySecureScore -Top 1 |
    Select-Object CurrentScore,
                  MaxScore,
                  @{N="Percentage";E={[math]::Round(($_.CurrentScore / $_.MaxScore) * 100, 1)}},
                  CreatedDateTime |
    Export-Csv -Path "CA_3.12.3_SecureScore_Current.csv" -NoTypeInformation


This is useful for showing the current state of Microsoft 365 security posture monitoring.

Export Secure Score trend history (supports 3.12.3)

This command exports recent Secure Score history so the organization can show how posture has changed over time.

# Connect to Microsoft Graph (GCC High)
Connect-MgGraph -Environment USGov -Scopes "SecurityEvents.Read.All"

# Export Secure Score trend history
Get-MgSecuritySecureScore -Top 90 |
    Select-Object CreatedDateTime,
                  CurrentScore,
                  MaxScore,
                  @{N="Percentage";E={[math]::Round(($_.CurrentScore / $_.MaxScore) * 100, 1)}} |
    Sort-Object CreatedDateTime |
    Export-Csv -Path "CA_3.12.3_SecureScore_Trend.csv" -NoTypeInformation


This helps demonstrate that the organization is not relying on a single score snapshot but is reviewing posture over time.

Export Secure Score improvement actions (supports 3.12.3)

This command exports improvement actions that may support ongoing monitoring and corrective action workflows.

# Connect to Microsoft Graph (GCC High)
Connect-MgGraph -Environment USGov -Scopes "SecurityEvents.Read.All"

# Export Secure Score improvement actions
Get-MgSecuritySecureScoreControlProfile -All |
    Select-Object ControlCategory,
                  Title,
                  MaxScore,
                  ImplementationStatus,
                  UserImpact,
                  Rank |
    Sort-Object MaxScore -Descending |
    Export-Csv -Path "CA_3.12.3_SecureScore_Actions.csv" -NoTypeInformation


This is useful for showing which Microsoft 365 posture items remain open and may require corrective action.

Export device compliance summary and detail (supports 3.12.3)

These commands export both a summarized and detailed view of managed device compliance states.

# Connect to Microsoft Graph (GCC High)
Connect-MgGraph -Environment USGov -Scopes "DeviceManagementManagedDevices.Read.All"

# Summarize device compliance states
$AllDevices = Get-MgDeviceManagementManagedDevice -All
$ComplianceSummary = $AllDevices |
    Group-Object ComplianceState |
    Select-Object Name, Count

$ComplianceSummary |
    Export-Csv -Path "CA_3.12.3_Device_Compliance_Summary.csv" -NoTypeInformation

# Export detailed device compliance data
$AllDevices |
    Select-Object DeviceName,
                  UserPrincipalName,
                  ComplianceState,
                  OperatingSystem,
                  IsEncrypted,
                  LastSyncDateTime |
    Export-Csv -Path "CA_3.12.3_Device_Compliance_Detail.csv" -NoTypeInformation


This helps support monitoring of endpoint control health over time.

Export Intune configuration profiles (supports 3.12.1 and 3.12.3)

This command exports the set of Intune device configuration profiles that may support both control assessment and continuous monitoring.

# Connect to Microsoft Graph (GCC High)
Connect-MgGraph -Environment USGov -Scopes "DeviceManagementConfiguration.Read.All"

# Export Intune configuration profiles
Get-MgDeviceManagementDeviceConfiguration -All |
    Select-Object DisplayName,
                  Id,
                  LastModifiedDateTime,
                  @{N="Type";E={$_.AdditionalProperties.'@odata.type'}} |
    Export-Csv -Path "CA_3.12.1_Config_Policies.csv" -NoTypeInformation


This is useful when validating which configuration artifacts are actually present in the tenant during a control assessment.

Export Sentinel monitoring rules (supports 3.12.3)

This command exports Sentinel analytics rules that may support monitoring for control drift or security control effectiveness.

# Connect to Azure Government
Connect-AzAccount -Environment AzureUSGovernment

$WorkspaceName = "your-sentinel-workspace"
$ResourceGroup = "your-resource-group"

# Export Sentinel monitoring rules
Get-AzSentinelAlertRule -WorkspaceName $WorkspaceName -ResourceGroupName $ResourceGroup |
    Select-Object DisplayName,
                  Kind,
                  Severity,
                  Enabled,
                  LastModifiedUtc |
    Export-Csv -Path "CA_3.12.3_Sentinel_Monitoring_Rules.csv" -NoTypeInformation


This helps demonstrate that the organization has monitoring logic in place beyond passive dashboard review.

Export Log Analytics retention settings (supports 3.12.3)

This command exports retention settings for the Sentinel Log Analytics workspace. It reuses the Azure Government session and the $WorkspaceName and $ResourceGroup variables established in the Sentinel rules block above.

Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName |
    Select-Object Name, RetentionInDays, Sku |
    Export-Csv -Path "CA_3.12.3_LogRetention.csv" -NoTypeInformation


This is useful for showing how long monitoring data is retained in support of the ongoing monitoring program.

What evidence your C3PAO will usually want to see

For the CA family, assessors typically want to see that the organization has a full governance cycle, not just isolated documents.

That usually includes the assessment plan, completed assessment reports, the current SSP, SSP revision history, the current POA&M, historical POA&M updates, the continuous monitoring strategy, examples of monitoring outputs, evidence of monitoring review, and evidence that deficiencies identified through assessments or monitoring are actually being tracked and corrected.

Assessors also tend to compare these artifacts against each other closely. If the SSP describes one boundary, the assessment plan assesses a different one, and the monitoring program watches only part of it, those inconsistencies usually surface quickly. The strongest evidence packages are internally consistent and clearly current.

Control | Typical evidence | What the assessor is looking for
------- | ---------------- | --------------------------------
3.12.1 Periodically assess security controls | Assessment plan, assessment methodology, completed assessment report, evidence collection records, assessor qualifications, assessment schedule. | The organization has a repeatable and periodic control assessment process that evaluates whether controls are effective, not just present.
3.12.2 Develop and implement plans of action | Current POA&M, historical POA&M records, milestone tracking, review meeting notes, remediation evidence, escalation records, executive status reporting. | Deficiencies are formally tracked, owned, reviewed, and remediated through a governed corrective action process.
3.12.3 Monitor security controls on an ongoing basis | Continuous monitoring strategy, Secure Score trend reports, Compliance Manager results, Sentinel monitoring rules, alert reviews, monitoring dashboards, review meeting records, remediation follow-up. | The organization is actively monitoring control effectiveness over time and using the results to drive corrective action.
3.12.4 Develop, document, and update the System Security Plan | Current SSP, revision history, system boundary documentation, network diagrams, interconnection records, update records, review approvals, control implementation narratives. | The SSP is complete, current, environment-specific, and accurate enough to serve as the foundation for the assessment.

The most common CA findings in real assessments

One of the most damaging weaknesses in this family is an incomplete or inaccurate SSP. When the SSP is vague, outdated, or missing critical boundary and control implementation detail, the assessor loses the document that anchors the rest of the review. That tends to create downstream findings across multiple families because the assessor cannot reconcile what the organization says with what the environment shows.

Another common issue is the absence of a real periodic control assessment process. Organizations may have implemented controls and collected evidence during initial deployment, but they have never revisited whether those controls remain effective. In those cases, the security program looks static rather than governed.

POA&M governance is another recurring weakness. Deficiencies are often known informally, but not tracked in a living document with dates, owners, milestones, and closure evidence. In other cases, a POA&M exists but is stale, overly broad, or missing the governance discipline that makes it useful.

Continuous monitoring also commonly looks thinner in practice than it sounds on paper. Tools are deployed, dashboards exist, and alerts are technically available, but the organization has not defined a true review cycle or corrective action process. This creates the appearance of monitoring without the operational follow-through.

Another recurring issue is an unclear distinction between Microsoft platform responsibility and customer implementation responsibility. During assessments, this confusion most often appears in the SSP and control narratives, where platform capabilities are described generically or where customer-owned configuration and operational controls are not explained in enough detail to verify implementation.

How the CA family supports other control families

Security Assessment is the governance layer for the rest of the framework.

Every control family should be represented in the SSP. Deficiencies in any family should be captured and governed through the POA&M process. Continuous monitoring should help verify whether controls across the environment remain effective between formal assessments. Periodic control assessment should help the organization determine whether its technical, administrative, and procedural controls are actually working the way they are described.

Risk Assessment feeds into CA because risk decisions help shape what is assessed, monitored, and prioritized. Audit and Accountability supports CA because monitoring and assessment depend heavily on reliable evidence and logging. Incident Response supports CA because incidents often expose control weaknesses that should trigger POA&M entries, SSP updates, or targeted reassessments. Configuration Management supports CA because changes to the environment should trigger updates to the SSP and, in some cases, additional assessment activity.

That is why this family matters so much. Security Assessment is not just a paperwork layer. It is the family that proves the organization can understand, document, and govern its own security program.

Get started

Security Assessment is where technical implementation turns into an assessable program. The SSP needs to be current, the POA&M needs to be governed, control assessments need to be periodic and evidence-based, and continuous monitoring needs to do more than produce dashboards.

Secureframe Defense connects directly to your GCC High environment and supports the workflows behind the CA family, including evidence collection and monitoring inputs for 3.12.3, structured remediation tracking for 3.12.2, and support for maintaining assessment-ready documentation tied to 3.12.1 and 3.12.4. When a C3PAO asks how your organization knows its controls are effective and how it tracks what is still incomplete, the goal is not to point to disconnected files and stale reports. The goal is to show a governance process that is current, consistent, and actively used.

See how Secureframe Defense automates CMMC evidence collection for the CA family by scheduling a demo with a product expert.

