As rapidly changing technologies and vulnerabilities materialize daily, organizations must have a security plan of action and milestones documented. This plan of action and milestones or POAM should be proactively followed by an assessment of the controls within the systems environment, and the resultant remediation procedure to mitigate any discovered instabilities, deficiencies, and emerging vulnerabilities.

Assessment Tools

3.12.1Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.

The following are suggested methods and tools for risk and security control assessment:

  • Automated Questionnaires – Automated questionnaires allow an organization to assess the security stance of an information system as a whole, rather than focusing on individual controls in a checklist-type assessment. Further information on automated support can be found in NISTIR 8011-1 – Automation Support for Security Control Assessments.
  • Security Ratings – Third-party tools are available to evaluate an organization’s security posture and produce a scorecard showing a breakdown of the system architecture.
  • Vulnerability Assessment Platforms – This type of tool analyzes security controls within the asset inventory to identify vulnerabilities within IT or OT infrastructure. The Center for Internet Security provides a self-assessment tool to help organizations improve their cyber defense posture regardless of size or resources. This tool is available at
  • NIST Cybersecurity Framework – This framework allows for a system designed to identify and respond to cyber risks, utilizing five major components: Identity, Protect, Detect, Respond, and Recover.


3.12.2Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.

Plans of action are critically essential in any information security project. They not only prove proactive commitment to interested parties to implement or augment controls to improve security posture and fulfill requirements, but also provide the organization with a way to plan for and track actions taken.

Also known as a “POAM” (Plan of Action & Milestones), this tool should include the following components:

  • The area(s) of non-compliance with NIST 800-171, specifying the weakness or vulnerability that needs correction;
  • Those within the organization responsible for implementing the correction;
  • Resources required to solve the vulnerability;
  • Dates for implementation, including milestones, if implementation will take place in phases;
  • Status (Not Started, In Process, Complete);
  • Final completion date.

Continuous Monitoring

3.12.3Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

It is imperative to have a  solid and incessant system-level continuous monitoring strategy, in accordance with the organization’s system infrastructure needs,  to facilitate ongoing awareness of the security and privacy posture necessary for making informed risk management decisions. Continuous security controls monitoring maintains authorizations of systems in highly dynamic environments of operation with ongoing changing business needs, threats, and vulnerabilities, and with the unceasing changes in technologies.

One major tool for achieving continuous monitoring is a properly configured gateway firewall with IDS, IPS, and application firewall with content filtering, containerization of subnets, Antivirus/Antispyware software administration, and proper global policies within a domain with POLP.

The following are three suggested methods for monitoring cybersecurity control:

  • Regular review of security metrics;
  • Implementation and use of vulnerability assessment tools;
  • Penetration testing to validate security configurations.

Infrastructure monitoring tools include Security Incident and Event Management Systems (SIEM), Intrusion Detection (IDS), and Behavioral Analytics (BA) systems.


3.12.4Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

System Security Plans may be contained in a single document, or they may be comprised of a collection of documents pertaining to the system environment, security implementation, internal and external controls, references to policies and procedures, and non-technical defense-in-depth strategies.

The SSP is a “living document” used to maintain current information that will be used by an assessor to evaluate an information system’s security posture.

Need Help?

If you are an Organization Seeking Certification (OSC) and are overwhelmed by the enormity and complexity of CMMC, consider professional services to help you plan, implement, and maintain compliance and ensure uninterrupted eligibility for DoD work.

FoxGuard Solutions delivers reliable, secure, and configurable solutions to solve technology and compliance challenges faced by critical infrastructure entities.  With over four decades of experience, our team focuses on delivering customized cybersecurity and compliance solutions.

Our services will help guide your organization through the Discovery, Planning, Execution, and Maintenance phases necessary to allow your organization to attain Cybersecurity Maturity Model Certification (CMMC).  Our team of experts will partner with you to review existing policies, processes, procedures, and technical controls to identify any gaps with CMMC requirements.  An execution plan will be created that aligns with your needs, budget, and timeline, and which outlines a recommended approach to attain CMMC.

As a Microsoft Gold Certified Partner, FoxGuard Solutions has experience in delivering both on-premise as well as cloud-based solutions to assist you with your compliance needs.

FoxGuard Solutions is ISO 9001 and ISO 27001 certified and is a CMMC Registered Provider Organization

Please visit for more information.