Control Reference: CA.L2-3.12.1
CA.L2-3.12.1:"Periodically assess the security controls in organizational systems to determine if the controls are effective in their application."
This control is derived fromNIST SP 800-171, Requirement 3.12.1, which mandates organizations to performregular security control assessmentsto ensure compliance and effectiveness.
Assessment Criteria & Justification for the Correct Answer:
Evidence Review & Assessment Timeline:
The organization's procedureexplicitly statesthat security control assessments must be conductedquarterly(every three months).
Since the Lead Assessor only has access to thefirst-quarter report, the second-quarter report is missing at the time of assessment.
CMMC Audit Requirements:
For an assessor to rate a control asMET, sufficient evidence must bereadily availableat the time of evaluation.
Since the second-quarter report is missingat the time of assessment, the Lead Assessorcannot verify compliancewith the organization's own stated frequency of assessment.
Why the Answer is NOT A, C, or D:
A (Sufficient, MET)→Incorrect: The control assessment frequency is quarterly, but the evidence for Q2 is not available. Compliance cannot be confirmed.
C (Sufficient, and re-rate later)→Incorrect: If evidence is not available during the audit, the controlcannot be rated as MET initially. There is no provision in CMMC 2.0 to "conditionally" pass a control pending future evidence.
D (Insufficient, but re-rate later)→Incorrect: Once a control is ratedNOT MET, it staysNOT METuntil a re-assessment is conducted in a new audit cycle. The assessordoes not adjust ratings retroactivelybased on future evidence.
Official CMMC 2.0 References Supporting the Answer:
CMMC Assessment Process (CAP) Guide (2023):
"For a control to be rated as MET, the assessed organization must provide sufficient evidence at the time of the assessment."
"If evidence is missing or incomplete, the finding shall be rated as NOT MET."
NIST SP 800-171A (Security Requirement Assessment Guide):
"Evidence must be current, relevant, and sufficient to demonstrate compliance with stated periodicity requirements."
Since the procedure mandatesquarterly assessments, missing evidence means compliancecannot be validated.
DoD CMMC Scoping Guidance:
"Assessors shall base their determination on the evidence provided at the time of assessment. If required evidence is not available, the control shall be rated as NOT MET."
Final Conclusion:
Thecorrect answer is Bbecause the required evidence (the second-quarter report) is not availableat the time of assessment, making itinsufficientto validate compliance. The Lead Assessormust rate the control as NOT METin accordance with CMMC 2.0 assessment rules.
