
CA.L2-3.12.4 Develop and update system security plans

Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

Verbatim NIST SP 800-171 Rev 2 requirement text (3.12.4).

Unscored gate (3.12.4) | Not POA&M-eligible: must fix before assessment | 8 assessment objectives

How it's scored

Unscored — but without it, no assessment can be completed.

Special scoring rule (DoD Assessment Methodology v1.2.1):

Annex A value is 'NA'. The absence of a system security plan results in a finding that 'an assessment could not be completed due to incomplete information and noncompliance with DFARS clause 252.204-7012.' An up-to-date SSP must exist at the time of assessment; this requirement can never be on a POA&M (32 CFR 170.21(a)(2)(iii)(C)).

Source: DoD Assessment Methodology v1.2.1 Annex A; 32 CFR 170.24(c)(2)(i)(B)(5); 32 CFR 170.21(a)(2)(iii)(C)

CA.L2-3.12.4 can never sit on a POA&M, regardless of your score: it is one of the six requirements 32 CFR 170.21(a)(2) excludes from Plans of Action & Milestones at conditional certification. It must be fully implemented before a Level 2 assessment can succeed.

What an assessor checks: the 8 assessment objectives

NIST SP 800-171A determination statements, verbatim. A CMMC Level 2 assessor marks CA.L2-3.12.4 MET only when every applicable objective is satisfied — and examines evidence, not assertions.

Objective | Determination statement
3.12.4[a] | a system security plan is developed.
3.12.4[b] | the system boundary is described and documented in the system security plan.
3.12.4[c] | the system environment of operation is described and documented in the system security plan.
3.12.4[d] | the security requirements identified and approved by the designated authority as non-applicable are identified.
3.12.4[e] | the method of security requirement implementation is described and documented in the system security plan.
3.12.4[f] | the relationship with or connection to other systems is described and documented in the system security plan.
3.12.4[g] | the frequency to update the system security plan is defined.
3.12.4[h] | system security plan is updated with the defined frequency.

Where do you stand on CA.L2-3.12.4?

The free Muster Score walks all 110 requirements — including every objective above — and computes your exact SPRS score in your browser. No signup, no upload, and your answers never leave your device.

Requirement and objective text: NIST SP 800-171 Rev 2 / SP 800-171A (verbatim). Scoring: DoD Assessment Methodology v1.2.1; POA&M eligibility: 32 CFR 170.21. Muster is independent and not affiliated with the U.S. Department of Defense or the Cyber AB; this page is compliance information, not legal advice or a certification.