CMMC Continuous Monitoring: Requirements, Cadence, and Evidence
CMMC continuous monitoringis a requirement that’s easy to skip — and easy for an assessor to catch. It comes down to seven words in NIST SP 800-171 Revision 2: monitor security controls on an ongoing basis.No fixed schedule. No named tool. So here’s the bottom line first: at CMMC Level 2, continuous monitoring (security requirement CA.L2-3.12.3) means keeping your security controls provably effective over time — you set risk-based cadences, keep evidence they actually ran, and act when something fails. That “no fixed schedule, no named tool” flexibility is exactly what makes this hard — and exactly what some vendors use to sell you more than you need. This page fixes that.
The 30-second answer
| Question | Bottom line |
|---|---|
| Is CMMC continuous monitoring required? | Yes, for Level 2, under security requirement CA.L2-3.12.3 (NIST SP 800-171 Rev. 2, §3.12.3). |
| Does it mean watching every control 24/7? | No blanket Level 2 rule says that. Cadence is risk-based, though a few specific activities are explicitly real-time. |
| Is a SIEM mandatory? | No specific SIEM product is named as universally required. Your architecture may still make SIEM-like capability the practical answer. |
| Who sets the frequency? | You do, for most activities — and you have to defend it. Where the assessment guide says “periodically,” the interval can’t exceed one year. |
| What proves it? | Defined scope, named owners, cadence, records that the activity ran, outputs, actions taken, and current documentation. |
| Did the July 2026 Phase II pause remove the duty? | No. It changed how CMMC gets written into new procurements; it did not turn off NIST SP 800-171 or DFARS 252.204-7012. |
July 2026 implementation update — read this before you panic or relax
On July 13, 2026, the Department of War suspended the transition to CMMC Phase II— the phase that would have expanded Level 2 third-party (C3PAO) assessment requirements across applicable procurements beginning November 10, 2026 — and launched a 60-day review of the program (U.S. Department of War release, July 13, 2026). Here’s what it actually did and didn’t change:
| Official action (July 13, 2026) | What it means operationally | What you must verify |
|---|---|---|
| Transition to Phase II suspended; pending/future CMMC milestones paused | The former November 10, 2026 date is not an active deadline | Whether your solicitation still references a Phase II requirement |
| Phase I self-assessment requirements remain | Level 1 (Self) and Level 2 (Self) obligations continue | Your current level and self-assessment status in SPRS |
| DFARS 252.204-7012 unaffected | You still safeguard covered defense information and report cyber incidents | That your NIST SP 800-171 implementation is current |
| New designations limited to Level 1 (Self) / Level 2 (Self); existing L2 (C3PAO) and L3 to be removed by modification | No blanket rush to book a C3PAO | Your actual amendment or modification, in writing |
| Enforcement continues via self-assessments and select government-led assessments | Your self-assessment carries real weight right now | That your posted score is accurate and supportable |
Translation for this page: the government paused a verification mechanism, not the requirement to protect the information. Continuous monitoring still lives in NIST SP 800-171 Rev. 2, and it’s still what makes your annual affirmation truthful.
Two operative facts you can act on today: New procurement designations are limited during the suspension — contracting officers are also directed to amend active solicitations and to remove Level 2 (C3PAO) and Level 3 requirements from existing contracts by modification before the next option period. And a press release does not automatically rewrite an executed contract — read your actual solicitation or modification and ask the contracting officer how the suspension applies to that award in writing. The required level shows up in the solicitation itself: DFARS 252.204-7025 is where CMMC level requirements are disclosed.
The program’s future is genuinely unsettled — a 60-day CMMC Reform Task Force is reviewing it, and the associated public Request for Information closes August 14, 2026. That’s a reason to get your monitoring house in order now, not a reason to wait.
The Defense Compliance Reportis the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category.
We are not affiliated with the Cyber AB, the Department of War or Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency. This is educational research, not legal, contractual, or compliance advice.
This page is for contractors handling CUI who are implementing or sustaining Level 2; Affirming Officials and control owners who need proof between assessments; and small and midsize DIB companies deciding whether they actually need new tooling or managed monitoring.
This page is not the full answer forFCI-only companies whose requirement is Level 1; Level 3 organizations weighing enhanced NIST SP 800-172 requirements; or anyone trying to figure out which level a specific contract requires. If that’s you, start with Find My CMMC Path instead.
What does CMMC continuous monitoring actually require?
Strip away the jargon and the requirement asks you to prove three things, continuously:
- You know what’s in scope. Which security controls, and the systems and services that support them, need watching.
- You check that they still work. Not “did we turn this on once,” but “is it still doing its job today.”
- You act when they don’t. Monitoring that produces a dashboard nobody responds to is observation, not control management.
The source language is worth reading once, because it’s the whole ballgame. NIST SP 800-171 Rev. 2 states the control as: “Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.” The discussion adds that the terms continuous and ongoingimply assessing and analyzing security controls “at a frequency sufficient to support risk-based decisions,” and points to NIST SP 800-137 (Information Security Continuous Monitoring) for further guidance.
Here’s the part that matters for your budget — the line between what the requirement and its official discussion call for and what they do not mandate:
| What CA.L2-3.12.3 and its official discussion call for | What CA.L2-3.12.3 does not mandate |
|---|---|
| Ongoing awareness that controls stay effective | One single cadence applied to every control |
| Someone accountable for the activity | A specific named vendor or product |
| A frequency sufficient for risk-based decisions | Around-the-clock analyst coverage for every Level 2 org |
| Actionable output (reports, alerts, dashboards) | One government-approved dashboard |
| A response when a control is failing | One mandatory monitoring-plan template |
| Documentation kept current as the system changes (supported by the SSP requirement, CA.L2-3.12.4) | A federally fixed universal log-retention period |
Did the July 2026 Phase II suspension make continuous monitoring optional?
We get why this question is on your mind. When the headline says “CMMC suspended,” it’s tempting to close the tab and move on. Don’t. The suspension is narrower than the headline, and the part that touches continuous monitoring is fully intact.
The reform review is directly relevant to this page: the CMMC Reform Task Force is charged with recommending “realistic, scalable security measures” and is gathering industry input through a public Request for Information (U.S. Department of War, July 13, 2026). Published legal analyses of that RFI note it seeks input on recognizing commercially available security products — but those are recommendations to be made, not rules in force. Don’t let an unconfirmed RFI response change your current implementation.
Want to pressure-test where you stand? Run your environment against our CMMC Readiness Checklist, mapped to the 14 security-requirement families. It's a lower-friction first step than any quote. No CUI, no login.
Run the CMMC Readiness ChecklistDoes “continuous” mean 24/7 — and do I need a SIEM?
It’s the question that comes up more than any other on continuous monitoring, and it usually lands the moment an MSP quote shows up with a 24/7 SOC line item. So let’s separate the four things that get blended together:
- ▸Explicitly real-time. SI.L2-3.14.5 requires “periodic scans of organizational systems and real-time scans of files from external sourcesas files are downloaded, opened, or executed.” That’s on-access antimalware scanning — required, and genuinely real-time. It is not the same as paying humans to stare at a console overnight.
- ▸Event-triggered. Some alerts must fire on an event — for instance, alerting when the audit-logging process fails (AU.L2-3.3.4). Real-time alerting, not a mandated 24/7 human-staffing interval.
- ▸Risk-based and ongoing. CA.L2-3.12.3 itself. You choose the cadence and defend it.
- ▸Level 3 territory. CMMC Level 3 layers 24 enhanced security requirements selected from NIST SP 800-172 on top of the 110 Level 2 requirements, is assessed by the government (DCMA DIBCAC), and carries materially higher monitoring and detection expectations (32 CFR §170.14). If you’re a Level 2 shop, don’t let a vendor sell you Level 3 posture you don’t need.
Now the honest part. Continuous monitoring is a recurring operating cost, not a one-time purchase — and if you’re a very small shop with a handful of in-scope systems, you may not need a full SIEM at all. The logging and monitoring controls can be met with centralized logging plus documented, repeatable manual review, named owners, retained evidence, and tested response. That combination won’t satisfy every one of the 110 Level 2 requirements by itself — but for the audit and monitoring objectives, it can hold up. “We collect logs” isn’t enough on its own; a defined, evidenced review process is.
Past a handful of systems — multiple clouds, real log volume, internet-facing services, no security staff after hours — a SIEM (or managed detection and response, MDR) often becomes the more sustainable choice. Whether it’s cheaper than manual review is a scoped cost decision for your environment, not a CMMC requirement. Buy for the specific capability you’re missing, not for the phrase “continuous monitoring.”
A quick reality check on tools
A SIEM can give you: centralized visibility, cross-system correlation, alerting, investigation timelines, log-health monitoring, and clean evidence export.
A SIEM does not, by itself, give you: correct scope, complete log sources, sane alert logic, a responsible analyst, a documented response, retained evidence, an accurate System Security Plan (SSP), or clarity on which controls your provider owns versus you.
If you run Microsoft 365 GCC High,Microsoft Sentinel is available in Azure Government and can support GCC High workloads — but connector, feature, region, and data-type support varies, so verify every required log source against Microsoft’s current government-cloud documentation before you assume coverage. It’s a common starting point, not a guarantee.
Before you buy anything, build the plan first. If you're not sure whether this belongs with your internal team, an MSSP, or a GRC platform, map your situation first — it routes you to a category, not a sales pitch. Do not enter CUI, credentials, vulnerabilities, or contract-controlled files.
Map My Situation with Find My CMMC PathWhich security requirements support CMMC continuous monitoring?
We built this map to put four things in one operating view: the plain-English activity mapped to the actual NIST SP 800-171 Rev. 2 requirement, its CMMC Level 2 identifier, what the source says about timing, the kind of evidence that supports it, and the failure mode to watch for.
How we chose these rows. We include a security requirement when its text or assessment objectives involve monitoring, scanning, alerting, recurring assessment, detecting unauthorized use, or keeping monitored implementations accurate. This is a selected operating subsetof the 110 Level 2 requirements — not the full set. CA.L2-3.12.3 is the core; the rest support it.
How to read the timing column.It reflects the language in NIST SP 800-171 Rev. 2 or the CMMC Level 2 Assessment Guide. Where the source states no interval, that’s noted — and setting a defensible cadence is yourcall (see the cadence section below). The “failure mode to check” column is our editorial observation, not a regulatory statement.
The CMMC Continuous Monitoring Requirements Map — verified
| Monitoring activity | NIST 800-171 Rev. 2 | CMMC L2 Req. | Family | Timing the source states | Potential evidence examples | Failure mode to check |
|---|---|---|---|---|---|---|
| Monitor that controls stay effective over time (the core requirement) | 3.12.3 | CA.L2-3.12.3 | CA | “Ongoing”; frequency organization-defined | Monitoring plan, dated review records with owners, dashboards, actions taken | Dashboards exist, but no decision or fix is shown |
| Periodically assess the controls | 3.12.1 | CA.L2-3.12.1 | CA | “Periodically” (guide: org-set interval ≤ 1 year) | Internal assessment plan, test results, findings, corrective actions | The 3-year assessment is treated as the only review |
| Create and retain audit logs | 3.3.1 | AU.L2-3.3.1 | AU | Create and retain (ongoing) | Logging config, retained logs, written retention policy | Logs sit on individual systems; collection gaps go unnoticed |
| Alert when audit logging fails | 3.3.4 | AU.L2-3.3.4 | AU | On audit-process failure (event-triggered; no staffing interval stated) | Alert config, test result, notification, response ticket | Logging stops silently and no one is paged |
| Review and update which events get logged | 3.3.3 | AU.L2-3.3.3 | AU | No fixed interval stated (organization-defined) | Approved event catalog, review minutes, change ticket | Event types set once, never revisited |
| Correlate, analyze, and report audit records | 3.3.5 | AU.L2-3.3.5 | AU | No fixed interval stated | Correlation queries, analyst notes, timelines | Data collected that can’t be turned into an investigation |
| Scan for vulnerabilities | 3.11.2 | RA.L2-3.11.2 | RA | “Periodically” + “when new vulnerabilities are identified” | Scan scope, scanner config, scan reports over time, remediation tickets | Scans miss assets or credentials; findings have no owner |
| Identify, report, and correct system flaws (patch) | 3.14.1 | SI.L2-3.14.1 | SI | “In a timely manner” | Patch cadence records, flaw-remediation tickets | “Timely” is undefined and drifts into months |
| Malicious-code protection | 3.14.2 | SI.L2-3.14.2 | SI | Ongoing protection | Centrally managed AV/EDR deployment and update records | Consumer AV instead of centrally managed, monitored protection |
| Monitor security alerts and advisories, and act | 3.14.3 | SI.L2-3.14.3 | SI | As alerts/advisories are issued | Advisory subscriptions, triage decisions, action records | Advisories subscribed to but never dispositioned |
| Periodic + real-time scans of external files | 3.14.5 | SI.L2-3.14.5 | SI | Real-timefor external files + “periodic” system scans | On-access scan config, scan schedule, detection log, update status | “Real-time” claimed without testing download/open/execute channels |
| Monitor systems and inbound/outbound traffic for attacks | 3.14.6 | SI.L2-3.14.6 | SI | Monitor (ongoing) | Sensor coverage, alert logic, investigations, response tickets | Data collected, but no one owns alert disposition |
| Identify unauthorized use of systems | 3.14.7 | SI.L2-3.14.7 | SI | No fixed interval stated | Baseline, alerts, investigation, corrective action | An acceptable-use policy with no detection behind it |
| Baseline configurations and monitor for drift | 3.4.1 / 3.4.2 | CM.L2-3.4.1 / CM.L2-3.4.2 | CM | Establish and maintain (ongoing) | Baseline docs, config-monitoring/SCAP results | The baseline is documented once, never compared to reality |
Why the score math matters here. Under the DoD NIST SP 800-171 Assessment Methodology used for the Supplier Performance Risk System (SPRS), you start at a perfect 110 and subtract each unmet requirement’s weight (1, 3, or 5 points). Adjusted deductions for partial implementation are limited to a small number of requirements, including IA.L2-3.5.3 (multifactor authentication) and SC.L2-3.13.11 (FIPS-validated cryptography); most others are all-or-nothing (32 CFR §170.24). Several of the monitoring requirements above carry the maximum 5-pointdeduction — CA.L2-3.12.3, CA.L2-3.12.1, AU.L2-3.3.1, AU.L2-3.3.5, RA.L2-3.11.2, SI.L2-3.14.1, SI.L2-3.14.2, SI.L2-3.14.3, SI.L2-3.14.6, and CM.L2-3.4.1/.2 — while others carry 3- or 1-point deductions. Because self-assessments and select government-led assessments are the enforcement mechanisms during the suspension, that score carries real weight right now.
How often do I have to monitor, and how long do I keep the proof?
Cadence confuses people because CMMC uses several timing logics, and vendors tend to flatten them into one scary “everything must be daily.” We group them into five operating types to keep source-stated timing separate from your own cadence and triggers — a DCR framework, not an official taxonomy:
- Real-time — required for specific activities (e.g., on-access scanning of external files, SI.L2-3.14.5).
- Event-triggered — triggered by a failure, incident, advisory, or anomaly (e.g., audit-failure alerts).
- Change-driven — triggered before, during, or after a system change.
- Recurring, risk-based — organization-defined, based on your environment.
- Annual minimum — where the guide points to at least annual activity, such as security-control assessment and SSP review.
To set a defensible recurring cadence for anything organization-defined, work through these questions: How fast could this control quietly fail? How fast would that failure cause real exposure? How fast could you even detect it? How much does the environment change? Is the activity automated or manual? Is a provider doing it? A monthly control-owner review is a reasonable starting pointfor a small, stable enclave — but “stable” is doing a lot of work in that sentence. A high-change, multi-cloud, internet-facing environment needs faster review, and you should write down whyyou chose what you chose. That written rationale is what turns “we felt like monthly was fine” into a defensible risk decision.
On retention — a nuance worth getting right
NIST SP 800-171 does not set a fixed log-retention period; you define one based on risk and contractual duties. Two separate rules do bite, though:
- ▸Assessment artifacts: six years. 32 CFR §170.16 and §170.17 require the artifacts used as evidence for a Level 2 assessment to be retained for six years from the CMMC Status Date. That’s about assessment evidence — not a blanket command to warehouse every raw operational log for six years.
- ▸Cyber-incident data: at least 90 days. DFARS 252.204-7012(e) requires you to preserve and protect images of affected systems and relevant monitoring and packet-capture data for at least 90 days after you submit a cyber-incident report, so DoD can request the media.
Set a written retention policy, retain operational logs for the periods established by your contract terms, applicable law, incident-response needs, your evidence strategy, system capability, and documented risk decisions — and don’t let a vendor talk you into six-year hot storage of everything as if the regulation demands it.
What evidence proves CA.L2-3.12.3?
Assessors — and your own honest self-assessment — aren’t looking for “we have a tool.” They’re looking for proof the tool is configured, watched, reviewed, and retained. We organize potential evidence into a seven-layer chain (the DCR Evidence-Chain Framework— our editorial mapping of potential evidence to NIST’s examine/interview/test methods, not a federally mandated set of labels):
| Evidence layer | Examples | Question it answers |
|---|---|---|
| Design | Policy, monitoring plan, procedure, responsibility matrix | What is supposed to happen? |
| Scope | Asset inventory, boundary diagram, log-source inventory, Customer Responsibility Matrix | What is covered? |
| Execution | Scan records, review logs, alert history, meeting notes, test results | Did it actually happen? |
| Output | Dashboard, report, finding, exception, alert | What did it reveal? |
| Response | Ticket, operational plan of action, incident record, change request | What did you do about it? |
| Validation | Rescan, closure check, retest, approval | Did the response work? |
| Governance | Management review, risk decision, SSP update, affirmation support | Who accepted the result, and how did it affect compliance? |
Structure your evidence so you can support the three ways it gets checked: an assessor can examine the documents, interview the actual owner, and test the mechanism. NIST SP 800-171A (June 2018) defines those assessment methods and lets them be tailored by depth and coverage; the CMMC Level 2 Assessment Guide supplies the specific objectives an assessor works against.
One thing that trips people up: freshness.A screenshot from the day you first turned a control on doesn’t prove it’s been running since. For each artifact, track the period it covers, when it was captured, the source system, who captured it, and the action it led to. Evidence you can’t tie to the period under review is a lot weaker — and may not show the control was actually running.
Turn this into a working evidence register. Our CMMC Readiness Checklist maps it against the 14 families so nothing falls through. Use generic system labels — do not upload or enter CUI, credentials, vulnerability details, or controlled contract files.
Open the CMMC Readiness ChecklistHow do you build a CMMC continuous monitoring plan?
Here’s the sequence we’d run, in order:
- Freeze a scope baseline. Capture your CMMC Assessment Scope, CUI assets, security protection assets, external service providers (ESPs) and cloud service providers (CSPs), boundaries, CUI flows, and the current SSP version. Everything downstream keys off this.
- Build the monitoring inventory. Start with the requirements in the map above, then add anything specific to your environment — remote-access session monitoring, boundary monitoring, incident-response readiness, physical-facility monitoring where it applies.
- Assign ownership. For each activity: the accountable internal owner, whoever performs it, a backup, who reviews the output, and who can approve a risk decision or update the SSP. Unowned monitoring is the single most common gap.
- Set timing in two layers. Record the source-stated timing first (real-time, periodic, timely, or “no interval stated”), then your organization-defined cadence — with a one-line rationale for why it fits your risk.
- Add triggers. Every row should carry an event or change trigger, not just a calendar date: a new vulnerability, an incident, a system change, a missing log source, a new connection.
- Define evidence before you execute. Decide what artifact will prove each activity ran, who creates it, whether it’s sensitive, where it lives, how long you keep it, and whether you can reproduce it on request.
- Define the response path. Triage, severity, ticketing, when it becomes an operational plan of action, when it becomes an incident, closure validation, and the SSP update.
- Test the system, then review effectiveness. Test your audit-failure alert, your escalation, your evidence export, and your change-to-SSP workflow. Then review whether the activity can actually detect and correcta failing control — not just whether a box got checked.
Keep the whole thing in one register your team updates — scope, owner, source timing, your cadence, trigger, evidence, last-run date, next-due date. That register is your CA.L2-3.12.3 evidence.
Not sure whether your team can run this or you need outside help? Map it with Find My CMMC Path — tell it your level, scope, and timeline, and it points you to the right provider category (internal, MSSP, or GRC platform) before you request a single quote. Routing only. No CUI, drawings, or contract details.
Find My CMMC PathHow do continuous monitoring, the assessment, and the annual affirmation fit together?
Four different things get collapsed into the marketing phrase “continuous compliance,” and confusing them is how contractors end up over-buying or under-protecting:
| Concept | What it is | Typical output | What it is not |
|---|---|---|---|
| CA.L2-3.12.3 ongoing monitoring | Operating awareness that controls stay effective | Reports, dashboards, reviews, actions | A one-time assessment |
| Specific technical monitoring | Logging, traffic monitoring, scans, malware scanning, alerting | Logs, alerts, scan results, incidents | The entire monitoring program |
| Periodic security-control assessment | Structured testing of control effectiveness | Assessment plan, results, findings | Day-to-day security operations |
| Annual affirmation | Formal attestation of continuing compliance in SPRS | A submitted affirmation record | Proof by itself that every control has actually been operated |
The affirmation is where the stakes get real. Under 32 CFR §170.22, the Affirming Official— a senior representative with authority over the organization’s compliance — must affirm continuing compliance after each assessment, including any POA&M closeout, and annually thereafter, entered in SPRS. The attestation isn’t “we were compliant on assessment day.” It’s that the organization “has implemented and will maintain implementation” of the applicable requirements across scope. A dashboard full of green boxes with no current evidence, no owner, no change handling, and no remediation doesn’t discharge that responsibility.
And that attestation carries real legal weight. Inaccurate or unsupported self-attestations posted in SPRS remain an area of False Claims Act exposure that the suspension does nothing to diminish. Translation: your affirmation should never outrun what your monitoring evidence can support — and if you’re unsure, that’s a question for federal-contracts counsel, not a checklist.
Here’s the trap to avoid: a Final Level 2 CMMC Status is valid for three years, subject to annual affirmation, and a Conditional Level 2 status carries a 180-day POA&M closeout window (32 CFR §170.17). But a three-year assessment cycle is not a three-year monitoring cycle.Between assessments you’ll have system changes, new vulnerabilities, staff turnover, logging failures, and provider changes. Continuous monitoring is how you keep the thing you affirmed actually true in month 14.
How do system changes and temporary gaps get handled between assessments?
Environments change. That’s not a compliance failure; failing to handle the change is. The official CMMC guidance frames it in three stages:
- ▸Before: perform a security-impact analysis, review the CUI flow, determine whether scope changes, document the change, and flag whether it may be significant.
- ▸During: record temporary risks, assign responsible personnel, maintain any compensating measures, and — where appropriate — open an operational plan of action.
- ▸After: validate the result, update the SSP and diagrams, update provider-responsibility documentation, and close temporary actions only after you’ve verified they worked.
The distinction that saves contractors from a real headache is operational plan of action (OPA) versus CMMC assessment POA&M:
| Operational plan of action (OPA) | CMMC assessment POA&M |
|---|---|
| Documents a temporary deficiency that arises after a requirement was implemented | Documents eligible NOT MET findings from a CMMC assessment |
| Part of routine operations and change handling | Tied to a Conditional CMMC Status |
| You define the operational format | Governed by 32 CFR §170.21 |
| Should never become a permanent excuse for an unimplemented control | Must close out within 180 days, or the Conditional status expires |
Per the CMMC Assessment Guide’s own definitions, a temporary deficiency “is not based on an ‘in progress’ initial implementation” — it arises after implementation and gets tracked in an OPA. When a degraded control fits that temporary-deficiency definition, document it in an OPA with an owner, milestones, and validation. Not every operational hiccup automatically meets the definition — but don’t mislabel ordinary drift as an assessment POA&M, and don’t let an OPA sit open forever as a substitute for actually fixing the control.
Which levels require this — and how is Level 3 different?
| Level | Information protected | How monitoring shows up | Assessment path during current pause |
|---|---|---|---|
| Level 1 | FCI | 15 basic safeguards (FAR 52.204-21); some are monitoring-flavored (e.g., malicious-code scanning, SI.L1-b.1.xv), but not CA.L2-3.12.3 | Annual self-assessment |
| Level 2 | CUI | CA.L2-3.12.3 plus specific supporting requirements in AU, RA, SI, CM, AC, IR, PE, SC, and other applicable families | Level 2 self-assessment is the normal new-procurement path during the suspension; verify your actual contract |
| Level 3 | Most sensitive CUI vs. advanced threats | Level 2 baseline + 24 enhanced NIST SP 800-172 (Feb 2021) requirements, with materially higher monitoring and detection expectations | New Level 3 designations are paused; Level 3 requires a Final Level 2 (C3PAO) first, then DCMA DIBCAC assesses the 24 enhanced requirements |
Be precise here, because sloppy sources cause real errors: “continuous monitoring is required at all levels” is too imprecise. Any cybersecurity program at any level has to keep working — but the specific CA.L2-3.12.3 requirement is a Level 2 requirement. Describe Level 1 and Level 3 by their own source language, and never turn a general security principle into a false requirement citation.
One version note that matters: CMMC Level 2 currently assesses against NIST SP 800-171 Revision 2. NIST has since published a Revision 3 in its general series, but CMMC continues to use Revision 2 until future rulemaking incorporates any change. You may choose to prepare for Rev. 3, but keep your traceability to the current Rev. 2 CMMC requirements. Don’t let a tool or consultant quietly swap Rev. 3 control numbers into your Level 2 program.
How do MSPs, MSSPs, CSPs, and other ESPs share continuous-monitoring responsibility?
Whether the provider is an MSP, MSSP, CSP, or another external service provider (ESP), ask the same five questions for every monitoring activity they touch:
- Who configures the mechanism?
- Who watches its health?
- Who triages the findings?
- Who takes corrective action?
- Who preserves and produces the evidence for your assessment?
If the answer to any of those is “we assumed the provider,” that’s a gap. What to request from a provider before you rely on them: a service description, the current shared-responsibility or customer-responsibility matrix, the log sources included, alert severity and response definitions, coverage hours, escalation times, retention and export capability, and how evidence is delivered on request.
Red flags to walk away from:
- “We handle CMMC for you” with no requirement-level responsibility mapping
- No named evidence owner
- No tested audit-failure alert
- No log-source inventory
- No right to export your own evidence
- No responsibility for after-hours alerts despite a “24/7” marketing claim
- Provider reports that can’t be mapped to an assessment objective
Document who’s responsible in your SSP and, for cloud and external service providers, a CRM — that’s the document an assessor uses to see where your responsibility ends and the provider’s begins.
What does CMMC continuous monitoring cost?
We’d rather give you the drivers than a fake range that falls apart the moment your scope differs from the example:
| Cost driver | Why it moves the number |
|---|---|
| In-scope assets and log sources | More deployment, collection, scanning, and evidence |
| Coverage hours | After-hours analyst coverage costs more than business-hours review |
| Environment diversity | Hybrid and multi-cloud environments need more integration |
| Existing native tools | Strong existing tooling can reduce duplication |
| Internal staffing | Managed services replace or supplement internal labor |
| Evidence maturity | Reconstructing evidence by hand adds recurring effort |
| Change rate | More changes mean more impact analysis, testing, and documentation |
| Enclave strategy | A smaller scope can reduce operating complexity but add migration and service cost |
| Level 3 applicability | Enhanced requirements can materially change what you need |
The honest way to frame it: continuous monitoring is an operating expense, not a one-time project.A certified provider’s value is recurring — monitoring, evidence upkeep, and annual-affirmation support are a monthly line, the operating cost of holding DoD contracts, not a box you check once before an assessment. Build vs. buy vs. managed is a scoped cost decision; the requirement is the same either way.
Which provider category should handle the gap?
Match the category to the gap:
| Your actual gap | Category to evaluate first | Don’t default to |
|---|---|---|
| Scope, SSP, requirement interpretation, readiness plan | RPO / readiness specialist | A C3PAO assessment |
| IT implementation and sustained operations | CMMC-focused MSP | GRC software alone |
| Detection, log review, alert triage, response support | MSSP / managed detection and response | A documentation consultant alone |
| Evidence organization, ownership, workflow, reporting | GRC platform (a supporting layer) | A platform marketed as “automatic compliance” |
| Enterprise is too broad/expensive to secure directly | CUI enclave / secure collaboration | Bolting tools onto an undefined enterprise scope |
| Your contract explicitly requires a Level 2 certification and readiness is done | Authorized C3PAO (check current status) | The firm that prepared you for the assessment |
Two guardrails we won’t soften. First, software alone doesn’t satisfy CMMC.A GRC platform can automate evidence, tasks, reminders, control mapping, and reporting — it doesn’t, by itself, operate your technical and procedural controls. Treat it as a supporting layer, not the whole solution. A CUI enclavecan reduce your assessment scope, but only when CUI flows and the supporting assets are genuinely confined to the enclave boundary; it doesn’t automatically remove enterprise systems, security protection assets, connections, personnel, or external providers from scope.
Second, keep readiness and assessment separate. Under the CMMC conflict-of-interest rules (32 CFR §170.8(b)(17)), a firm that served as your consultant to prepare you for a CMMC assessment generally may not then perform that certification assessment — a restriction that runs for three years. A live reminder given the pause: the old “book a C3PAO before November 10, 2026” urgency is no longer valid as a general rule — first confirm what your actual solicitation or contract requires after any amendment.
Not sure whether your gap belongs with an RPO, an MSSP, a GRC platform, a CUI enclave, or — when it's actually required — a C3PAO? The Defense Compliance Report's Find My CMMC Path tool applies The CMMC Path Framework to your level, FCI/CUI handling, assessment type, environment, and timeline, then routes you to a provider category. Do not submit CUI, drawings, credentials, vulnerability details, or contract attachments.
Find My CMMC Path →Twenty CMMC continuous monitoring failure modes to check
These failure modes recur across the source requirements, the assessment guidance, and the operating evidence chain. If you fix nothing else on this page, check these:
- Treating the three-year assessment as the monitoring cadence.
- Treating the annual affirmation as a substitute for operational evidence.
- Buying a SIEM before defining log sources and owners.
- Collecting logs without ever checking collection health.
- Building alerts with no one assigned to triage them.
- Running scans without closing the findings.
- A monitoring plan with no execution history behind it.
- Dashboards that can’t produce the underlying evidence.
- Not updating the SSP after a system change.
- Using an assessment POA&M for ordinary operational gaps (that’s an OPA).
- Letting OPAs stay open indefinitely.
- Assuming your MSP owns activities that aren’t in the contract.
- No documented Customer Responsibility Matrix with your provider.
- Screenshots with no dates, scope, or interpretation.
- One cadence applied to controls with very different risk.
- Calling every control “real-time” with no source behind it.
- Assuming native cloud tools are inadequate just because they aren’t branded “SIEM.”
- Assuming a purchased platform equals implemented controls.
- Letting evidence files contain uncontrolled CUI.
- Using the suspended Phase II date to manufacture urgency — internally or from a vendor.
How we researched and verified this guide
What we actually verified ():
| What we verified | Source and edition | Where used |
|---|---|---|
| July 13, 2026 Phase II suspension; Phase I self-assessments remain; enforcement via self-assessments and select government-led assessments | U.S. Department of War release, July 13, 2026 (war.gov) | Suspension sections |
| CMMC Level 2 assesses NIST SP 800-171 Revision 2 | CMMC Level 2 Assessment Guide; DoD CIO CMMC FAQ | Throughout |
| Exact text/discussion of CA.L2-3.12.3 | NIST SP 800-171 Rev. 2 §3.12.3; CMMC Level 2 Assessment Guide | Requirement sections |
| “Periodically” = org-set interval not exceeding one year | CMMC Level 2 Assessment Guide | Cadence section |
| SI.L2-3.14.5 real-time scanning of external files | NIST SP 800-171 Rev. 2 §3.14.5 | 24/7 / SIEM section |
| Core monitoring requirements are 5-point deductions; partial credit limited (IA.L2-3.5.3, SC.L2-3.13.11) | DoD NIST SP 800-171 Assessment Methodology; 32 CFR §170.24 | Requirements map |
| Annual affirmation and Affirming Official role | 32 CFR §170.22 | Affirmation section |
| Six-year assessment-artifact retention (Level 2) | 32 CFR §170.16 / §170.17 | Retention section |
| 90-day cyber-incident data preservation | DFARS 252.204-7012(e) | Retention section |
| OPA vs. assessment POA&M; 180-day closeout | 32 CFR §170.4, §170.21; CMMC Assessment Guide | Change-handling section |
| Level 3: Level 2 baseline + 24 enhanced NIST SP 800-172 (Feb 2021) requirements, DIBCAC-assessed | 32 CFR §170.14 | Levels section |
What we did not do:we did not observe your systems, and we can’t tell you which level a specific contract requires — that’s set by the clause and your CUI handling. Cadence and tooling depend on your environment and documented risk decisions. The CMMC reform review may change procurement policy; we re-verify the status of this page frequently and date every regulatory fact.
This is educational research, not legal, contractual, or compliance advice. Confirm scope and applicability with a CMMC Registered Practitioner or Registered Provider Organization (RP/RPO), or a qualified federal-contracts attorney.
CMMC continuous monitoring FAQ
- Is CMMC continuous monitoring required?
- Yes, for Level 2, under security requirement CA.L2-3.12.3 (NIST SP 800-171 Rev. 2, §3.12.3). Several other Level 2 requirements also impose specific monitoring, scanning, alerting, review, testing, and change activities.
- Does CMMC continuous monitoring mean 24/7?
- Not as a blanket Level 2 rule. Some activities are explicitly real-time — like scanning files from external sources (SI.L2-3.14.5) — and Level 3 carries higher expectations, but Level 2 does not require around-the-clock analyst coverage of every control.
- Is a SIEM required for CMMC Level 2?
- No specific SIEM product is named as universally mandatory. You still have to satisfy the underlying audit, monitoring, alerting, investigation, evidence, and response objectives — which a SIEM commonly helps with, but which very small, stable environments can meet with centralized logging plus documented manual review.
- How often must CMMC controls be monitored?
- Use the source-stated cadence where one exists. Where cadence is organization-defined, set and document a frequency sufficient for risk-based decisions and add event and change triggers. Where the CMMC Level 2 Assessment Guide uses “periodically,” the interval may not exceed one year.
- Is monitoring once a year enough?
- Not for the whole program. Some activities have an at-least-annual floor, but real-time, event-triggered, change-driven, and recurring risk-based activities require more frequent execution.
- What is the difference between continuous monitoring and a CMMC assessment?
- Continuous monitoring operates the security program between assessment points. An assessment evaluates whether requirements are implemented correctly, operating as intended, and producing the desired outcome, at a point in time.
- Is the annual affirmation the same as continuous monitoring?
- No. The affirmation is a senior official’s formal attestation in SPRS (32 CFR §170.22). Continuous monitoring produces the operational basis and evidence that make that attestation truthful.
- Did the July 2026 Phase II suspension remove monitoring requirements?
- No. It suspended the transition to third-party assessments and paused pending milestones. Phase I self-assessment requirements and DFARS 252.204-7012 safeguarding duties remain in force.
- Does CMMC Level 1 require CA.L2-3.12.3?
- No. CA.L2-3.12.3 is a Level 2 requirement. Level 1 (FCI only) has separate safeguards, some of which involve ongoing protection and scanning (for example, SI.L1-b.1.xv).
- Does CMMC use NIST SP 800-171 Revision 2 or Revision 3?
- CMMC assessments currently use Revision 2. Any move to Revision 3 would require future rulemaking.
- What evidence should we retain?
- Retain evidence that shows design, scope, execution, output, response, validation, and governance. Separately, artifacts used as assessment evidence are subject to the six-year retention rule in 32 CFR Part 170, and cyber-incident data must be preserved for at least 90 days under DFARS 252.204-7012(e). There is no single fixed routine log-retention duration in NIST SP 800-171.
- Can an MSP or MSSP perform continuous monitoring?
- Yes, it can perform defined activities — but you remain responsible for understanding scope, shared responsibilities, evidence, escalation, and everything the provider does not cover. Document it in your SSP and a Customer Responsibility Matrix.
- Is an operational plan of action the same as a CMMC POA&M?
- No. An operational plan of action documents a temporary deficiency that arises after a requirement was implemented. A CMMC assessment POA&M is tied to Conditional status and must close out within 180 days under 32 CFR §170.21.
- Can the same company prepare us and then assess us?
- Generally not for the same assessment. The CMMC conflict-of-interest rules (32 CFR §170.8(b)(17)) restrict a firm that served as your assessment-preparation consultant from performing that certification assessment, and that restriction runs for three years.
- Should we buy a SIEM before building a monitoring plan?
- Usually not. Define the required outcomes, scope, log sources, ownership, response, and evidence first — then decide whether your current tools already satisfy them or you have a specific capability gap to fill.
The bottom line, and your next move
Continuous monitoring is the difference between “we passed once” and “we can prove we still work” — and during the suspension, with self-assessments and select government-led assessments carrying the enforcement weight, the second one is what protects your contracts and your annual affirmation. You now know the exact requirement (CA.L2-3.12.3), the group of requirements around it, which cadences the source sets versus which you set, what evidence holds up, and where the real risks are.
Need help deciding what type of CMMC provider you need? Tell us your level, scope, and timeline, and we'll match you with source-checked CMMC provider options. It starts by mapping your situation to the right provider category. Do not submit CUI, drawings, credentials, vulnerability scans, contract-controlled files, or sensitive system details. Routing only.
Find My CMMC Path →Primary sources referenced on this page
- NIST SP 800-171 Revision 2 — §3.12.3, §3.14.5, §3.14.6, §3.3.x, §3.11.2, §3.4.x
- NIST SP 800-171A (June 2018) — assessment methods and objectives
- NIST SP 800-137 — Information Security Continuous Monitoring (ISCM)
- CMMC Level 2 Assessment Guide (DoD CIO)
- 32 CFR Part 170 — §170.4, §170.8, §170.9, §170.11, §170.14, §170.16, §170.17, §170.21, §170.22, §170.24
- DoD NIST SP 800-171 Assessment Methodology (SPRS scoring weights)
- DoD CIO CMMC FAQ (change workflow; cost drivers; Rev. 2 assessment basis)
- U.S. Department of War, “Forging the Arsenal of Freedom: Department of War Suspends CMMC Phase II Requirements,” July 13, 2026
- DFARS 252.204-7012 (safeguarding, incident reporting, 90-day preservation); DFARS 252.204-7025 (solicitation notice of CMMC level)