The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base
July 13, 2026 update: The Department of War suspended CMMC Phase II third-party expansion. Phase I self-assessments remain in force. DFARS 252.204-7012 safeguarding duties, the continuous monitoring obligation, and False Claims Act exposure are all unchanged.

CMMC Continuous Monitoring: Requirements, Cadence, and Evidence

By The Defense Compliance Report Editorial Team · an independent trade publication on CMMC 2.0 and DIB compliance

· Regulatory and implementation status last verified

CMMC continuous monitoringis a requirement that’s easy to skip — and easy for an assessor to catch. It comes down to seven words in NIST SP 800-171 Revision 2: monitor security controls on an ongoing basis.No fixed schedule. No named tool. So here’s the bottom line first: at CMMC Level 2, continuous monitoring (security requirement CA.L2-3.12.3) means keeping your security controls provably effective over time — you set risk-based cadences, keep evidence they actually ran, and act when something fails. That “no fixed schedule, no named tool” flexibility is exactly what makes this hard — and exactly what some vendors use to sell you more than you need. This page fixes that.

The 30-second answer

QuestionBottom line
Is CMMC continuous monitoring required?Yes, for Level 2, under security requirement CA.L2-3.12.3 (NIST SP 800-171 Rev. 2, §3.12.3).
Does it mean watching every control 24/7?No blanket Level 2 rule says that. Cadence is risk-based, though a few specific activities are explicitly real-time.
Is a SIEM mandatory?No specific SIEM product is named as universally required. Your architecture may still make SIEM-like capability the practical answer.
Who sets the frequency?You do, for most activities — and you have to defend it. Where the assessment guide says “periodically,” the interval can’t exceed one year.
What proves it?Defined scope, named owners, cadence, records that the activity ran, outputs, actions taken, and current documentation.
Did the July 2026 Phase II pause remove the duty?No. It changed how CMMC gets written into new procurements; it did not turn off NIST SP 800-171 or DFARS 252.204-7012.

July 2026 implementation update — read this before you panic or relax

On July 13, 2026, the Department of War suspended the transition to CMMC Phase II— the phase that would have expanded Level 2 third-party (C3PAO) assessment requirements across applicable procurements beginning November 10, 2026 — and launched a 60-day review of the program (U.S. Department of War release, July 13, 2026). Here’s what it actually did and didn’t change:

Official action (July 13, 2026)What it means operationallyWhat you must verify
Transition to Phase II suspended; pending/future CMMC milestones pausedThe former November 10, 2026 date is not an active deadlineWhether your solicitation still references a Phase II requirement
Phase I self-assessment requirements remainLevel 1 (Self) and Level 2 (Self) obligations continueYour current level and self-assessment status in SPRS
DFARS 252.204-7012 unaffectedYou still safeguard covered defense information and report cyber incidentsThat your NIST SP 800-171 implementation is current
New designations limited to Level 1 (Self) / Level 2 (Self); existing L2 (C3PAO) and L3 to be removed by modificationNo blanket rush to book a C3PAOYour actual amendment or modification, in writing
Enforcement continues via self-assessments and select government-led assessmentsYour self-assessment carries real weight right nowThat your posted score is accurate and supportable

Translation for this page: the government paused a verification mechanism, not the requirement to protect the information. Continuous monitoring still lives in NIST SP 800-171 Rev. 2, and it’s still what makes your annual affirmation truthful.

Two operative facts you can act on today: New procurement designations are limited during the suspension — contracting officers are also directed to amend active solicitations and to remove Level 2 (C3PAO) and Level 3 requirements from existing contracts by modification before the next option period. And a press release does not automatically rewrite an executed contract — read your actual solicitation or modification and ask the contracting officer how the suspension applies to that award in writing. The required level shows up in the solicitation itself: DFARS 252.204-7025 is where CMMC level requirements are disclosed.

The program’s future is genuinely unsettled — a 60-day CMMC Reform Task Force is reviewing it, and the associated public Request for Information closes August 14, 2026. That’s a reason to get your monitoring house in order now, not a reason to wait.

The Defense Compliance Reportis the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category.

We are not affiliated with the Cyber AB, the Department of War or Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency. This is educational research, not legal, contractual, or compliance advice.

This page is for contractors handling CUI who are implementing or sustaining Level 2; Affirming Officials and control owners who need proof between assessments; and small and midsize DIB companies deciding whether they actually need new tooling or managed monitoring.

This page is not the full answer forFCI-only companies whose requirement is Level 1; Level 3 organizations weighing enhanced NIST SP 800-172 requirements; or anyone trying to figure out which level a specific contract requires. If that’s you, start with Find My CMMC Path instead.


What does CMMC continuous monitoring actually require?

At CMMC Level 2, security requirement CA.L2-3.12.3requires an organization to monitor its security controls on an ongoing basis so they stay effective — mapped directly to NIST SP 800-171 Revision 2, §3.12.3. The official discussion ties “ongoing” to a frequency sufficient to support risk-based decisions; it does not assign every contractor one universal daily, weekly, or monthly schedule.

Strip away the jargon and the requirement asks you to prove three things, continuously:

  1. You know what’s in scope. Which security controls, and the systems and services that support them, need watching.
  2. You check that they still work. Not “did we turn this on once,” but “is it still doing its job today.”
  3. You act when they don’t. Monitoring that produces a dashboard nobody responds to is observation, not control management.

The source language is worth reading once, because it’s the whole ballgame. NIST SP 800-171 Rev. 2 states the control as: “Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.” The discussion adds that the terms continuous and ongoingimply assessing and analyzing security controls “at a frequency sufficient to support risk-based decisions,” and points to NIST SP 800-137 (Information Security Continuous Monitoring) for further guidance.

Here’s the part that matters for your budget — the line between what the requirement and its official discussion call for and what they do not mandate:

What CA.L2-3.12.3 and its official discussion call forWhat CA.L2-3.12.3 does not mandate
Ongoing awareness that controls stay effectiveOne single cadence applied to every control
Someone accountable for the activityA specific named vendor or product
A frequency sufficient for risk-based decisionsAround-the-clock analyst coverage for every Level 2 org
Actionable output (reports, alerts, dashboards)One government-approved dashboard
A response when a control is failingOne mandatory monitoring-plan template
Documentation kept current as the system changes (supported by the SSP requirement, CA.L2-3.12.4)A federally fixed universal log-retention period

Note on sourcing: The CMMC Level 2 Assessment Guide explains how the requirements are assessed and states that it does not create independent legal obligations. We use its definitions and assessment objectives throughout, and we label our own operating recommendations as editorial.


Did the July 2026 Phase II suspension make continuous monitoring optional?

No. The July 13, 2026 action suspended the transition to Phase II third-party assessments and paused pending CMMC milestones, while Phase I self-assessment requirements and DFARS 252.204-7012 safeguarding duties remained in force. It changed how CMMC is written into new procurements; it did not switch off the underlying obligation to protect CUI or maintain applicable controls.

We get why this question is on your mind. When the headline says “CMMC suspended,” it’s tempting to close the tab and move on. Don’t. The suspension is narrower than the headline, and the part that touches continuous monitoring is fully intact.

The reform review is directly relevant to this page: the CMMC Reform Task Force is charged with recommending “realistic, scalable security measures” and is gathering industry input through a public Request for Information (U.S. Department of War, July 13, 2026). Published legal analyses of that RFI note it seeks input on recognizing commercially available security products — but those are recommendations to be made, not rules in force. Don’t let an unconfirmed RFI response change your current implementation.

Want to pressure-test where you stand? Run your environment against our CMMC Readiness Checklist, mapped to the 14 security-requirement families. It's a lower-friction first step than any quote. No CUI, no login.

Run the CMMC Readiness Checklist

Primary sources: U.S. Department of War release, July 13, 2026; 32 CFR Part 170 (§170.15, §170.16); DFARS 252.204-7012.


Does “continuous” mean 24/7 — and do I need a SIEM?

No blanket Level 2 rule requires analysts to watch every control 24/7, and CMMC does not name a SIEM as a universally mandatory product. A few activities areexplicitly real-time — for example, SI.L2-3.14.5 requires real-time scanning of files from external sources as they’re downloaded, opened, or executed — while the broader monitoring in CA.L2-3.12.3 is risk-based and organization-defined.

It’s the question that comes up more than any other on continuous monitoring, and it usually lands the moment an MSP quote shows up with a 24/7 SOC line item. So let’s separate the four things that get blended together:

Now the honest part. Continuous monitoring is a recurring operating cost, not a one-time purchase — and if you’re a very small shop with a handful of in-scope systems, you may not need a full SIEM at all. The logging and monitoring controls can be met with centralized logging plus documented, repeatable manual review, named owners, retained evidence, and tested response. That combination won’t satisfy every one of the 110 Level 2 requirements by itself — but for the audit and monitoring objectives, it can hold up. “We collect logs” isn’t enough on its own; a defined, evidenced review process is.

Past a handful of systems — multiple clouds, real log volume, internet-facing services, no security staff after hours — a SIEM (or managed detection and response, MDR) often becomes the more sustainable choice. Whether it’s cheaper than manual review is a scoped cost decision for your environment, not a CMMC requirement. Buy for the specific capability you’re missing, not for the phrase “continuous monitoring.”

A quick reality check on tools

A SIEM can give you: centralized visibility, cross-system correlation, alerting, investigation timelines, log-health monitoring, and clean evidence export.

A SIEM does not, by itself, give you: correct scope, complete log sources, sane alert logic, a responsible analyst, a documented response, retained evidence, an accurate System Security Plan (SSP), or clarity on which controls your provider owns versus you.

If you run Microsoft 365 GCC High,Microsoft Sentinel is available in Azure Government and can support GCC High workloads — but connector, feature, region, and data-type support varies, so verify every required log source against Microsoft’s current government-cloud documentation before you assume coverage. It’s a common starting point, not a guarantee.

Before you buy anything, build the plan first. If you're not sure whether this belongs with your internal team, an MSSP, or a GRC platform, map your situation first — it routes you to a category, not a sales pitch. Do not enter CUI, credentials, vulnerabilities, or contract-controlled files.

Map My Situation with Find My CMMC Path

Primary sources: NIST SP 800-171 Rev. 2, §3.14.5 (SI.L2-3.14.5), §3.12.3 (CA.L2-3.12.3); 32 CFR §170.14 (Level 3 requirements from NIST SP 800-172, Feb 2021).


Which security requirements support CMMC continuous monitoring?

CA.L2-3.12.3 is the core Level 2 security requirement for ongoing security-control monitoring. Level 2 contains 110 security requirements across 14 families, and a group of requirements across multiple families create the specific monitoring, logging, scanning, alerting, and detection duties that make continuous monitoring real. Several of them carry the maximum 5-point deduction in the DoD scoring methodology, so neglecting them hits your SPRS score hard.

We built this map to put four things in one operating view: the plain-English activity mapped to the actual NIST SP 800-171 Rev. 2 requirement, its CMMC Level 2 identifier, what the source says about timing, the kind of evidence that supports it, and the failure mode to watch for.

How we chose these rows. We include a security requirement when its text or assessment objectives involve monitoring, scanning, alerting, recurring assessment, detecting unauthorized use, or keeping monitored implementations accurate. This is a selected operating subsetof the 110 Level 2 requirements — not the full set. CA.L2-3.12.3 is the core; the rest support it.

How to read the timing column.It reflects the language in NIST SP 800-171 Rev. 2 or the CMMC Level 2 Assessment Guide. Where the source states no interval, that’s noted — and setting a defensible cadence is yourcall (see the cadence section below). The “failure mode to check” column is our editorial observation, not a regulatory statement.

The CMMC Continuous Monitoring Requirements Map — verified

Monitoring activityNIST 800-171 Rev. 2CMMC L2 Req.FamilyTiming the source statesPotential evidence examplesFailure mode to check
Monitor that controls stay effective over time (the core requirement)3.12.3CA.L2-3.12.3CA“Ongoing”; frequency organization-definedMonitoring plan, dated review records with owners, dashboards, actions takenDashboards exist, but no decision or fix is shown
Periodically assess the controls3.12.1CA.L2-3.12.1CA“Periodically” (guide: org-set interval ≤ 1 year)Internal assessment plan, test results, findings, corrective actionsThe 3-year assessment is treated as the only review
Create and retain audit logs3.3.1AU.L2-3.3.1AUCreate and retain (ongoing)Logging config, retained logs, written retention policyLogs sit on individual systems; collection gaps go unnoticed
Alert when audit logging fails3.3.4AU.L2-3.3.4AUOn audit-process failure (event-triggered; no staffing interval stated)Alert config, test result, notification, response ticketLogging stops silently and no one is paged
Review and update which events get logged3.3.3AU.L2-3.3.3AUNo fixed interval stated (organization-defined)Approved event catalog, review minutes, change ticketEvent types set once, never revisited
Correlate, analyze, and report audit records3.3.5AU.L2-3.3.5AUNo fixed interval statedCorrelation queries, analyst notes, timelinesData collected that can’t be turned into an investigation
Scan for vulnerabilities3.11.2RA.L2-3.11.2RA“Periodically” + “when new vulnerabilities are identified”Scan scope, scanner config, scan reports over time, remediation ticketsScans miss assets or credentials; findings have no owner
Identify, report, and correct system flaws (patch)3.14.1SI.L2-3.14.1SI“In a timely manner”Patch cadence records, flaw-remediation tickets“Timely” is undefined and drifts into months
Malicious-code protection3.14.2SI.L2-3.14.2SIOngoing protectionCentrally managed AV/EDR deployment and update recordsConsumer AV instead of centrally managed, monitored protection
Monitor security alerts and advisories, and act3.14.3SI.L2-3.14.3SIAs alerts/advisories are issuedAdvisory subscriptions, triage decisions, action recordsAdvisories subscribed to but never dispositioned
Periodic + real-time scans of external files3.14.5SI.L2-3.14.5SIReal-timefor external files + “periodic” system scansOn-access scan config, scan schedule, detection log, update status“Real-time” claimed without testing download/open/execute channels
Monitor systems and inbound/outbound traffic for attacks3.14.6SI.L2-3.14.6SIMonitor (ongoing)Sensor coverage, alert logic, investigations, response ticketsData collected, but no one owns alert disposition
Identify unauthorized use of systems3.14.7SI.L2-3.14.7SINo fixed interval statedBaseline, alerts, investigation, corrective actionAn acceptable-use policy with no detection behind it
Baseline configurations and monitor for drift3.4.1 / 3.4.2CM.L2-3.4.1 / CM.L2-3.4.2CMEstablish and maintain (ongoing)Baseline docs, config-monitoring/SCAP resultsThe baseline is documented once, never compared to reality

Why the score math matters here. Under the DoD NIST SP 800-171 Assessment Methodology used for the Supplier Performance Risk System (SPRS), you start at a perfect 110 and subtract each unmet requirement’s weight (1, 3, or 5 points). Adjusted deductions for partial implementation are limited to a small number of requirements, including IA.L2-3.5.3 (multifactor authentication) and SC.L2-3.13.11 (FIPS-validated cryptography); most others are all-or-nothing (32 CFR §170.24). Several of the monitoring requirements above carry the maximum 5-pointdeduction — CA.L2-3.12.3, CA.L2-3.12.1, AU.L2-3.3.1, AU.L2-3.3.5, RA.L2-3.11.2, SI.L2-3.14.1, SI.L2-3.14.2, SI.L2-3.14.3, SI.L2-3.14.6, and CM.L2-3.4.1/.2 — while others carry 3- or 1-point deductions. Because self-assessments and select government-led assessments are the enforcement mechanisms during the suspension, that score carries real weight right now.

Adjacent, but not continuous-monitoring requirements: CA.L2-3.12.2 is the operational plan of action, and CA.L2-3.12.4 is the SSP — a prerequisite, since without a current SSP an assessment “could not be completed.”

Primary sources: NIST SP 800-171 Rev. 2 (requirement text); CMMC Level 2 Assessment Guide (identifiers and objectives); DoD NIST SP 800-171 Assessment Methodology and 32 CFR §170.24 (scoring).


How often do I have to monitor, and how long do I keep the proof?

Use the cadence the source states first; where the source leaves frequency open, set a risk-based interval you can defend; and add events that trigger an immediate check. Where the CMMC Level 2 Assessment Guide uses “periodically,” it defines the organization-set interval as not exceeding one year. NIST SP 800-171 does not set a single universal log-retention period, but assessment artifacts are subject to a six-year retention rule under 32 CFR Part 170, and DFARS 252.204-7012 imposes a separate 90-day preservation duty after a reported cyber incident.

Cadence confuses people because CMMC uses several timing logics, and vendors tend to flatten them into one scary “everything must be daily.” We group them into five operating types to keep source-stated timing separate from your own cadence and triggers — a DCR framework, not an official taxonomy:

  1. Real-time — required for specific activities (e.g., on-access scanning of external files, SI.L2-3.14.5).
  2. Event-triggered — triggered by a failure, incident, advisory, or anomaly (e.g., audit-failure alerts).
  3. Change-driven — triggered before, during, or after a system change.
  4. Recurring, risk-based — organization-defined, based on your environment.
  5. Annual minimum — where the guide points to at least annual activity, such as security-control assessment and SSP review.

To set a defensible recurring cadence for anything organization-defined, work through these questions: How fast could this control quietly fail? How fast would that failure cause real exposure? How fast could you even detect it? How much does the environment change? Is the activity automated or manual? Is a provider doing it? A monthly control-owner review is a reasonable starting pointfor a small, stable enclave — but “stable” is doing a lot of work in that sentence. A high-change, multi-cloud, internet-facing environment needs faster review, and you should write down whyyou chose what you chose. That written rationale is what turns “we felt like monthly was fine” into a defensible risk decision.

On retention — a nuance worth getting right

NIST SP 800-171 does not set a fixed log-retention period; you define one based on risk and contractual duties. Two separate rules do bite, though:

  • Assessment artifacts: six years. 32 CFR §170.16 and §170.17 require the artifacts used as evidence for a Level 2 assessment to be retained for six years from the CMMC Status Date. That’s about assessment evidence — not a blanket command to warehouse every raw operational log for six years.
  • Cyber-incident data: at least 90 days. DFARS 252.204-7012(e) requires you to preserve and protect images of affected systems and relevant monitoring and packet-capture data for at least 90 days after you submit a cyber-incident report, so DoD can request the media.

Set a written retention policy, retain operational logs for the periods established by your contract terms, applicable law, incident-response needs, your evidence strategy, system capability, and documented risk decisions — and don’t let a vendor talk you into six-year hot storage of everything as if the regulation demands it.

Primary sources: CMMC Level 2 Assessment Guide (“periodically” and “organization-defined”); NIST SP 800-171 Rev. 2 (no fixed retention period); 32 CFR §170.16/§170.17; DFARS 252.204-7012(e).


What evidence proves CA.L2-3.12.3?

The strongest evidence tells a complete operating story: what you set out to monitor, who owned it, when it ran, what it found, who reviewed the output, what you did about it, and which document you updated. A policy or a green dashboard alone is weaker than a traceable chain that connects plan, execution, finding, response, and validation. No single artifact guarantees a MET finding — the applicable assessment objectives have to be satisfied.

Assessors — and your own honest self-assessment — aren’t looking for “we have a tool.” They’re looking for proof the tool is configured, watched, reviewed, and retained. We organize potential evidence into a seven-layer chain (the DCR Evidence-Chain Framework— our editorial mapping of potential evidence to NIST’s examine/interview/test methods, not a federally mandated set of labels):

Evidence layerExamplesQuestion it answers
DesignPolicy, monitoring plan, procedure, responsibility matrixWhat is supposed to happen?
ScopeAsset inventory, boundary diagram, log-source inventory, Customer Responsibility MatrixWhat is covered?
ExecutionScan records, review logs, alert history, meeting notes, test resultsDid it actually happen?
OutputDashboard, report, finding, exception, alertWhat did it reveal?
ResponseTicket, operational plan of action, incident record, change requestWhat did you do about it?
ValidationRescan, closure check, retest, approvalDid the response work?
GovernanceManagement review, risk decision, SSP update, affirmation supportWho accepted the result, and how did it affect compliance?

Structure your evidence so you can support the three ways it gets checked: an assessor can examine the documents, interview the actual owner, and test the mechanism. NIST SP 800-171A (June 2018) defines those assessment methods and lets them be tailored by depth and coverage; the CMMC Level 2 Assessment Guide supplies the specific objectives an assessor works against.

One thing that trips people up: freshness.A screenshot from the day you first turned a control on doesn’t prove it’s been running since. For each artifact, track the period it covers, when it was captured, the source system, who captured it, and the action it led to. Evidence you can’t tie to the period under review is a lot weaker — and may not show the control was actually running.

Turn this into a working evidence register. Our CMMC Readiness Checklist maps it against the 14 families so nothing falls through. Use generic system labels — do not upload or enter CUI, credentials, vulnerability details, or controlled contract files.

Open the CMMC Readiness Checklist

Primary sources: NIST SP 800-171A (June 2018); CMMC Level 2 Assessment Guide; 32 CFR Part 170.


How do you build a CMMC continuous monitoring plan?

A defensible plan turns the requirement into assignable operating tasks: a frozen scope baseline, an inventory of monitored activities, a named owner for each, source-stated timing plus a risk-based cadence you can defend, event and change triggers, the evidence you’ll keep, a response path, validation, and the document you update when something changes. Build it once, and continuous monitoring stops being a vague obligation and becomes a calendar with owners.

Here’s the sequence we’d run, in order:

  1. Freeze a scope baseline. Capture your CMMC Assessment Scope, CUI assets, security protection assets, external service providers (ESPs) and cloud service providers (CSPs), boundaries, CUI flows, and the current SSP version. Everything downstream keys off this.
  2. Build the monitoring inventory. Start with the requirements in the map above, then add anything specific to your environment — remote-access session monitoring, boundary monitoring, incident-response readiness, physical-facility monitoring where it applies.
  3. Assign ownership. For each activity: the accountable internal owner, whoever performs it, a backup, who reviews the output, and who can approve a risk decision or update the SSP. Unowned monitoring is the single most common gap.
  4. Set timing in two layers. Record the source-stated timing first (real-time, periodic, timely, or “no interval stated”), then your organization-defined cadence — with a one-line rationale for why it fits your risk.
  5. Add triggers. Every row should carry an event or change trigger, not just a calendar date: a new vulnerability, an incident, a system change, a missing log source, a new connection.
  6. Define evidence before you execute. Decide what artifact will prove each activity ran, who creates it, whether it’s sensitive, where it lives, how long you keep it, and whether you can reproduce it on request.
  7. Define the response path. Triage, severity, ticketing, when it becomes an operational plan of action, when it becomes an incident, closure validation, and the SSP update.
  8. Test the system, then review effectiveness. Test your audit-failure alert, your escalation, your evidence export, and your change-to-SSP workflow. Then review whether the activity can actually detect and correcta failing control — not just whether a box got checked.

Keep the whole thing in one register your team updates — scope, owner, source timing, your cadence, trigger, evidence, last-run date, next-due date. That register is your CA.L2-3.12.3 evidence.

Not sure whether your team can run this or you need outside help? Map it with Find My CMMC Path — tell it your level, scope, and timeline, and it points you to the right provider category (internal, MSSP, or GRC platform) before you request a single quote. Routing only. No CUI, drawings, or contract details.

Find My CMMC Path

How do continuous monitoring, the assessment, and the annual affirmation fit together?

Continuous monitoring is the ongoing operational work of checking that controls still function. A periodic assessment tests implementation at a point in time. The annual affirmationis a senior official’s formal attestation in SPRS that the organization has implemented — and will maintain — the requirements for its CMMC status. Continuous monitoring is what keeps that affirmation truthful between assessments.

Four different things get collapsed into the marketing phrase “continuous compliance,” and confusing them is how contractors end up over-buying or under-protecting:

ConceptWhat it isTypical outputWhat it is not
CA.L2-3.12.3 ongoing monitoringOperating awareness that controls stay effectiveReports, dashboards, reviews, actionsA one-time assessment
Specific technical monitoringLogging, traffic monitoring, scans, malware scanning, alertingLogs, alerts, scan results, incidentsThe entire monitoring program
Periodic security-control assessmentStructured testing of control effectivenessAssessment plan, results, findingsDay-to-day security operations
Annual affirmationFormal attestation of continuing compliance in SPRSA submitted affirmation recordProof by itself that every control has actually been operated

The affirmation is where the stakes get real. Under 32 CFR §170.22, the Affirming Official— a senior representative with authority over the organization’s compliance — must affirm continuing compliance after each assessment, including any POA&M closeout, and annually thereafter, entered in SPRS. The attestation isn’t “we were compliant on assessment day.” It’s that the organization “has implemented and will maintain implementation” of the applicable requirements across scope. A dashboard full of green boxes with no current evidence, no owner, no change handling, and no remediation doesn’t discharge that responsibility.

And that attestation carries real legal weight. Inaccurate or unsupported self-attestations posted in SPRS remain an area of False Claims Act exposure that the suspension does nothing to diminish. Translation: your affirmation should never outrun what your monitoring evidence can support — and if you’re unsure, that’s a question for federal-contracts counsel, not a checklist.

Here’s the trap to avoid: a Final Level 2 CMMC Status is valid for three years, subject to annual affirmation, and a Conditional Level 2 status carries a 180-day POA&M closeout window (32 CFR §170.17). But a three-year assessment cycle is not a three-year monitoring cycle.Between assessments you’ll have system changes, new vulnerabilities, staff turnover, logging failures, and provider changes. Continuous monitoring is how you keep the thing you affirmed actually true in month 14.

Primary sources: 32 CFR §170.22 (affirmation); 32 CFR §170.17 (status validity); NIST SP 800-171 Rev. 2 §3.12.3.


How do system changes and temporary gaps get handled between assessments?

The official change workflow is a before/during/after sequence: assess the security impact and CUI flow before the change, document the temporary risk and who owns it during implementation, and update the SSP after. When a change could affect continuing compliance, involve the Affirming Official. A gap that appears aftera control was implemented is documented in an operational plan of action — which is not the same as a CMMC assessment POA&M.

Environments change. That’s not a compliance failure; failing to handle the change is. The official CMMC guidance frames it in three stages:

The distinction that saves contractors from a real headache is operational plan of action (OPA) versus CMMC assessment POA&M:

Operational plan of action (OPA)CMMC assessment POA&M
Documents a temporary deficiency that arises after a requirement was implementedDocuments eligible NOT MET findings from a CMMC assessment
Part of routine operations and change handlingTied to a Conditional CMMC Status
You define the operational formatGoverned by 32 CFR §170.21
Should never become a permanent excuse for an unimplemented controlMust close out within 180 days, or the Conditional status expires

Per the CMMC Assessment Guide’s own definitions, a temporary deficiency “is not based on an ‘in progress’ initial implementation” — it arises after implementation and gets tracked in an OPA. When a degraded control fits that temporary-deficiency definition, document it in an OPA with an owner, milestones, and validation. Not every operational hiccup automatically meets the definition — but don’t mislabel ordinary drift as an assessment POA&M, and don’t let an OPA sit open forever as a substitute for actually fixing the control.

Primary sources: DoD CIO CMMC FAQ (before/during/after workflow); CMMC Level 2 Assessment Guide (temporary deficiency / OPA); 32 CFR §170.21 (POA&M closeout).


Which levels require this — and how is Level 3 different?

CA.L2-3.12.3 is a Level 2 security requirement mapped to NIST SP 800-171 Rev. 2. Level 1 (FCI only, 15 requirements from FAR 52.204-21) has separate safeguards that involve ongoing protection and scanning — including real-time external-file scanning — but not the formal continuous-monitoring requirement. Level 3 builds on a Final Level 2 (C3PAO) status and adds 24 enhanced requirements selected from NIST SP 800-172 (February 2021), assessed by the government (DCMA DIBCAC).
LevelInformation protectedHow monitoring shows upAssessment path during current pause
Level 1FCI15 basic safeguards (FAR 52.204-21); some are monitoring-flavored (e.g., malicious-code scanning, SI.L1-b.1.xv), but not CA.L2-3.12.3Annual self-assessment
Level 2CUICA.L2-3.12.3 plus specific supporting requirements in AU, RA, SI, CM, AC, IR, PE, SC, and other applicable familiesLevel 2 self-assessment is the normal new-procurement path during the suspension; verify your actual contract
Level 3Most sensitive CUI vs. advanced threatsLevel 2 baseline + 24 enhanced NIST SP 800-172 (Feb 2021) requirements, with materially higher monitoring and detection expectationsNew Level 3 designations are paused; Level 3 requires a Final Level 2 (C3PAO) first, then DCMA DIBCAC assesses the 24 enhanced requirements

Be precise here, because sloppy sources cause real errors: “continuous monitoring is required at all levels” is too imprecise. Any cybersecurity program at any level has to keep working — but the specific CA.L2-3.12.3 requirement is a Level 2 requirement. Describe Level 1 and Level 3 by their own source language, and never turn a general security principle into a false requirement citation.

One version note that matters: CMMC Level 2 currently assesses against NIST SP 800-171 Revision 2. NIST has since published a Revision 3 in its general series, but CMMC continues to use Revision 2 until future rulemaking incorporates any change. You may choose to prepare for Rev. 3, but keep your traceability to the current Rev. 2 CMMC requirements. Don’t let a tool or consultant quietly swap Rev. 3 control numbers into your Level 2 program.

Primary sources: 32 CFR §170.14 (level requirements; 110 + 24 from NIST SP 800-172, Feb 2021); FAR 52.204-21 (Level 1); DoD CIO CMMC FAQ (Rev. 2 remains the assessment basis).


How do MSPs, MSSPs, CSPs, and other ESPs share continuous-monitoring responsibility?

An external provider can perform monitoring activities, host evidence, or operate security mechanisms — but outsourcing the work doesn’t erase your responsibility to understand scope, implementation, and evidence. Relevant external-service-provider and cloud responsibilities must be represented in your scope and SSP, and shared cloud/ESP responsibilities are documented in a Customer Responsibility Matrix (CRM).

Whether the provider is an MSP, MSSP, CSP, or another external service provider (ESP), ask the same five questions for every monitoring activity they touch:

  1. Who configures the mechanism?
  2. Who watches its health?
  3. Who triages the findings?
  4. Who takes corrective action?
  5. Who preserves and produces the evidence for your assessment?

If the answer to any of those is “we assumed the provider,” that’s a gap. What to request from a provider before you rely on them: a service description, the current shared-responsibility or customer-responsibility matrix, the log sources included, alert severity and response definitions, coverage hours, escalation times, retention and export capability, and how evidence is delivered on request.

Red flags to walk away from:

  • “We handle CMMC for you” with no requirement-level responsibility mapping
  • No named evidence owner
  • No tested audit-failure alert
  • No log-source inventory
  • No right to export your own evidence
  • No responsibility for after-hours alerts despite a “24/7” marketing claim
  • Provider reports that can’t be mapped to an assessment objective

Document who’s responsible in your SSP and, for cloud and external service providers, a CRM — that’s the document an assessor uses to see where your responsibility ends and the provider’s begins.

Primary sources: 32 CFR Part 170 (assessment scope, ESP/CSP treatment, and the Customer Responsibility Matrix).


What does CMMC continuous monitoring cost?

There’s no official universal price for a CMMC continuous-monitoring program. Anyone who quotes a single number for “continuous monitoring” without seeing your scope is guessing. Cost is driven by your asset and log-source count, environment complexity, current maturity, required coverage hours, retention, integrations, staffing, change rate, and whether you buy software, managed operations, or both.

We’d rather give you the drivers than a fake range that falls apart the moment your scope differs from the example:

Cost driverWhy it moves the number
In-scope assets and log sourcesMore deployment, collection, scanning, and evidence
Coverage hoursAfter-hours analyst coverage costs more than business-hours review
Environment diversityHybrid and multi-cloud environments need more integration
Existing native toolsStrong existing tooling can reduce duplication
Internal staffingManaged services replace or supplement internal labor
Evidence maturityReconstructing evidence by hand adds recurring effort
Change rateMore changes mean more impact analysis, testing, and documentation
Enclave strategyA smaller scope can reduce operating complexity but add migration and service cost
Level 3 applicabilityEnhanced requirements can materially change what you need

The honest way to frame it: continuous monitoring is an operating expense, not a one-time project.A certified provider’s value is recurring — monitoring, evidence upkeep, and annual-affirmation support are a monthly line, the operating cost of holding DoD contracts, not a box you check once before an assessment. Build vs. buy vs. managed is a scoped cost decision; the requirement is the same either way.


Which provider category should handle the gap?

Choose a provider category based on the specific gap you can’t close internally. An RPO (Registered Provider Organization) or readiness specialist helps interpret and implement requirements; an MSP or MSSP operates the technology and the monitoring; a GRC platform organizes evidence and workflow; a CUI enclave can reduce scope when CUI is actually confined to it; and a C3PAO (Certified Third-Party Assessment Organization) performs the formal Level 2 certification assessment.

Match the category to the gap:

Your actual gapCategory to evaluate firstDon’t default to
Scope, SSP, requirement interpretation, readiness planRPO / readiness specialistA C3PAO assessment
IT implementation and sustained operationsCMMC-focused MSPGRC software alone
Detection, log review, alert triage, response supportMSSP / managed detection and responseA documentation consultant alone
Evidence organization, ownership, workflow, reportingGRC platform (a supporting layer)A platform marketed as “automatic compliance”
Enterprise is too broad/expensive to secure directlyCUI enclave / secure collaborationBolting tools onto an undefined enterprise scope
Your contract explicitly requires a Level 2 certification and readiness is doneAuthorized C3PAO (check current status)The firm that prepared you for the assessment

This category-fit table is our editorial conclusion based on the role boundaries above — not a Cyber AB ranking or endorsement.

Two guardrails we won’t soften. First, software alone doesn’t satisfy CMMC.A GRC platform can automate evidence, tasks, reminders, control mapping, and reporting — it doesn’t, by itself, operate your technical and procedural controls. Treat it as a supporting layer, not the whole solution. A CUI enclavecan reduce your assessment scope, but only when CUI flows and the supporting assets are genuinely confined to the enclave boundary; it doesn’t automatically remove enterprise systems, security protection assets, connections, personnel, or external providers from scope.

Second, keep readiness and assessment separate. Under the CMMC conflict-of-interest rules (32 CFR §170.8(b)(17)), a firm that served as your consultant to prepare you for a CMMC assessment generally may not then perform that certification assessment — a restriction that runs for three years. A live reminder given the pause: the old “book a C3PAO before November 10, 2026” urgency is no longer valid as a general rule — first confirm what your actual solicitation or contract requires after any amendment.

Not sure whether your gap belongs with an RPO, an MSSP, a GRC platform, a CUI enclave, or — when it's actually required — a C3PAO? The Defense Compliance Report's Find My CMMC Path tool applies The CMMC Path Framework to your level, FCI/CUI handling, assessment type, environment, and timeline, then routes you to a provider category. Do not submit CUI, drawings, credentials, vulnerability details, or contract attachments.

Find My CMMC Path →
Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.

Primary sources: 32 CFR §170.8, §170.9, §170.11 (C3PAO/assessor conflict-of-interest); DoD CIO CMMC FAQ (cost drivers).


Twenty CMMC continuous monitoring failure modes to check

Most failures aren’t caused by missing security tools. They happen because scope, ownership, cadence, evidence, response, and documentation never connect into one operating process — so a control fails quietly and nobody can prove otherwise.

These failure modes recur across the source requirements, the assessment guidance, and the operating evidence chain. If you fix nothing else on this page, check these:

  1. Treating the three-year assessment as the monitoring cadence.
  2. Treating the annual affirmation as a substitute for operational evidence.
  3. Buying a SIEM before defining log sources and owners.
  4. Collecting logs without ever checking collection health.
  5. Building alerts with no one assigned to triage them.
  6. Running scans without closing the findings.
  7. A monitoring plan with no execution history behind it.
  8. Dashboards that can’t produce the underlying evidence.
  9. Not updating the SSP after a system change.
  10. Using an assessment POA&M for ordinary operational gaps (that’s an OPA).
  11. Letting OPAs stay open indefinitely.
  12. Assuming your MSP owns activities that aren’t in the contract.
  13. No documented Customer Responsibility Matrix with your provider.
  14. Screenshots with no dates, scope, or interpretation.
  15. One cadence applied to controls with very different risk.
  16. Calling every control “real-time” with no source behind it.
  17. Assuming native cloud tools are inadequate just because they aren’t branded “SIEM.”
  18. Assuming a purchased platform equals implemented controls.
  19. Letting evidence files contain uncontrolled CUI.
  20. Using the suspended Phase II date to manufacture urgency — internally or from a vendor.

How we researched and verified this guide

We built this guide by reading the primary sources — the CMMC Final Rule, the July 2026 suspension release and implementation memorandum, NIST SP 800-171 Rev. 2, the NIST assessment procedures, the CMMC Level 2 Assessment Guide, the annual-affirmation rule, and the DoD CIO CMMC FAQ — and separating what those sources require from what we recommend. We used vendor and community pages only to understand where contractors get confused, never as regulatory authority.

What we actually verified ():

What we verifiedSource and editionWhere used
July 13, 2026 Phase II suspension; Phase I self-assessments remain; enforcement via self-assessments and select government-led assessmentsU.S. Department of War release, July 13, 2026 (war.gov)Suspension sections
CMMC Level 2 assesses NIST SP 800-171 Revision 2CMMC Level 2 Assessment Guide; DoD CIO CMMC FAQThroughout
Exact text/discussion of CA.L2-3.12.3NIST SP 800-171 Rev. 2 §3.12.3; CMMC Level 2 Assessment GuideRequirement sections
“Periodically” = org-set interval not exceeding one yearCMMC Level 2 Assessment GuideCadence section
SI.L2-3.14.5 real-time scanning of external filesNIST SP 800-171 Rev. 2 §3.14.524/7 / SIEM section
Core monitoring requirements are 5-point deductions; partial credit limited (IA.L2-3.5.3, SC.L2-3.13.11)DoD NIST SP 800-171 Assessment Methodology; 32 CFR §170.24Requirements map
Annual affirmation and Affirming Official role32 CFR §170.22Affirmation section
Six-year assessment-artifact retention (Level 2)32 CFR §170.16 / §170.17Retention section
90-day cyber-incident data preservationDFARS 252.204-7012(e)Retention section
OPA vs. assessment POA&M; 180-day closeout32 CFR §170.4, §170.21; CMMC Assessment GuideChange-handling section
Level 3: Level 2 baseline + 24 enhanced NIST SP 800-172 (Feb 2021) requirements, DIBCAC-assessed32 CFR §170.14Levels section

What we did not do:we did not observe your systems, and we can’t tell you which level a specific contract requires — that’s set by the clause and your CUI handling. Cadence and tooling depend on your environment and documented risk decisions. The CMMC reform review may change procurement policy; we re-verify the status of this page frequently and date every regulatory fact.

This is educational research, not legal, contractual, or compliance advice. Confirm scope and applicability with a CMMC Registered Practitioner or Registered Provider Organization (RP/RPO), or a qualified federal-contracts attorney.


CMMC continuous monitoring FAQ

Is CMMC continuous monitoring required?
Yes, for Level 2, under security requirement CA.L2-3.12.3 (NIST SP 800-171 Rev. 2, §3.12.3). Several other Level 2 requirements also impose specific monitoring, scanning, alerting, review, testing, and change activities.
Does CMMC continuous monitoring mean 24/7?
Not as a blanket Level 2 rule. Some activities are explicitly real-time — like scanning files from external sources (SI.L2-3.14.5) — and Level 3 carries higher expectations, but Level 2 does not require around-the-clock analyst coverage of every control.
Is a SIEM required for CMMC Level 2?
No specific SIEM product is named as universally mandatory. You still have to satisfy the underlying audit, monitoring, alerting, investigation, evidence, and response objectives — which a SIEM commonly helps with, but which very small, stable environments can meet with centralized logging plus documented manual review.
How often must CMMC controls be monitored?
Use the source-stated cadence where one exists. Where cadence is organization-defined, set and document a frequency sufficient for risk-based decisions and add event and change triggers. Where the CMMC Level 2 Assessment Guide uses “periodically,” the interval may not exceed one year.
Is monitoring once a year enough?
Not for the whole program. Some activities have an at-least-annual floor, but real-time, event-triggered, change-driven, and recurring risk-based activities require more frequent execution.
What is the difference between continuous monitoring and a CMMC assessment?
Continuous monitoring operates the security program between assessment points. An assessment evaluates whether requirements are implemented correctly, operating as intended, and producing the desired outcome, at a point in time.
Is the annual affirmation the same as continuous monitoring?
No. The affirmation is a senior official’s formal attestation in SPRS (32 CFR §170.22). Continuous monitoring produces the operational basis and evidence that make that attestation truthful.
Did the July 2026 Phase II suspension remove monitoring requirements?
No. It suspended the transition to third-party assessments and paused pending milestones. Phase I self-assessment requirements and DFARS 252.204-7012 safeguarding duties remain in force.
Does CMMC Level 1 require CA.L2-3.12.3?
No. CA.L2-3.12.3 is a Level 2 requirement. Level 1 (FCI only) has separate safeguards, some of which involve ongoing protection and scanning (for example, SI.L1-b.1.xv).
Does CMMC use NIST SP 800-171 Revision 2 or Revision 3?
CMMC assessments currently use Revision 2. Any move to Revision 3 would require future rulemaking.
What evidence should we retain?
Retain evidence that shows design, scope, execution, output, response, validation, and governance. Separately, artifacts used as assessment evidence are subject to the six-year retention rule in 32 CFR Part 170, and cyber-incident data must be preserved for at least 90 days under DFARS 252.204-7012(e). There is no single fixed routine log-retention duration in NIST SP 800-171.
Can an MSP or MSSP perform continuous monitoring?
Yes, it can perform defined activities — but you remain responsible for understanding scope, shared responsibilities, evidence, escalation, and everything the provider does not cover. Document it in your SSP and a Customer Responsibility Matrix.
Is an operational plan of action the same as a CMMC POA&M?
No. An operational plan of action documents a temporary deficiency that arises after a requirement was implemented. A CMMC assessment POA&M is tied to Conditional status and must close out within 180 days under 32 CFR §170.21.
Can the same company prepare us and then assess us?
Generally not for the same assessment. The CMMC conflict-of-interest rules (32 CFR §170.8(b)(17)) restrict a firm that served as your assessment-preparation consultant from performing that certification assessment, and that restriction runs for three years.
Should we buy a SIEM before building a monitoring plan?
Usually not. Define the required outcomes, scope, log sources, ownership, response, and evidence first — then decide whether your current tools already satisfy them or you have a specific capability gap to fill.

The bottom line, and your next move

Continuous monitoring is the difference between “we passed once” and “we can prove we still work” — and during the suspension, with self-assessments and select government-led assessments carrying the enforcement weight, the second one is what protects your contracts and your annual affirmation. You now know the exact requirement (CA.L2-3.12.3), the group of requirements around it, which cadences the source sets versus which you set, what evidence holds up, and where the real risks are.

Need help deciding what type of CMMC provider you need? Tell us your level, scope, and timeline, and we'll match you with source-checked CMMC provider options. It starts by mapping your situation to the right provider category. Do not submit CUI, drawings, credentials, vulnerability scans, contract-controlled files, or sensitive system details. Routing only.

Find My CMMC Path →
Disclosure:The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. This is educational research, not legal, contractual, or compliance advice — confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney.

Primary sources referenced on this page