3.12.1 — Test your controls | NIST 800-171 Control

You periodically check that your controls actually work.

What it actually means

Don't assume your controls work — verify them periodically. A self-assessment against the 110 requirements (which is what generates your SPRS score) is exactly this. The point is to confirm controls are effective in practice, not just configured.

Pass or fail — an assessor needs a "yes" to each

Controls are assessed periodically for effectiveness.
Results are documented.
Findings feed your POA&M.

What to have ready

Self-assessment results (e.g., SPRS scoring)
Assessment cadence/policy
Findings -> POA&M linkage

Where teams trip up

Never re-assessing after the first time
Assuming configured = effective
No documentation of the assessment

See where this control puts your score

Run all 110 requirements free in about 10 minutes.

Calculate your SPRS score →

Connected requirements

3.12.2 — Plan to fix deficiencies 3.12.3 — Monitor continuously

← Back to the Control Library