The scenario describes a situation where a contractor has a documented Plan of Action and Milestones (POA&M) but fails in its execution. The CMMC practice CA.L2-3.12.2 requires organizations to both "Develop and implement plans of action." The contractor has successfully developed the plan, as evidenced by the documented POA&M. However, the statement that "remediating measures are not always taken, and when taken, they are not always practical" points to a direct failure in the implementation phase. This directly violates the assessment objective that requires the developed plan of action to be effectively implemented to correct deficiencies and reduce vulnerabilities.

A. This is incorrect because the scenario explicitly details a failure to consistently and practically execute the remediation measures, which is a core part of the practice.

B. This is incorrect because a change management plan is associated with the Configuration Management (CM) domain (e.g., CM.L2-3.4.1), not the Security Assessment (CA) domain's POA&M practice.

D. This is incorrect because the scenario states the contractor "documents specific vulnerabilities and deficiencies in an audit report" and has a POA&M, indicating this objective has been met.

---

1. U.S. Department of Defense (DoD), CMMC Model Version 2.0, CMMC Level 2 Assessment Guide (December 2021).

Reference: Page 151, Practice CA.L2-3.12.2, Assessment Objectives.

Content: This guide specifies the assessment objectives for CA.L2-3.12.2, which are derived from NIST SP 800-171. The objectives include "[a] A plan of action is developed to correct deficiencies," "[b] A plan of action is developed to reduce or eliminate vulnerabilities," and "[c] The plan of action is implemented." The scenario clearly shows a failure in objective [c].

2. National Institute of Standards and Technology (NIST), Special Publication (SP) 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (February 2020).

Reference: Page 26, Section 3.12.2.

Content: This document is the source for the CMMC Level 2 requirement. It states, "Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems." The dual requirement of "develop" and "implement" is foundational.

3. National Institute of Standards and Technology (NIST), Special Publication (SP) 800-171A, Assessing Security Requirements for Controlled Unclassified Information (June 2018).

Reference: Page 101, Section 3.12.2, Assessment Procedures.

Content: This guide provides procedures for assessing the implementation of NIST SP 800-171 controls. For 3.12.2, it specifies checking if "b. the plan of action is implemented." The evidence in the scenario demonstrates this procedure would result in a "not met" finding.