Control Description Data Protection Classification
Level 1 Level 2 Level 3 Level 4
SA-1 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. required required required essential
SA-2 Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. required required required essential
SA-3 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. recommended recommended required essential