| Control ID |
Control Description | Data Protection Classification | ||||||
| Level 1 | Level 2 | Level 3 | Level 4 | |||||
| SA-1 | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. | required | required | required | essential | |||
| SA-2 | Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. | required | required | required | essential | |||
| SA-3 | Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. | recommended | recommended | required | essential | |||