CMMC practice RA.L2-3.11.1, derived from NIST SP 800-171 Rev 2 requirement 3.11.1, requires organizations to periodically assess the risk to their operations, assets, and individuals that results from the operation of organizational systems that process, store, or transmit CUI. The organization must first define how frequently these assessments will occur, then actually conduct them on that schedule. A risk assessment typically identifies threats and vulnerabilities, estimates the likelihood and impact of their exploitation, and derives an overall risk level that informs security decisions. The output is a documented risk assessment report that records the findings and supports risk-based prioritization of security controls. The definition of the frequency and the execution of assessments at that frequency are two distinct assessment objectives, and each must be satisfied on its own.
Where it stops · what it isn't
- This practice does not require the organization to remediate identified vulnerabilities; scanning for vulnerabilities is RA.L2-3.11.2, and remediating them in accordance with risk assessments is RA.L2-3.11.3
- This practice does not mandate a specific risk assessment methodology, framework, or tool; organizations may use NIST SP 800-30, OCTAVE, or an equivalent approach
- This practice does not accept continuous automated monitoring as a substitute for a formal, documented periodic risk assessment process
- This practice does not address the assessment of supplier or third-party risk; supply chain risk management is a separate consideration
- This practice does not define what level of risk is acceptable; risk tolerance and risk acceptance decisions are organizational policy matters outside this practice's scope
Connected concepts in the graph
ENABLES: RA.L2-3.11.2, CA.L2-3.12.4