3.11.1 — Assess Your Risks
What It Says
Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
What It Actually Means
Conduct formal risk assessments at a defined frequency (annually is standard). Using a methodology like NIST SP 800-30: identify threats (external attackers, insider threats, natural disasters), identify vulnerabilities (technical and procedural), assess likelihood and impact, and calculate risk. Results feed your POA&M, security investments, and control priorities. This isn’t a one-time exercise — risks change as your environment, contracts, and the threat landscape evolve.
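As an added example (not code from this guide), here is a small Python scorer that carries the SP 800-30 steps through on a constructed risk register: it combines likelihood and impact into a risk rating, orders entries for the POA&M, and flags when a reassessment is due under an annual frequency or after a significant change. The likelihood-by-impact matrix is an assumption modeled on the qualitative table in SP 800-30 Rev. 1 Appendix I, and the register entries are constructed.

```python
from datetime import date, timedelta
from typing import Dict, List, Optional

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Likelihood (row) x impact (column) -> risk level. Assumption: this matrix is
# modeled on the qualitative risk table in NIST SP 800-30 Rev. 1, Appendix I.
RISK_MATRIX = {
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
}

def risk_level(likelihood: str, impact: str) -> str:
    """Combine a likelihood rating and an impact rating into a risk rating."""
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]

def assessment_due(last_assessed: str, today: str,
                   last_significant_change: Optional[str] = None,
                   max_age_days: int = 365) -> bool:
    """True when the assessment (ISO dates) is older than the policy frequency
    (annual by default) or predates the most recent significant change."""
    last = date.fromisoformat(last_assessed)
    if date.fromisoformat(today) - last > timedelta(days=max_age_days):
        return True
    return bool(last_significant_change) and date.fromisoformat(last_significant_change) > last

def prioritize(register: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Rate every register entry and order it for the POA&M, highest risk first."""
    scored = [dict(r, risk=risk_level(r["likelihood"], r["impact"])) for r in register]
    return sorted(scored, key=lambda r: LEVELS.index(r["risk"]), reverse=True)

# Constructed sample register entries (illustrative, not real findings).
SAMPLE_REGISTER = [
    {"id": "R-1", "threat": "Phishing of CUI mailbox users",
     "vulnerability": "MFA not enforced", "likelihood": "High", "impact": "High"},
    {"id": "R-2", "threat": "Flooding of server room",
     "vulnerability": "Single on-site file server", "likelihood": "Low", "impact": "Moderate"},
    {"id": "R-3", "threat": "Insider bulk export of CUI",
     "vulnerability": "No removable-media controls", "likelihood": "Moderate", "impact": "Very High"},
]

if __name__ == "__main__":
    for entry in prioritize(SAMPLE_REGISTER):
        print(f'{entry["id"]}: {entry["risk"]} ({entry["likelihood"]} x {entry["impact"]})')
    print("Reassessment due:", assessment_due("2023-03-01", "2025-01-15"))
```

The ordered output is the starting point for the POA&M entries; the `assessment_due` check is the kind of evidence an assessor expects behind the "at least annually and after significant changes" row.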
Pass or Fail
Your assessor needs a “yes” to every row:
| # | Question | What “yes” looks like |
|---|---|---|
| 1 | Is the risk assessment frequency defined? | Policy specifies: at least annually and after significant changes |
| 2 | Are risk assessments conducted with the defined frequency? | Dated risk assessment document showing threats, vulnerabilities, likelihood, impact, and risk ratings |
What to Have Ready on Assessment Day
Documents they’ll review: Risk assessment policy; risk assessment methodology documentation; risk assessment results; risk register; system security plan; POA&M showing risk-driven priorities
People they’ll talk to: Personnel with risk assessment and vulnerability management responsibilities; information security personnel
Live demos they’ll ask for: “Show me your most recent risk assessment document.” “What methodology did you use?” “How do results feed your security priorities?” “When was it last updated?”
The Assessor’s Playbook
These are the actual questions. Have answers ready.
- “Show me your risk assessment. When was it last conducted?”
- “What methodology did you use?”
- “How do risk assessment results feed your security priorities?”
- “Are risks tracked and updated over time?”
Where Companies Trip Up
No formal assessment. Security decisions based on gut feeling rather than documented analysis. Conduct a formal risk assessment per NIST SP 800-30.
One-and-done. Assessed two years ago and never updated. Risks change — reassess annually and after significant changes.
No action on findings. Risks identified but nothing changes. Risk assessment results should feed your POA&M and investment priorities.
How to Talk About This
Connected Requirements
| Requirement | Why it matters here |
|---|---|
| 3.11.2 — Scan for Vulnerabilities | Vulnerability scanning feeds the technical vulnerability identification |
| 3.11.3 — Fix What You Find | Remediation prioritized by risk assessment results |
| 3.12.2 — Track Every Gap | POA&M driven by risk assessment findings |
Implementation (coming soon)
Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.
CMMC Practice ID: RA.L2-3.11.1 | SPRS Weight: 3 points | POA&M Eligible: No