
Risk Assessment

Risk Assessment is the intelligence function. Know your risks, find your vulnerabilities, and fix them in order of severity.

Assess (3.11.1) — Formal risk assessment at a defined frequency (annually is standard). Identify threats, vulnerabilities, likelihood, and impact. Results drive your security priorities.

Scan (3.11.2) — Regular vulnerability scans across all CUI systems, plus ad-hoc scans when critical new vulnerabilities are disclosed.

Fix (3.11.3) — Remediate vulnerabilities by risk priority. Critical first. Track every finding to closure.
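The following risk register is an added illustration of the Assess / Scan / Fix cycle, not code from NIST SP 800-171 or from the original page. The 1-5 likelihood and impact scales, the priority bands, the remediation deadlines in SLA_DAYS and the findings F-001 to F-005 are constructed assumptions; an organization would substitute its own scoring scheme and dates.

```python
"""Risk register for the Assess (3.11.1) / Scan (3.11.2) / Fix (3.11.3) cycle.

Constructed example: the scales, SLA bands and findings below are assumptions
chosen for illustration, not values from NIST SP 800-171.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed remediation deadlines (days after discovery) per priority band (3.11.3).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    ref: str                  # tracker id (constructed)
    asset: str                # CUI system the finding applies to
    source: str               # "assessment" (3.11.1) or "scan" (3.11.2)
    likelihood: int           # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int               # 1 (negligible) .. 5 (severe), assumed scale
    discovered: date
    closed: Optional[date] = None   # set when remediation is verified

    def __post_init__(self) -> None:
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be in 1..5, got {value}")


def risk_score(f: Finding) -> int:
    """Risk = likelihood x impact on a 1..25 scale (assumed scoring)."""
    return f.likelihood * f.impact


def priority(f: Finding) -> str:
    """Map the score onto the assumed priority bands."""
    score = risk_score(f)
    if score >= 20:
        return "critical"
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def due_date(f: Finding) -> date:
    """Remediation deadline derived from the priority band's SLA."""
    return f.discovered + timedelta(days=SLA_DAYS[priority(f)])


def remediation_queue(findings):
    """Open findings, highest risk first; ties go to the oldest finding."""
    open_findings = [f for f in findings if f.closed is None]
    return sorted(open_findings, key=lambda f: (-risk_score(f), f.discovered))


def overdue(findings, today: date):
    """Open findings whose SLA deadline has already passed."""
    return [f for f in remediation_queue(findings) if due_date(f) < today]


def closure_report(findings, today: date) -> dict:
    """Track-to-closure summary: what is open, closed, overdue and next in line."""
    queue = remediation_queue(findings)
    return {
        "total": len(findings),
        "open": len(queue),
        "closed": len(findings) - len(queue),
        "overdue": [f.ref for f in overdue(findings, today)],
        "next": [f.ref for f in queue],
    }


# Constructed sample findings and reporting date.
TODAY = date(2024, 3, 15)
SAMPLE = [
    Finding("F-001", "file-server-01", "scan", 5, 5, date(2024, 3, 1)),
    Finding("F-002", "laptop-fleet", "assessment", 3, 4, date(2024, 2, 10),
            closed=date(2024, 3, 5)),
    Finding("F-003", "vpn-gateway", "scan", 4, 4, date(2024, 3, 10)),
    Finding("F-004", "print-server", "assessment", 2, 2, date(2024, 1, 15)),
    Finding("F-005", "db-server-02", "scan", 4, 5, date(2024, 3, 12)),
]

if __name__ == "__main__":
    for f in remediation_queue(SAMPLE):
        print(f.ref, f.asset, priority(f), risk_score(f), "due", due_date(f))
    print(closure_report(SAMPLE, TODAY))
```

The queue orders F-001 (score 25) ahead of F-005 (20), F-003 (16) and F-004 (4), while the closed F-002 drops out; on the sample date only F-001 has blown its assumed 7-day critical SLA, which is the kind of signal an assessor expects a tracking process to surface.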


| Ref    | Short Name              | What It Covers                                   |
|--------|-------------------------|--------------------------------------------------|
| 3.11.1 | Assess Your Risks       | Formal risk assessments at defined intervals     |
| 3.11.2 | Scan for Vulnerabilities| Regular and event-driven vulnerability scanning  |
| 3.11.3 | Fix What You Find       | Remediate by risk priority, track to closure     |