
RA.L2-3.11.1 Risk Assessments

Risk Assessment 1 of 3 in family

Assess Your Risks.

Formal risk assessments at defined intervals — threats, vulnerabilities, likelihood, impact.

The one-liner

If you haven't formally assessed risks to your CUI environment, you're guessing what to protect.

Practice names: DoD CIO CMMC Model Overview v2.0 (CC BY 4.0).

3.11.1 — Assess Your Risks

Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.

Conduct formal risk assessments at a defined frequency (annually is standard). Using a methodology like NIST SP 800-30: identify threats (external attackers, insider threats, natural disasters), identify vulnerabilities (technical and procedural), assess likelihood and impact, and calculate risk. NIST SP 800-30 frames this as a four-step cycle — prepare for the assessment, conduct it, communicate the results, and maintain it over time — and that structure is the one to follow.

You can enter the analysis from any of three angles — threat-oriented (start from who might attack), asset/impact-oriented (start from what you can’t afford to lose), or vulnerability-oriented (start from known weaknesses); pairing two of them catches risks a single lens misses.

Scope it beyond your own walls: risk introduced by external parties counts too, including service providers, contractors operating systems on your behalf, and outsourcing arrangements. For a DIB contractor, that puts your MSP and the cloud service providers holding your CUI inside the assessment, not outside it. That supplier, ESP, and product exposure is exactly what cybersecurity supply chain risk management (C-SCRM, NIST SP 800-161r1) is built to assess — and its intent is to fold that analysis into the broader risk assessment, not run it as a separate exercise.

And keep the distinction straight — a risk assessment is not a vulnerability assessment. The vulnerability scan in 3.11.2 is one input, telling you what weaknesses exist; the risk assessment pairs that with threat and likelihood analysis to determine which of them actually matter. Results feed your POA&M, security investments, and control priorities. This isn’t a one-time exercise — risks change as your environment, contracts, and the threat landscape evolve.
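As an added illustration (not part of the original page or any NIST publication), the script below turns the steps above into a minimal risk register: each entry pairs a threat with a vulnerability (one of them a 3.11.2 scan finding, one an MSP exposure, so external parties are in scope), a qualitative likelihood/impact matrix laid out like the one in NIST SP 800-30r1 Appendix I produces the risk level, the register is ordered for the POA&M, and a currency check flags when the annual or post-change reassessment is due. The matrix cell values, the register entries, and the function names are assumptions for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Qualitative scale used throughout (ordered low to high).
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Risk level from (likelihood, impact). Laid out like the qualitative matrix in
# NIST SP 800-30r1 Appendix I; treat the cell values as an assumption and
# replace them with the matrix your documented methodology specifies.
RISK_MATRIX = {
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
}

@dataclass
class Risk:
    id: str
    threat: str         # threat source: external attacker, insider, supplier, disaster
    vulnerability: str  # technical or procedural weakness (the 3.11.2 scan is one input)
    asset: str          # what in the CUI environment is exposed
    likelihood: str
    impact: str
    party: str          # "internal", "msp" or "csp": external parties are in scope

def rate(r: Risk) -> str:
    """Combine likelihood and impact into a qualitative risk level."""
    return RISK_MATRIX[r.likelihood][LEVELS.index(r.impact)]

def prioritize(risks):
    """Highest risk first: this order feeds the POA&M and investment decisions."""
    return sorted(risks, key=lambda r: LEVELS.index(rate(r)), reverse=True)

def assessment_due(last_assessed, today, significant_change=False, interval_days=365):
    """Reassess after the defined interval (annual here) or after a significant change."""
    return significant_change or today - last_assessed > timedelta(days=interval_days)

# Constructed sample register; the entries are illustrative, not real findings.
REGISTER = [
    Risk("R-1", "external attacker", "unpatched VPN appliance (scan finding)", "CUI file server", "High", "High", "internal"),
    Risk("R-2", "MSP admin misuse", "shared MSP admin credentials", "CUI file server", "Moderate", "Very High", "msp"),
    Risk("R-3", "natural disaster", "single-site backups", "CUI backups", "Low", "Moderate", "internal"),
    Risk("R-4", "insider", "no review of CUI share permissions", "CUI share", "Moderate", "Low", "internal"),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.id} [{r.party}] {rate(r):>9}: {r.threat} via {r.vulnerability}")
```

The register is the dated artifact an assessor asks for; rerun it after each reassessment so the ratings, not gut feeling, set the POA&M order.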


Your assessor needs a “yes” to every row:

| # | Question | What “yes” looks like |
|---|----------|------------------------|
| 1 | Is the risk assessment frequency defined? | Policy specifies: at least annually and after significant changes |
| 2 | Are risk assessments conducted with the defined frequency? | Dated risk assessment document showing threats, vulnerabilities, likelihood, impact, and risk ratings |

Documents they’ll review: Risk assessment policy; risk assessment methodology documentation; risk assessment results; risk register; system security plan; POA&M showing risk-driven priorities

People they’ll talk to: Personnel with risk assessment and vulnerability management responsibilities; information security personnel

Live demos they’ll ask for: “Show me your most recent risk assessment document.” “What methodology did you use?” “How do results feed your security priorities?” “When was it last updated?”


These are the actual questions. Have answers ready.

  • “Show me your risk assessment. When was it last conducted?”
  • “What methodology did you use?”
  • “How do risk assessment results feed your security priorities?”
  • “Are risks tracked and updated over time?”

No formal assessment. Security decisions based on gut feeling rather than documented analysis. Conduct a formal risk assessment per NIST SP 800-30.

One-and-done. Assessed two years ago and never updated. Risks change — reassess annually and after significant changes.

No action on findings. Risks identified but nothing changes. Risk assessment results should feed your POA&M and investment priorities.



| Requirement | Why it matters here |
|-------------|---------------------|
| 3.11.2 — Scan for Vulnerabilities | Vulnerability scanning feeds the technical vulnerability identification |
| 3.11.3 — Fix What You Find | Remediation prioritized by risk assessment results |
| 3.12.2 — Track Every Gap | POA&M driven by risk assessment findings |