This playbook shows how to assign clear roles, build a practical training program, and run effective tabletop exercises to demonstrate compliance with RA.L2-3.11.1 (periodic risk assessment) from NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2; included are concrete steps, small-business examples, technical checks, and evidence you can collect for audits.
Assign roles and ownership that map to RA.L2-3.11.1
Start by documenting a small, clear RACI for risk assessment activities—Risk Owner (business unit), System Owner (IT), Information System Security Officer (ISSO) or equivalent, Authorizing Official (contract signatory), and an Assessment Lead (the person who runs the assessment). For a small business (20–100 people) you can combine roles: for example, the IT manager can be System Owner and Assessment Lead while the Operations Director serves as Risk Owner. Put these assignments in your System Security Plan (SSP) and a simple Roles & Responsibilities spreadsheet with contact info and signatures.
Role definitions and minimum responsibilities
Define responsibilities precisely so auditors can see who did what. Minimum responsibilities: Risk Owner approves risk tolerance and business impact ratings; System Owner maintains asset inventory and implements mitigations; Assessment Lead runs the assessment and produces the risk report; ISSO documents control gaps in the SSP and updates POA&Ms; leadership signs off on remediation priorities. Include required artifacts for each role (signed assessment report, change requests, POA&M entries). A one-page RACI matrix and an email naming the individuals are sufficient evidence for many assessments.
Build targeted training so staff can support and participate in assessments
Design training with three tracks: leadership (risk tolerance, decision-making, POA&M approval), technical staff (asset inventory, vulnerability scanning, log sources), and end users (recognition of incidents, data handling for CUI). For technical staff include hands-on modules: how to update an asset inventory, how to run authenticated vulnerability scans, basics of CVSS scoring, and how to collect evidence for the assessment (exported vulnerability scan CSV, change control records). For small shops, a 90‑minute annual leadership briefing plus 2–4 hour technical workshops per year is realistic.
Training curriculum, metrics, and evidence
Use measurable outcomes: a post-training quiz score threshold (e.g., 80%), training completion records, and signed attendance sheets. For technical training include hands-on labs (for example: run an nmap host discovery on your own subnet, nmap -sn 10.0.1.0/24, and compare the live hosts against the asset list, or export Nessus/OpenVAS scan results for the assessment). Maintain training records for 3 years in a centralized folder (PDF certificates, LMS export, or signed rosters) to demonstrate continuous competency during audits.
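The asset-list verification lab above is easier to teach with a concrete reconciliation step. The following Python script is an added example written for this playbook, not code from the original page or from any CMMC guidance; the nmap output and the inventory CSV are constructed sample data, and the inventory column names are assumed to match the fields listed later in this playbook (hostname, IP, owner, business function, CUI presence, criticality). It parses the normal output of nmap -sn, then reports live hosts missing from the inventory and inventoried hosts that did not answer, with a separate list for unresponsive hosts that hold CUI.

```python
import csv
import io
import re

# Constructed sample output of `nmap -sn 10.0.1.0/24` (not a real scan).
NMAP_SN_OUTPUT = """Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-01 09:00 EDT
Nmap scan report for fileserver01.example.local (10.0.1.10)
Host is up (0.0012s latency).
Nmap scan report for 10.0.1.25
Host is up (0.0030s latency).
Nmap scan report for 10.0.1.77
Host is up (0.0021s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.55 seconds
"""

# Constructed asset inventory export; columns are an assumption based on the
# inventory fields this playbook recommends.
INVENTORY_CSV = """hostname,ip,owner,business_function,cui,criticality
fileserver01,10.0.1.10,IT Manager,Engineering file share,yes,high
eng-nas-02,10.0.1.12,IT Manager,Engineering backup NAS,yes,high
hr-laptop-03,10.0.1.25,HR Director,HR workstation,no,medium
printer-02,10.0.1.40,Office Manager,Printing,no,low
"""

# Matches both "Nmap scan report for name (1.2.3.4)" and
# "Nmap scan report for 1.2.3.4" and captures the IPv4 address.
SCAN_REPORT = re.compile(
    r"^Nmap scan report for (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?$"
)


def parse_live_hosts(nmap_output: str) -> set[str]:
    """Return the set of IPv4 addresses that nmap reported as up."""
    live = set()
    pending = None
    for line in nmap_output.splitlines():
        match = SCAN_REPORT.match(line.strip())
        if match:
            pending = match.group(1)
            continue
        # Only count a host once nmap confirms it answered the probe.
        if line.startswith("Host is up") and pending:
            live.add(pending)
            pending = None
    return live


def load_inventory(csv_text: str) -> dict[str, dict]:
    """Index the inventory rows by IP address."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def reconcile(live: set[str], inventory: dict[str, dict]) -> dict[str, list[str]]:
    """Compare discovered hosts with the inventory.

    A host that answered but is not inventoried is an inventory gap to close.
    A host that did not answer may be powered off or filtered, so the result
    is a follow-up list rather than proof the asset is gone.
    """
    unlisted = sorted(live - inventory.keys())
    silent = sorted(set(inventory) - live)
    silent_cui = [ip for ip in silent if inventory[ip]["cui"].lower() == "yes"]
    return {
        "unlisted_live_hosts": unlisted,
        "inventory_hosts_not_responding": silent,
        "cui_hosts_not_responding": silent_cui,
    }


def run_lab() -> dict[str, list[str]]:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(parse_live_hosts(NMAP_SN_OUTPUT), load_inventory(INVENTORY_CSV))


if __name__ == "__main__":
    for key, hosts in run_lab().items():
        print(f"{key}: {', '.join(hosts) or 'none'}")
```

In a real workshop, save the nmap output to a file and point the script at it; the follow-up list for CUI hosts is the one to resolve first, because an unreachable CUI system is either a stale inventory entry or a system whose logging and scanning coverage should be confirmed.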
Plan and run tabletop exercises that validate the risk-assessment process
Tabletop exercises are practical, low-cost ways to validate your RA.L2-3.11.1 processes. Pick scenarios that stress controls tied to CUI handling: (1) targeted phishing that results in credential theft and exfiltration of design files; (2) ransomware hitting a file server with CUI; (3) insider exfiltration. For each tabletop define objectives that map back to RA.L2-3.11.1: identify assets at risk, validate detection and reporting paths, confirm decision points for risk acceptance, and generate POA&M entries for remediation gaps identified during the exercise.
Design, run, and capture actionable outputs
Run a 2–4 hour tabletop with a facilitator, a scribe, and the core participants (Risk Owner, System Owner, IT, HR, Legal, Facilities). Use timed injects (e.g., at T+30 minutes “SIEM alert shows large outbound transfer from file server”), force decisions (accept risk, mitigate, or escalate), and record the outputs: decisions, mitigation actions, owners, and deadlines. Produce an After-Action Report (AAR) that maps each finding to an SSP control and creates POA&M entries (example: POA&M RA-001 – Missing file-server access logging; owner: IT Manager; target date: 60 days). That AAR plus the signed attendance list is strong compliance evidence.
Technical implementation details and tooling for small businesses
Practical technical steps: start with an authoritative asset inventory (hostname, IP, owner, business function, CUI presence, and criticality). Run authenticated vulnerability scans monthly and record the results; map CVE/CVSS findings to business impact for risk scoring (e.g., risk = likelihood * impact, where likelihood is derived from CVSS exploitability and the asset's exposure). Use a simple risk register (spreadsheet or light GRC tool) with columns: ID, asset, vulnerability, likelihood score (1–5), impact score (1–5), risk score, mitigation, owner, status. Integrate log sources (endpoint logs, firewall, file-share audit logs) into a basic SIEM or log collector so detection capability can be demonstrated during tabletop scenarios.
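The risk-register columns and the likelihood * impact formula above are straightforward to automate once the inventory and a scan export exist. The following Python script is an added example for this playbook, not code from the original page or from any scanner vendor: the inventory, the scan export, the placeholder CVE identifiers, and the threshold tables that turn a CVSS base score plus exposure into a 1–5 likelihood and criticality plus CUI presence into a 1–5 impact are all constructed assumptions you should replace with your own organization's agreed scales. It joins the two files on IP address, scores each finding, treats a scanned host missing from the inventory as a worst-case asset, and returns the register sorted by risk score with IDs assigned in priority order.

```python
import csv
import io

# Constructed asset inventory (columns follow the playbook's inventory fields,
# plus an assumed "exposure" column used for likelihood).
ASSET_INVENTORY_CSV = """hostname,ip,owner,business_function,cui,criticality,exposure
fileserver01,10.0.1.10,IT Manager,Engineering file share,yes,high,internal
hr-laptop-03,10.0.1.25,HR Director,HR workstation,no,medium,internal
web-proxy-01,10.0.1.2,IT Manager,Outbound web proxy,no,medium,internet-facing
"""

# Constructed scan export in a simplified CSV shape; the CVE ids are placeholders.
SCAN_EXPORT_CSV = """host,cve,cvss_v3_base,name
10.0.1.10,CVE-0000-0001,9.8,SMB server remote code execution (constructed)
10.0.1.25,CVE-0000-0002,5.3,Browser information disclosure (constructed)
10.0.1.2,CVE-0000-0003,7.5,Proxy denial of service (constructed)
10.0.1.99,CVE-0000-0004,6.1,Web application cross-site scripting (constructed)
"""


def likelihood_score(cvss_base: float, exposure: str) -> int:
    """Map a CVSS v3 base score and exposure to a 1-5 likelihood (assumed thresholds)."""
    if cvss_base >= 9.0:
        score = 5
    elif cvss_base >= 7.0:
        score = 4
    elif cvss_base >= 4.0:
        score = 3
    elif cvss_base > 0.0:
        score = 2
    else:
        score = 1
    # Internet-facing assets are reachable by more attackers: bump one step.
    if exposure.lower() == "internet-facing":
        score += 1
    return min(score, 5)


def impact_score(criticality: str, cui: str) -> int:
    """Map asset criticality and CUI presence to a 1-5 impact (assumed scale)."""
    base = {"low": 2, "medium": 3, "high": 4}[criticality.lower()]
    if cui.lower() == "yes":
        base += 1  # a CUI exposure triggers contractual notification duties
    return min(base, 5)


def risk_rating(score: int) -> str:
    """Bucket a 1-25 risk score into the rating used for POA&M prioritization."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def build_risk_register(inventory_csv: str, scan_csv: str) -> list[dict]:
    """Join scan findings to assets and produce the playbook's register columns."""
    assets = {row["ip"]: row for row in csv.DictReader(io.StringIO(inventory_csv))}
    register = []
    for finding in csv.DictReader(io.StringIO(scan_csv)):
        asset = assets.get(finding["host"])
        if asset is None:
            # Unknown host: score it worst-case and make the inventory gap the mitigation.
            asset = {"hostname": f"UNINVENTORIED {finding['host']}", "owner": "Assessment Lead",
                     "cui": "yes", "criticality": "high", "exposure": "internet-facing"}
            mitigation = "Identify owner and add host to asset inventory, then reassess"
        else:
            mitigation = "Patch or apply vendor workaround; verify on next monthly scan"
        likelihood = likelihood_score(float(finding["cvss_v3_base"]), asset["exposure"])
        impact = impact_score(asset["criticality"], asset["cui"])
        risk = likelihood * impact
        register.append({
            "asset": asset["hostname"], "vulnerability": f"{finding['cve']} {finding['name']}",
            "likelihood": likelihood, "impact": impact, "risk_score": risk,
            "rating": risk_rating(risk), "mitigation": mitigation,
            "owner": asset["owner"], "status": "open",
        })
    # Highest risk first; IDs follow priority order so RA-001 is the top item.
    register.sort(key=lambda r: r["risk_score"], reverse=True)
    for n, row in enumerate(register, start=1):
        row["id"] = f"RA-{n:03d}"
    return register


if __name__ == "__main__":
    for row in build_risk_register(ASSET_INVENTORY_CSV, SCAN_EXPORT_CSV):
        print(f"{row['id']} {row['rating']:6} {row['risk_score']:2} {row['asset']}: {row['vulnerability']}")
```

Export the returned rows to CSV and attach the file, with the scan export it was built from, to the assessment report; re-running the script against each monthly scan produces the dated series of registers that shows the assessment is periodic rather than a one-off.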
Risks of failing to implement RA.L2-3.11.1 effectively
Failing to assign roles, train staff, and run tabletop exercises leaves you blind to where CUI is exposed and slows incident response decisions. Consequences include loss of DoD contracts, suspension from bidding, actual CUI breach with required notifications, fines, and reputational damage. Practically, auditors will flag incomplete SSPs, missing POA&Ms, and lack of evidence that risk assessments were performed or that leadership accepted residual risk—these are common failure points in CMMC pre-assessments.
Summary: to meet RA.L2-3.11.1, assign and document clear role ownership, train three targeted groups (leadership, technical, end user), and execute regular tabletop exercises that produce signed AARs and POA&M updates; pair these activities with concrete technical artifacts (asset inventory, vulnerability scans, log data) and you'll have a repeatable, auditable process that both reduces real risk and demonstrates compliance for small-business environments.