
How to Automate Periodic CUI Risk Assessments and Reporting: Tools, Workflows, and Metrics (NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2, Control RA.L2-3.11.1)

Practical steps to automate periodic risk assessments and reporting for Controlled Unclassified Information (CUI) to meet NIST SP 800-171 Rev.2 and CMMC 2.0 Level 2 RA.L2-3.11.1 with tools, workflows, and measurable metrics.

April 17, 2026


This post shows how small and mid-size organizations can automate periodic risk assessments and reporting required by NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control RA.L2-3.11.1 for Controlled Unclassified Information (CUI), including recommended tools, concrete workflows, example metrics, and practical evidence artifacts to produce repeatable, auditable outcomes.

What RA.L2-3.11.1 requires and the compliance objective

Control RA.L2-3.11.1 (NIST SP 800-171 Rev.2 requirement 3.11.1) requires organizations handling CUI to periodically assess the risk to organizational operations, assets, and individuals that arises from operating systems that process, store, or transmit CUI, and to keep evidence of those assessments and the actions they drive. Key objectives are (1) regular discovery and classification of CUI-bearing assets, (2) threat and vulnerability identification using a measurable scoring method, (3) documented risk acceptance and remediation decisions, and (4) repeatable reports an assessor can review. Implementation notes: the requirement does not fix a frequency, so define one in policy (e.g., continuous monitoring plus a quarterly formal assessment); document the methodology (scoring formula, data sources, who may accept residual risk); and retain artifacts for the period required by contract or regulation. The scanning and remediation pipeline below also produces evidence for the neighbouring requirements RA.L2-3.11.2 (vulnerability scanning) and RA.L2-3.11.3 (remediation in accordance with risk assessments), but 3.11.1 asks for the assessment itself, not just the scan: keep a written assessment record that interprets the scan data and records the decisions made on it.

Automation architecture and recommended toolset

Design an automation pipeline that integrates five layers: asset inventory and CUI tagging (CMDB / cloud inventory), scanning and telemetry collection (vulnerability scanners, CSPM, endpoint agents), risk scoring (automated calculators that combine CVSS, exploitability, and exposure), orchestration (SOAR / workflows plus ticketing), and reporting/GRC (automated evidence packages and dashboards). For small businesses, practical tool choices include: AWS Config plus AWS Systems Manager for cloud and hybrid on-prem inventory, open-source OpenVAS (Greenbone) or the free Nessus Essentials (limited to 16 IP addresses, so check it covers your CUI scope) for vulnerability scans, osquery or a comparable endpoint agent for host telemetry, Elastic Stack or Splunk for logs, and a lightweight GRC such as Airtable/Smartsheet or an affordable GRC platform (LogicGate, Drata, Secureframe) to store artifacts and produce reports.

Asset discovery and classification (practical steps)

Start by automating discovery: enable AWS Config rules, Azure Resource Graph, and an on-prem CMDB (a commercial product, or a simple CMDB kept as CSV/JSON in Git). Tag assets that store or process CUI with a consistent taxonomy (e.g., cui=true; cui_sensitivity=moderate|high). Because these tags decide what gets scanned and reported, treat them as controlled data: restrict who can add or remove them (IAM/SCP conditions) and alert on tag removals, since an untagged CUI host silently drops out of scope. Create a scheduled job (cron or cloud scheduler) that exports inventory JSON nightly. Build a small script (Python with boto3, or jq) that merges the inventory with an authoritative list of CUI owners to produce an "assets-with-CUI" dataset used by scanners, and that flags any CUI-tagged asset with no owner on record rather than dropping it. Evidence for auditors: inventory export, tag change events, and owner confirmation emails or tickets.
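The merge step above, as an added example that is not part of the original post: it joins a nightly inventory export with the authoritative CUI owner list, normalizes tag-key case and truthy values, and reports CUI-tagged assets that have no confirmed owner as exceptions instead of discarding them. The export record shape (`id`, `type`, `tags`), the owner CSV columns, and all asset identifiers are constructed for the example and are not a specific AWS Config or CMDB schema.

```python
"""Build the 'assets-with-CUI' dataset from a nightly inventory export and
an authoritative CUI owner list. Added example; the export shape, tag names
and owner CSV columns below are assumptions, not a product schema."""
import csv
import io
import json

# Constructed sample inventory export (assumed shape: one record per
# resource with an id, a type and a tag map) and a constructed owner list.
INVENTORY_JSON = json.dumps([
    {"id": "arn:aws:s3:::contracts-cui", "type": "s3_bucket",
     "tags": {"cui": "true", "cui_sensitivity": "high", "env": "prod"}},
    {"id": "i-0a1b2c3d", "type": "ec2_instance",
     "tags": {"CUI": "True", "cui_sensitivity": "moderate"}},   # key case drift
    {"id": "srv-fileshare-01", "type": "windows_server",
     "tags": {"cui": "yes"}},                                    # CUI, no owner on file
    {"id": "i-0ffffff", "type": "ec2_instance",
     "tags": {"env": "dev"}},                                    # not CUI
])
OWNERS_CSV = """asset_id,owner,confirmed_ticket
arn:aws:s3:::contracts-cui,alice@example.com,OPS-101
i-0a1b2c3d,bob@example.com,OPS-102
"""

TRUE_VALUES = {"true", "yes", "1"}


def _lower_tags(tags):
    """Normalize tag keys and values so 'CUI=True' and 'cui=true' match."""
    return {k.lower(): str(v).strip().lower() for k, v in tags.items()}


def is_cui(tags):
    return _lower_tags(tags).get("cui") in TRUE_VALUES


def sensitivity(tags):
    return _lower_tags(tags).get("cui_sensitivity", "unspecified")


def load_owners(csv_text):
    return {row["asset_id"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def build_cui_dataset(inventory_json, owners_csv):
    """Return (assets_with_cui, exceptions). Every CUI-tagged asset lands in the
    first list; those with no owner on record are also listed as exceptions so
    they can be chased before the scan window rather than silently dropped."""
    owners = load_owners(owners_csv)
    assets, exceptions = [], []
    for res in json.loads(inventory_json):
        tags = res.get("tags", {})
        if not is_cui(tags):
            continue
        owner = owners.get(res["id"])
        assets.append({
            "asset_id": res["id"],
            "type": res["type"],
            "cui_sensitivity": sensitivity(tags),
            "owner": owner["owner"] if owner else None,
            "owner_evidence": owner["confirmed_ticket"] if owner else None,
        })
        if owner is None:
            exceptions.append(res["id"])
    return assets, exceptions


if __name__ == "__main__":
    cui_assets, missing_owner = build_cui_dataset(INVENTORY_JSON, OWNERS_CSV)
    print(json.dumps(cui_assets, indent=2))
    print("CUI assets without a confirmed owner:", missing_owner)
```

The `owner_evidence` field carries the ticket that confirmed ownership, which is exactly the artifact an assessor asks for when checking that the asset list is authoritative rather than a best guess.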

Vulnerability scanning, configuration checks, and automated scoring

Automate weekly credentialed vulnerability scans of CUI-tagged assets and continuous CSPM (e.g., Prisma Cloud, open-source ScoutSuite, or Microsoft Defender for Cloud). Normalize outputs to a common schema (host, vuln_id, CVSSv3, first_seen, last_seen) so findings from different scanners can be scored and tracked the same way. Compute a weighted risk score per finding; an example formula is RiskScore = CVSS_base * AssetCriticalityWeight * ExposureFactor, where CVSS_base is the CVSS v3.x base score (0 to 10), AssetCriticalityWeight is 1.5 for internet-facing CUI hosts, and ExposureFactor is 1.2 when credentials are available in code. With those multipliers the score can reach 18, so set thresholds against the weighted scale rather than the raw CVSS scale, and write the weights and thresholds into your documented methodology. Implement this as a Lambda or container job that writes results to your GRC datastore. Use thresholds to auto-create remediation tickets (e.g., RiskScore > 7 creates a Jira ticket with a 7-day SLA) and to escalate to the CISO when a finding above the threshold is still present in the latest scan more than 30 days after it was first seen.
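The scoring and triage logic described above, as an added example that is not from the original post: it holds normalized findings in the common schema, applies the RiskScore formula with the 1.5 and 1.2 multipliers quoted in the text, opens a ticket with a 7-day SLA above 7, and escalates when a high-score finding is still present in the latest scan more than 30 days after first_seen. The neutral 1.0 weights, the criticality/exposure labels, the fixed reporting date and the sample findings are constructed assumptions.

```python
"""Score normalized findings and decide ticket/escalation actions.
Added example; the 1.5 and 1.2 multipliers and the 7 / 30-day thresholds
come from the text, the neutral 1.0 weights and sample data are assumed."""
from dataclasses import dataclass
from datetime import date, timedelta

# 1.5 and 1.2 are the weights from the text; 1.0 is the assumed neutral value.
CRITICALITY_WEIGHT = {"internet_facing_cui": 1.5, "internal_cui": 1.0}
EXPOSURE_FACTOR = {"credentials_in_code": 1.2, "none": 1.0}
TICKET_THRESHOLD = 7.0      # RiskScore > 7 -> remediation ticket
TICKET_SLA_DAYS = 7
ESCALATE_AFTER_DAYS = 30    # still present > 30 days after first_seen -> CISO


@dataclass(frozen=True)
class Finding:
    """Common schema from the text plus two asset attributes from the CUI dataset."""
    host: str
    vuln_id: str
    cvss_v3: float
    first_seen: date
    last_seen: date
    criticality: str = "internal_cui"
    exposure: str = "none"


def risk_score(f: Finding) -> float:
    """RiskScore = CVSS_base * AssetCriticalityWeight * ExposureFactor (max 18)."""
    if not 0.0 <= f.cvss_v3 <= 10.0:
        raise ValueError(f"CVSS base score out of range for {f.vuln_id}: {f.cvss_v3}")
    return round(f.cvss_v3 * CRITICALITY_WEIGHT[f.criticality] * EXPOSURE_FACTOR[f.exposure], 2)


def triage(f: Finding, today: date) -> dict:
    """Decide the automated action for one finding as of the scan date `today`."""
    score = risk_score(f)
    age_days = (today - f.first_seen).days
    still_present = f.last_seen == today          # reported by the latest scan
    action = {"host": f.host, "vuln_id": f.vuln_id, "risk_score": score,
              "create_ticket": False, "sla_due": None, "escalate_to_ciso": False}
    if score > TICKET_THRESHOLD:
        action["create_ticket"] = True
        action["sla_due"] = (today + timedelta(days=TICKET_SLA_DAYS)).isoformat()
        action["escalate_to_ciso"] = still_present and age_days > ESCALATE_AFTER_DAYS
    return action


def run(findings, today: date) -> list:
    return [triage(f, today) for f in findings]


# Constructed sample findings (vuln_ids are placeholders, not real identifiers).
TODAY = date(2026, 4, 17)
SAMPLE = [
    Finding("web-01", "F-001", 7.5, date(2026, 4, 10), TODAY, "internet_facing_cui", "none"),
    Finding("build-01", "F-002", 6.5, date(2026, 3, 1), TODAY, "internal_cui", "credentials_in_code"),
    Finding("db-01", "F-003", 5.3, date(2026, 4, 15), TODAY),
]

if __name__ == "__main__":
    for action in run(SAMPLE, TODAY):
        print(action)
```

Note that the second finding has a raw CVSS of 6.5, below the ticket threshold on its own, but the credentials-in-code exposure lifts it to 7.8 and its age triggers escalation; that is the behaviour the weighting is meant to produce, and it is worth showing an assessor with a real example from your own data.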

Orchestration, remediation verification, and evidence chain

Integrate scanners and ticketing with orchestration: use a SOAR or simple automation scripts that create tickets (Jira/ServiceNow) with attachments (scan export), assign owners, and trigger remediation playbooks (Ansible or Terraform apply). After remediation, schedule an automatic re-scan to verify closure; attach the re-scan output to the ticket and mark the risk as mitigated in the GRC only when the re-scan no longer reports the finding, never on the ticket being closed by hand. Preserve a timestamped audit trail: ticket ID, remediation commit hashes (Git), change control approvals, and post-remediation scan results. This chain is a primary artifact for demonstrating RA.L2-3.11.1 compliance during assessments.

Metrics, dashboards, and reporting

Define a small set of measurable metrics that map to compliance objectives: percentage of CUI assets inventoried, average time-to-remediate (MTTR) for high-risk items, number of high-risk findings per month, percent of findings verified after remediation, and a rolling residual risk trend (weighted average RiskScore across CUI assets). Implement dashboards (Grafana/PowerBI) pulling from your GRC DB to show trends and produce automated monthly PDF reports. For audits, include a quarterly formal assessment report that synthesizes continuous monitoring data plus any tabletop or threat modeling results.
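The metrics listed above, computed from GRC records as an added example that is not part of the original post. The record layout (one row per finding with `risk_score`, `first_seen`, `closed`, `verified`), the expected-versus-inventoried asset lists and all values are constructed; the residual-risk definition (open RiskScore summed per CUI asset, then averaged across assets) is one reasonable reading of "weighted average RiskScore across CUI assets" and is an assumption.

```python
"""Compute the reporting metrics from GRC records. Added example; the record
layout and sample values are constructed and the residual-risk formula is an
assumed reading of the text, not a GRC product's built-in metric."""
from collections import Counter
from datetime import date
from statistics import mean

HIGH_RISK = 7.0   # same threshold the scoring job uses to open tickets

# Constructed sample data (not real assets or findings).
CUI_ASSETS_EXPECTED = ["s3-contracts", "web-01", "build-01", "fs-01"]   # owner list
CUI_ASSETS_INVENTORIED = ["s3-contracts", "web-01", "build-01"]         # last export
FINDINGS = [
    {"asset": "web-01", "risk_score": 11.25, "first_seen": date(2026, 2, 3),
     "closed": date(2026, 2, 8), "verified": True},
    {"asset": "build-01", "risk_score": 7.8, "first_seen": date(2026, 3, 1),
     "closed": date(2026, 3, 15), "verified": False},   # closed, re-scan not yet run
    {"asset": "web-01", "risk_score": 9.0, "first_seen": date(2026, 3, 20),
     "closed": None, "verified": False},                # still open
    {"asset": "build-01", "risk_score": 5.3, "first_seen": date(2026, 3, 22),
     "closed": date(2026, 4, 1), "verified": True},
]


def pct_inventoried(expected, inventoried):
    """Share of assets on the authoritative CUI list seen in the last export."""
    return round(100.0 * len(set(expected) & set(inventoried)) / len(set(expected)), 1)


def mttr_high_risk_days(findings):
    """Mean days from first_seen to ticket closure, high-risk closed findings only."""
    durations = [(f["closed"] - f["first_seen"]).days for f in findings
                 if f["risk_score"] > HIGH_RISK and f["closed"] is not None]
    return round(mean(durations), 1) if durations else None


def high_risk_per_month(findings):
    """Count of new high-risk findings keyed by the month they were first seen."""
    return dict(Counter(f["first_seen"].strftime("%Y-%m")
                        for f in findings if f["risk_score"] > HIGH_RISK))


def pct_verified(findings):
    """Share of closed findings confirmed gone by an automatic re-scan."""
    closed = [f for f in findings if f["closed"] is not None]
    return round(100.0 * sum(f["verified"] for f in closed) / len(closed), 1) if closed else None


def residual_risk(findings, assets):
    """Open RiskScore summed per CUI asset, averaged across all CUI assets
    (assumed definition); assets with nothing open contribute 0."""
    per_asset = {a: 0.0 for a in assets}
    for f in findings:
        if f["closed"] is None:
            per_asset[f["asset"]] = per_asset.get(f["asset"], 0.0) + f["risk_score"]
    return round(mean(per_asset.values()), 2)


def report(findings=FINDINGS, expected=CUI_ASSETS_EXPECTED, inventoried=CUI_ASSETS_INVENTORIED):
    """One row for the monthly report / dashboard."""
    return {
        "pct_cui_assets_inventoried": pct_inventoried(expected, inventoried),
        "mttr_high_risk_days": mttr_high_risk_days(findings),
        "high_risk_per_month": high_risk_per_month(findings),
        "pct_verified_after_remediation": pct_verified(findings),
        "residual_risk": residual_risk(findings, inventoried),
    }


if __name__ == "__main__":
    for k, v in report().items():
        print(f"{k}: {v}")
```

Two points the numbers make visible: the inventory coverage metric only means something if the denominator is the owner-confirmed list rather than whatever the export happened to contain, and a finding closed in the ticket system but not verified by re-scan counts against the verified percentage, which is the signal that the verification step is being skipped.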

Small-business example scenario

Example: a 40-person contractor uses AWS and two on-prem Windows servers that store CUI. Implementation steps: 1) tag S3 buckets and EC2 instances containing CUI; 2) enable AWS Config and schedule nightly exports; 3) run credentialed Nessus scans weekly against the private subnets and the two on-prem servers (a scanner needs network reachability to them, and Nessus Essentials covers at most 16 IP addresses) and configure GuardDuty for threat detection; 4) ingest scan results into an Airtable GRC and apply a scoring Lambda that computes the RiskScore; 5) auto-create Jira tickets for findings above the policy threshold (RiskScore > 7 in the scoring section above) with remediation SLAs; 6) produce a monthly risk report (PDF) that the security officer signs and stores, and a quarterly assessment report that interprets those results. Cost-effective choices (Nessus Essentials, AWS native services, Airtable) make this feasible without an enterprise GRC budget.

Risks of not automating and compliance tips / best practices

Failing to implement automated periodic assessments increases the likelihood of undetected vulnerabilities, lateral movement, CUI exposure, contract loss, and negative findings in a CMMC assessment. Best practices: codify assessment frequency and scoring in policy, keep your asset tags authoritative, retain raw scan outputs and remediation records for the required retention period, and test your pipeline quarterly (tabletop plus simulated incidents). For small teams, prioritize automation for discovery, critical scanning, and ticketing first; manual reporting can be layered in while you build out full orchestration.

In summary, meeting RA.L2-3.11.1 in a practical, auditable way requires an automation pipeline that starts with reliable CUI asset identification, feeds regular scanning and telemetry into an automated risk-scoring engine, ties findings to remediation workflows and verification, and surfaces measurable metrics in periodic reports; small businesses can implement this using a mix of cloud-native services, affordable scanners, and lightweight GRC tools to produce consistent evidence for assessors while materially reducing risk to CUI.
