
How to Create an Audit-Ready Risk Assessment Checklist for CUI to Satisfy NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - RA.L2-3.11.1

A practical, step-by-step checklist and evidence guide to perform audit-ready risk assessments for CUI that satisfy NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 RA.L2-3.11.1 requirements.

April 07, 2026
4 min read


NIST SP 800-171 Rev.2 control 3.11.1 (mapped to CMMC 2.0 Level 2 RA.L2-3.11.1) requires organizations to conduct risk assessments that identify risks to organizational operations, assets, and individuals arising from the processing, storage, or transmission of Controlled Unclassified Information (CUI). This post provides a practical, audit-ready checklist and implementation guidance tailored to small businesses working under the Compliance Framework.

Understanding RA.L2-3.11.1 and audit expectations

At its core RA.L2-3.11.1 expects an organization to have a documented risk assessment process, periodically perform risk assessments focused on systems that handle CUI, and retain evidence that the organization analyzed threats, vulnerabilities, likelihoods, impacts, and produced risk treatment actions (or accepted residual risk). Auditors will look for a consistent methodology, current asset and CUI inventories, measurable scoring, assigned risk owners, treatment plans (POA&Ms), and artifacts that prove assessment activities occurred on schedule (reports, meeting minutes, scan outputs, signatures).

Audit-ready checklist — essential artifacts and implementation notes

For Compliance Framework practice, prepare the following minimum artifacts before an audit:

(1) Risk Assessment Policy & Methodology mapped to NIST SP 800-30/800-171;
(2) Current asset inventory with CUI mapping (CMDB or spreadsheet);
(3) Recent risk assessment report(s) showing scope, findings, scoring and residual risk;
(4) Risk Register / Risk Tracker with owners, status and mitigation dates;
(5) POA&M entries for unresolved findings;
(6) Evidence of vulnerability scans and remediation verification;
(7) Signed risk acceptance memos where risk is accepted;
(8) Meeting notes or minutes for risk review meetings.

Implementation notes: record timestamps, tool outputs and the identity of reviewers/approvers to make evidence tamper-evident for auditors.

Step 1 — Prepare: scope, methodology and asset/CUI inventory

Begin by defining scope: list the systems, cloud services, endpoints, and third-party connections that store, process or transmit CUI. For small businesses a simple CMDB (Excel/CSV or a lightweight database) is acceptable if it contains hostname, IP, owner, CUI type, location, and criticality. Use discovery tools and AD queries to validate the inventory (example PowerShell: Get-ADComputer -Filter * -Properties Name,OperatingSystem | Select-Object Name,OperatingSystem | Export-Csv assets.csv -NoTypeInformation). Tag items that handle CUI so audits can quickly confirm coverage. Document the assessment cadence (annual full assessment, quarterly focused reviews, ad hoc after major changes).
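As an added example (not code from the original post), the following Python script checks a CSV-style CMDB export for the six fields listed above, extracts the CUI-tagged assets that form the assessment scope, and flags data-quality gaps an auditor would notice, such as a CUI asset with no named owner. The column names and the sample rows are assumptions constructed for the example.

```python
import csv
import io

# Fields the post says a small-business CMDB must carry for each asset.
REQUIRED_COLUMNS = ("hostname", "ip", "owner", "cui_type", "location", "criticality")
VALID_CRITICALITY = ("low", "medium", "high")

# Constructed sample inventory (fictional hosts and addresses); an empty cui_type
# means the asset is tagged out of CUI scope.
SAMPLE_INVENTORY = """hostname,ip,owner,cui_type,location,criticality
fileserver01,10.0.1.10,jdoe,CTI,HQ server room,high
workstation07,10.0.2.7,asmith,,HQ floor 2,low
cloudshare,203.0.113.5,,Export Controlled,SaaS tenant,high
"""


def load_inventory(csv_text):
    """Parse the CSV and fail loudly if a required column is absent."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"inventory is missing required columns: {missing}")
    return list(reader)


def validate_inventory(rows):
    """Return (cui_assets, findings).

    cui_assets: hostnames tagged as handling CUI (the assessment scope).
    findings:   data-quality gaps on CUI assets that an auditor would flag.
    """
    cui_assets = []
    findings = []
    for row in rows:
        host = row["hostname"].strip()
        if not row["cui_type"].strip():
            continue  # out of scope for the CUI risk assessment
        cui_assets.append(host)
        if not row["owner"].strip():
            findings.append(f"{host}: CUI asset has no named owner")
        if row["criticality"].strip().lower() not in VALID_CRITICALITY:
            findings.append(f"{host}: criticality must be one of {VALID_CRITICALITY}")
    return cui_assets, findings


if __name__ == "__main__":
    scope, gaps = validate_inventory(load_inventory(SAMPLE_INVENTORY))
    print("CUI-scoped assets:", scope)
    for gap in gaps:
        print("FINDING:", gap)
```

Run it against the real export (for instance the assets.csv produced by the PowerShell query above, once the extra columns are filled in) and keep the output with the assessment evidence: it documents both the scope and the inventory corrections that were made before scoring began.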

Step 2 — Identify threats and vulnerabilities (technical and non-technical)

Collect evidence from vulnerability scanners (Nessus, Qualys, or open-source alternatives), patch management reports, configuration baseline checks, and threat intelligence feeds. Include non-technical threats such as supply-chain vendor access, remote work practices, and insider risk. Use CVSS v3.1 scores to quantify vulnerability severity, and map vulnerabilities to affected CUI systems. Example small-business scenario: a subcontractor uses remote desktop into a CUI server—document vendor MFA posture, RDP exposure, and any compensating controls (bastion host, IP allowlists).

Step 3 — Analyze and score risk (practical scoring and thresholds)

Use a simple numeric model (Likelihood 1–5 × Impact 1–5) and define thresholds (e.g., 1–6 low, 7–12 medium, 13–25 high). Define impact criteria in business terms: confidentiality loss, operational outage, regulatory/contractual breach, and financial cost. Record both inherent and residual risk: inherent risk before controls and residual risk after applying controls. A practical rule: any residual risk scoring ≥ 15 (high) needs documented mitigation with milestones or a signed executive risk acceptance. Example: exposed RDP to a CUI server (likelihood 4, impact 5 = 20); mitigation could be removing direct access, requiring VPN + MFA, or accepting the risk with a documented mitigation timeline.
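The scoring model above, implemented as an added example (not code from the original post): each register entry carries inherent and residual likelihood/impact on the 1–5 scale, the thresholds and the ≥ 15 acceptance rule are those stated in the text, and the function reports which entries still lack a POA&M milestone or a signed acceptance. The Risk fields and the three sample entries are constructed assumptions; the first entry is the post's own RDP scenario.

```python
from dataclasses import dataclass, field

# Scoring model from the post: Likelihood 1-5 x Impact 1-5, thresholds 1-6 low,
# 7-12 medium, 13-25 high; residual >= 15 needs milestones or signed acceptance.
ACCEPTANCE_THRESHOLD = 15


def score(likelihood, impact):
    """Return Likelihood x Impact after checking both are on the 1-5 scale."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be between 1 and 5, got {value}")
    return likelihood * impact


def rating(value):
    """Map a score to the post's low/medium/high bands."""
    if value <= 6:
        return "low"
    if value <= 12:
        return "medium"
    return "high"


@dataclass
class Risk:
    title: str
    cui_system: str
    likelihood: int
    impact: int
    residual_likelihood: int
    residual_impact: int
    milestones: list = field(default_factory=list)  # POA&M milestone strings
    accepted_by: str = ""  # signer of an executive risk-acceptance memo, if any


def evaluate(risk):
    """Compute inherent/residual scores and what the entry still needs before audit."""
    inherent = score(risk.likelihood, risk.impact)
    residual = score(risk.residual_likelihood, risk.residual_impact)
    # Medium/high residual risk needs a POA&M entry (Step 4); >= 15 additionally
    # needs dated milestones or a signed executive acceptance.
    needs_poam = rating(residual) != "low"
    needs_decision = residual >= ACCEPTANCE_THRESHOLD and not (risk.milestones or risk.accepted_by)
    return {
        "title": risk.title,
        "cui_system": risk.cui_system,
        "inherent": inherent,
        "inherent_rating": rating(inherent),
        "residual": residual,
        "residual_rating": rating(residual),
        "needs_poam": needs_poam,
        "needs_decision": needs_decision,
    }


# Constructed sample register. The first entry is the post's RDP scenario
# (likelihood 4, impact 5 = 20) with VPN + MFA planned as the treatment.
SAMPLE_REGISTER = [
    Risk("Exposed RDP to CUI server", "fileserver01", 4, 5, 2, 5,
         milestones=["2026-05-01 move RDP behind VPN + MFA"]),
    Risk("Vendor remote access without MFA", "fileserver01", 4, 4, 4, 4),
    Risk("Unpatched workstation in CUI enclave", "workstation07", 3, 2, 1, 2),
]


def open_decisions(register):
    """Titles of risks that still need a POA&M milestone or signed acceptance."""
    return [r["title"] for r in map(evaluate, register) if r["needs_decision"]]


if __name__ == "__main__":
    for result in map(evaluate, SAMPLE_REGISTER):
        print(result)
    print("Needs decision before audit:", open_decisions(SAMPLE_REGISTER))
```

Keeping the residual likelihood and impact as separate recorded values, rather than a single adjusted score, lets an auditor see exactly which factor the control changed (VPN + MFA lowers likelihood, not impact) and check that claim against the retest evidence.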

Step 4 — Treat, document and retain evidence

Create a Risk Treatment Plan/POA&M entry for each medium/high risk that includes owner, mitigation tasks, target dates, and verification steps. Evidence for auditors should include: original scan output (exported CSV/PDF), remediation ticket/activity in your tracker (e.g., Jira/Trello, with timestamps), retest results showing reduced CVSS or closed vulnerability, and a signed closure memo. Update the SSP/SSP-Lite to reflect residual risk decisions and control implementations. For continuous monitoring, integrate scheduled scans and SIEM alerts; retain logs and scan snapshots for the audit evidence window (commonly 12–36 months per contract requirements).

Compliance tips, best practices and consequences of non-implementation

Compliance tips: appoint a named risk owner for CUI (often the ISSO/IT manager in small businesses), run tabletop exercises to validate response to a high-risk scenario, automate data collection where possible (scheduled scans, automated inventory exports), and maintain a single risk register. Best practices include mapping each risk finding back to the specific NIST/CMMC control it affects, keeping risk treatment timelines realistic, and having executive sign-off on accepted residual risks. The risks of not implementing this requirement include loss of DoD or federal contracts, DFARS noncompliance exposure, actual CUI breaches, contractual penalties, and reputational damage that can sink a small business.

Finally, prepare for auditors by packaging a risk assessment binder (or digital folder) with: the methodology, latest risk assessment report, asset and CUI inventory, raw scan outputs, risk register/POA&M, evidence of remediation and retests, and signed acceptance/approval forms, organized chronologically and indexed so an auditor can verify timelines and reviewer identities quickly.
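One way to produce the index for that binder, and to make the retained evidence tamper-evident as the implementation notes above recommend, is a hash manifest. The following is an added example (not code from the original post): it records each artifact's SHA-256, size and position, the reviewer who generated the index, and a timestamp, and it can later report any file that was modified, removed or added after the index was signed. The file names and contents are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed evidence set standing in for the binder contents (scan export,
# risk register, acceptance memo). Real artifacts would be read from disk.
SAMPLE_EVIDENCE = {
    "01_methodology.pdf": b"%PDF-1.4 constructed placeholder for the methodology document",
    "02_scan_2026-03-15.csv": b"host,cve,cvss\nfileserver01,CVE-XXXX-PLACEHOLDER,9.8\n",
    "03_risk_register.csv": b"id,title,residual\nR-1,Exposed RDP,10\n",
    "04_acceptance_memo.pdf": b"%PDF-1.4 constructed placeholder for the signed memo",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(files, reviewer, generated_at=None):
    """Index every artifact with its SHA-256, size and position in the binder."""
    generated_at = generated_at or datetime.now(timezone.utc).isoformat()
    entries = [
        {"index": i, "file": name, "size": len(files[name]), "sha256": sha256_hex(files[name])}
        for i, name in enumerate(sorted(files), start=1)
    ]
    return {"generated_at": generated_at, "reviewer": reviewer, "entries": entries}


def verify_manifest(manifest, files):
    """Return problems found when comparing the current files against the manifest."""
    problems = []
    listed = {e["file"] for e in manifest["entries"]}
    for entry in manifest["entries"]:
        data = files.get(entry["file"])
        if data is None:
            problems.append(f"missing: {entry['file']}")
        elif sha256_hex(data) != entry["sha256"]:
            problems.append(f"modified: {entry['file']}")
    for name in sorted(set(files) - listed):
        problems.append(f"unlisted: {name}")
    return problems


def manifest_json(manifest):
    """Serialize deterministically so the manifest itself can be signed or hashed."""
    return json.dumps(manifest, indent=2, sort_keys=True)


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_EVIDENCE, reviewer="J. Doe (ISSO)")
    print(manifest_json(manifest))
    print("Verification:", verify_manifest(manifest, SAMPLE_EVIDENCE) or "all artifacts intact")
```

The manifest only proves integrity relative to itself, so store a copy where the people producing the evidence cannot silently replace it (attached to the risk review ticket, or with the reviewer's signature on the printed hash list); the JSON is serialized deterministically for exactly that reason.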

In summary, an audit-ready RA.L2-3.11.1 checklist centers on a clear methodology, validated CUI asset inventory, documented threat/vulnerability analysis, numeric risk scoring with residual risk decisions, actionable treatment plans with evidence of mitigation and retest, and retained artifacts with owner sign-offs—practical steps that a small business can implement with modest tooling and disciplined documentation to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 requirements.
