This guide walks a small business through implementing periodic risk assessments for Controlled Unclassified Information (CUI) to satisfy NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control RA.L2-3.11.1, translating compliance language into a practical, repeatable process that produces evidence for auditors and actionable remediation for IT staff.
What RA.L2-3.11.1 requires and why it matters
RA.L2-3.11.1 mandates periodic risk assessments tailored to the organization's environment, focusing on risks to CUI and the associated systems and processes. For organizations subject to the Compliance Framework this means documenting a methodology, executing assessments on a defined cadence (and after significant changes), scoring risks, and producing artifacts such as a risk register and POA&M entries that map to NIST SP 800-171 controls. Failing to do this increases chance of CUI exposure, contract loss, or failing a CMMC assessment.
Step-by-step implementation
Step 1 — Define scope and inventory CUI
Identify where CUI resides (endpoints, servers, cloud buckets, email, third-party systems), who accesses it, and data flows. Small-business example: a 12-person defense subcontractor finds CUI in an Office 365 tenant, two EC2 instances, a contractor laptop, and a file share. Create a CUI inventory spreadsheet (or use a GRC tool) that records asset owner, location, classification, and business process. This is the baseline scope for every assessment.
Step 2 — Select and document a risk assessment methodology
Choose a methodology and document it in your System Security Plan (SSP): NIST SP 800-30 for process guidance, qualitative (High/Medium/Low) or quantitative (using CVSS and expected loss estimates). For many small businesses, a hybrid approach works: use CVSS for technical vulnerabilities and a qualitative matrix for business impact. Record how you calculate likelihood (historical incidents, threat intelligence, exploitability) and impact (loss of confidentiality/integrity/availability, contract penalties, reputation). This documented methodology is evidence for RA.L2-3.11.1.
Step 3 — Identify threats and vulnerabilities with technical controls
Run authenticated vulnerability scans (Nessus, OpenVAS) against servers and endpoints, perform configuration checks (CIS Benchmarks, AWS CIS Foundations, Azure Security Center), review identity and access configurations (IAM roles, MFA absence), and map findings to CUI assets. Example technical items: missing TLS 1.2+, weak S3 bucket permissions, endpoint OSs with unpatched CVEs, shared local admin accounts. Capture vulnerability IDs, CVSS scores, and contextual notes (e.g., whether the asset stores CUI in plaintext).
Step 4 — Analyze and score risks, produce a risk register
Combine asset criticality, vulnerability severity, and threat likelihood to produce a prioritized risk register. Use a risk matrix (e.g., Likelihood: Rare→Almost Certain; Impact: Low→Severe) and assign a risk owner for each entry. For instance, a public S3 bucket containing CUI scored as High likelihood × Severe impact = Critical risk; immediate mitigation required. Document residual risk after compensating controls (encryption at rest, VPC service endpoints, IAM restrictions) and obtain management sign-off for any accepted risks.
Step 5 — Remediation planning and POA&M tracking
For each risk, create a Plan of Action & Milestones (POA&M) entry with target dates, resources required, and mitigation steps (e.g., apply critical patch, enable MFA for all users, implement least privilege). Use ticketing systems (JIRA, ServiceNow, GitHub Issues) to assign tasks and produce evidence of remediation. Small-business tip: prioritize quick wins such as changing IAM policies, revoking unused accounts, and enabling cloud provider encryption keys (AWS KMS, Azure Key Vault with AES-256) before larger architectural changes.
Step 6 — Schedule cadence, triggers, and evidence collection
Set a regular assessment cadence (at least annually is minimum; many organizations choose quarterly for vulnerability scans and semi-annual full risk reviews) and define triggers: environment changes, contracts with new DoD clauses, major software updates, or an incident. Collect and retain evidence: scan logs, meeting minutes showing risk acceptance, updated SSP pages, POA&M entries, and remediation tickets. If using cloud, configure continuous monitoring (AWS Config rules, Azure Policy) to generate alerts and evidence automatically.
Compliance tips, best practices, and risk of non-compliance
Best practices: integrate the risk assessment outputs into the SSP and CMMC audit evidence bundle; automate data collection where possible; document methodology and scoring rationale; involve leadership for risk acceptance; and run tabletop exercises to validate assumptions. Real-world scenario: a small company that failed to reassess after onboarding a subcontractor experienced a misconfigured file share that exposed CUI, leading to contract termination. The primary risks of not implementing RA.L2-3.11.1 are data breach of CUI, failed CMMC assessments, corrective action demands from contracting officers, loss of contracts, and reputational damage.
In summary, implementing RA.L2-3.11.1 for CUI under NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 is a structured process: scope and inventory CUI, document a repeatable methodology, run technical scans and threat analysis, score and register risks, remediate with tracked POA&Ms, and maintain a regular cadence with evidence. For small businesses the focus should be on pragmatic controls (patching, MFA, encryption, access reviews), clear documentation, and automation where feasible to sustain compliance and reduce the likelihood of CUI compromise.
