Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - RA.L2-3.11.1: Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of Controlled Unclassified Information (CUI).
Understanding the Requirement
This control requires your organization to run recurring risk assessments that identify how threats and vulnerabilities affect business operations, assets, and people, especially where systems process, store, or transmit Controlled Unclassified Information. Under NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 you must define how often assessments occur and then perform them at that cadence, producing documented findings that support mitigation planning. The goal is to convert identified risks into prioritized, trackable actions so CUI and operations remain protected.
Technical Implementation
- Define frequency and triggers: Establish a written policy that sets the baseline cadence (e.g., annual) and additional triggers for re-assessment (major system changes, new CUI processing, security incidents, mergers/acquisitions, or significant staffing changes). Keep this frequency reasonable for an SMB: annual reviews plus on-change assessments are common and practical. An assessor will look for both the documented frequency and evidence that assessments actually happened at that frequency.
- Create and maintain a CUI-aware asset inventory: List systems, servers, endpoints, cloud services, and data stores that process or hold CUI. Record owner, location, data type, criticality, and the date each asset was last assessed. This inventory is the starting point for scoped assessments and keeps the size of each assessment manageable for an SMB.
- Select a simple risk assessment method and templates: Use a qualitative matrix (Likelihood x Impact) or a basic quantitative spreadsheet if you have the data. Write down what each point on the likelihood and impact scales means so two assessors score the same risk the same way. Provide templates for threat identification, vulnerability listing, risk scoring, and recommended mitigations. Reuse the same template and scales each cycle so results are comparable over time.
- Perform assessments with the right people and tools: Involve employees with information security responsibilities and system/network administrators to identify threats, vulnerabilities, and existing controls. Use vulnerability scan results, patch status, change records, backup tests, and access logs as evidence. Document decisions and supporting evidence in a risk assessment report.
- Assign risk owners and remediation plans: For each identified risk, designate an owner, remediation action, priority, target completion date, and residual risk level. Re-score the residual risk after the action is verified rather than assuming the fix worked. Track actions in a simple ticketing or spreadsheet tracker and report status to leadership at each assessment cycle.
- Integrate continuous monitoring and a review loop: Use lightweight monitoring (anti-malware alerts, cloud provider security dashboards, automated backups and integrity checks) to surface changes between formal assessments. Schedule lessons-learned reviews after incidents and update the assessment frequency or scope if needed.
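The steps above describe a data structure (the CUI inventory and risk register) and a scoring rule (Likelihood x Impact) more than a policy, so a small script can make them concrete. The following is an added example, not code from the page or from any CMMC tooling: it keeps an inventory and register as plain Python records, scores each risk, orders remediation by score, tracks residual risk after a fix, and flags the two conditions that should trigger work between formal cycles (overdue remediation items and CUI assets whose last assessment is older than the cadence). The 1-5 ordinal scales, the band thresholds, the 365-day cadence, and all asset and risk rows are assumptions constructed for illustration; the page specifies none of them.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed scales and thresholds (the page only says "Likelihood x Impact").
SCALE = range(1, 6)                          # 1 (very low) .. 5 (very high)
ASSESSMENT_CADENCE = timedelta(days=365)     # annual baseline cadence
RISK_BANDS = ((20, "critical"), (12, "high"), (6, "medium"), (1, "low"))


def band(score: int) -> str:
    """Map a Likelihood x Impact score (1..25) onto a qualitative band."""
    for minimum, label in RISK_BANDS:
        if score >= minimum:
            return label
    raise ValueError(f"score out of range: {score}")


@dataclass
class Asset:
    """One row of the CUI-aware inventory."""
    name: str
    owner: str
    location: str          # e.g. "on-prem", "SaaS"
    data_type: str         # "CUI" or "non-CUI"
    criticality: int       # 1..5
    last_assessed: date


@dataclass
class Risk:
    """One register row: the identified risk plus its remediation entry."""
    asset: str
    threat: str
    likelihood: int
    impact: int
    owner: str
    action: str
    due: date
    done: bool = False
    residual_likelihood: Optional[int] = None   # re-scored after the fix is verified
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        for value in (self.likelihood, self.impact):
            if value not in SCALE:
                raise ValueError(f"likelihood/impact must be in 1..5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        """Inherent score until the risk has been re-scored after remediation."""
        if self.residual_likelihood is None or self.residual_impact is None:
            return self.score
        return self.residual_likelihood * self.residual_impact


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Highest inherent score first; earlier due date breaks ties."""
    return sorted(risks, key=lambda r: (-r.score, r.due))


def overdue_actions(risks: List[Risk], today: date) -> List[Risk]:
    """Open remediation items whose target date has passed."""
    return [r for r in risks if not r.done and r.due < today]


def reassessment_due(assets: List[Asset], today: date,
                     cadence: timedelta = ASSESSMENT_CADENCE) -> List[Asset]:
    """CUI assets whose last assessment is at least one cadence old."""
    return [a for a in assets
            if a.data_type == "CUI" and today - a.last_assessed >= cadence]


def summarize(risks: List[Risk]) -> Dict[str, int]:
    """Count of risks per residual band, for the leadership report."""
    counts: Dict[str, int] = {}
    for r in risks:
        counts[band(r.residual_score)] = counts.get(band(r.residual_score), 0) + 1
    return counts


# Constructed sample data modelled on the BrightWorks example below (not real data).
TODAY = date(2024, 6, 1)
ASSETS = [
    Asset("proj-fileserver-01", "IT lead", "on-prem", "CUI", 5, date(2023, 5, 15)),
    Asset("cloud-collab", "IT lead", "SaaS", "CUI", 4, date(2024, 1, 10)),
    Asset("marketing-share", "Marketing", "on-prem", "non-CUI", 2, date(2022, 1, 1)),
]
RISKS = [
    Risk("proj-fileserver-01", "ransomware", 4, 5, "IT lead",
         "test restore from off-site backup", date(2024, 7, 1)),
    Risk("local-backups", "unencrypted backup media stolen", 3, 4, "IT lead",
         "encrypt local backups", date(2024, 3, 31), done=True,
         residual_likelihood=1, residual_impact=4),
    Risk("cloud-collab", "contractor account over-permissioned", 3, 3, "Security owner",
         "reduce contractor permissions to project folders", date(2024, 4, 30)),
    Risk("cloud-collab", "sharing misconfiguration exposes CUI", 2, 4, "Security owner",
         "restrict external sharing", date(2024, 8, 15)),
]

if __name__ == "__main__":
    for r in prioritize(RISKS):
        print(f"{band(r.score):8} {r.score:2}  {r.asset}: {r.threat} -> {r.owner}, due {r.due}")
    print("overdue:", [r.threat for r in overdue_actions(RISKS, TODAY)])
    print("reassess:", [a.name for a in reassessment_due(ASSETS, TODAY)])
    print("residual bands:", summarize(RISKS))
```

Two design points carry over to a spreadsheet just as well: the residual score defaults to the inherent score until someone records a re-score, so an unverified fix never lowers the reported risk on its own, and the reassessment check keys off the inventory's last-assessed date, which is the record an assessor will ask for when checking that the defined frequency was actually met.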
Example in a Small or Medium Business
BrightWorks Engineering is a 45-person design firm that occasionally handles CUI from a defense contractor. They set an annual risk assessment schedule and added immediate reassessments for any contract changes or after security incidents. The IT lead created a CUI inventory showing which project folders, on-prem file servers, and a selected cloud collaboration service store CUI. Using a simple Likelihood x Impact template, the security owner and system administrator identified top threats (ransomware, accidental disclosure, and cloud misconfiguration) and documented existing controls (encrypted drives, off-site backups, and MFA for cloud access). The assessment flagged that local backups were not encrypted and that a contractor account had excessive permissions; the team assigned owners and deadlines to encrypt backups and reduce permissions. They documented the report, presented it to management, and added remediation items to their ticket tracker. After implementing changes, BrightWorks scheduled a follow-up review in six months and committed to an annual formal reassessment thereafter.
Summary
By defining assessment frequency, maintaining a CUI-aware inventory, using repeatable templates, involving appropriate staff, and tracking remediation with assigned owners, an SMB can meet RA.L2-3.11.1 in a practical, sustainable way. The combination of clear policy and straightforward technical steps (scoped assessment, documented findings, prioritized remediation, and continuous monitoring) turns periodic risk assessment from a compliance checkbox into an actionable risk management cycle that protects operations, assets, and people handling CUI.