Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - RA.L2-3.11.3 - Remediate vulnerabilities in accordance with risk assessments.
Understanding the Requirement
This control requires that an organization not only identify vulnerabilities but prioritize and remediate them based on the results of a risk assessment. Under the NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 framework, you must track discovered vulnerabilities, apply mitigation where appropriate (patching, configuration changes, compensating controls), and formally document both remediation actions and any accepted residual risk so that the most critical issues are closed first and nothing is lost in the process.
Technical Implementation
- Establish a regular scanning cadence and asset inventory. Maintain an up-to-date inventory of hardware, software, and cloud services and run authenticated vulnerability scans at least monthly (or more often for internet-facing assets). Tie each scan result to an asset owner so remediation has a clear accountable party.
- Perform a risk-based triage of findings. Map scanner severity to business impact and exploitability (e.g., critical asset + remote code execution = high priority). Use a simple risk matrix (Likelihood x Impact) so non-technical decision makers can approve prioritized actions quickly.
- Use a POA&M to document remediation and exceptions. Create a Plan of Action and Milestones (POA&M) entry for every finding: include description, risk rating, remediation steps, assigned owner, target completion date, and status. Record accepted risks with justification and compensating controls.
- Apply fixes in a controlled manner. For software/OS patches, follow a small staging/test → deploy → verify workflow. For configuration changes, use change control with backout plans. Automate patch deployment where possible to reduce manual effort and time-to-remediate.
- Measure and report progress. Track key metrics such as mean time to remediate (MTTR) by severity, percent of critical vulnerabilities remediated within SLA, and open POA&M items. Review these in regular security or IT ops meetings and escalate overdue items to leadership.
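As an added illustration of the triage, POA&M and metrics steps above (example code, not part of the original guidance), the script below scores constructed findings on a 3x3 Likelihood x Impact matrix, builds POA&M rows with SLA-derived target dates, and computes MTTR per rating plus the share of closed items inside SLA. The SLA day counts, matrix cut-offs and sample findings are assumptions chosen to mirror the page's SMB example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
# Assumed SLA (days to remediate) per risk rating; 2 and 30 days echo the page's example.
SLA_DAYS = {"high": 2, "medium": 14, "low": 30}

@dataclass
class Finding:
    asset: str
    owner: str                 # accountable party from the asset inventory
    description: str
    remote_exploitable: bool   # scanner/CVSS says the flaw is reachable over the network
    internet_facing: bool      # asset is exposed to the internet
    asset_impact: int          # 1 = low, 2 = moderate, 3 = critical (e.g. hosts customer data)
    found_on: date
    closed_on: Optional[date] = None

def likelihood(f: Finding) -> int:
    """1-3: network-exploitable flaws on internet-facing assets are the most likely to be hit."""
    return 1 + int(f.remote_exploitable) + int(f.remote_exploitable and f.internet_facing)

def risk_rating(f: Finding) -> str:
    """Likelihood x Impact on a 3x3 matrix: 6-9 high, 3-5 medium, 1-2 low (assumed cut-offs)."""
    score = likelihood(f) * f.asset_impact
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def poam_entry(f: Finding) -> dict:
    """One POA&M row; the target date is found_on plus the SLA for the computed rating."""
    rating = risk_rating(f)
    return {"asset": f.asset, "description": f.description, "risk_rating": rating,
            "owner": f.owner, "target_date": f.found_on + timedelta(days=SLA_DAYS[rating]),
            "status": "verified" if f.closed_on else "open"}

def metrics(findings: list) -> dict:
    """MTTR in days per rating over closed items, share of closed items inside SLA, open count."""
    closed = [((f.closed_on - f.found_on).days, risk_rating(f)) for f in findings if f.closed_on]
    mttr = {}
    for rating in SLA_DAYS:
        days = [d for d, r in closed if r == rating]
        mttr[rating] = sum(days) / len(days) if days else None
    in_sla = [d <= SLA_DAYS[r] for d, r in closed]
    return {"mttr_days": mttr, "open_items": len(findings) - len(closed),
            "pct_within_sla": 100 * sum(in_sla) / len(in_sla) if in_sla else None}

# Constructed sample findings modelled on the page's SMB scenario (not real scan output).
SCAN = date(2024, 3, 1)
FINDINGS = [
    Finding("web-01", "sysadmin", "Unpatched web server", True, True, 3, SCAN, date(2024, 3, 2)),
    Finding("dev-07", "app owner", "Outdated third-party library", True, False, 2, SCAN),
    Finding("files-02", "sysadmin", "Missing SMB hardening setting", False, False, 1, SCAN, date(2024, 3, 20)),
]
```

Feeding real scanner exports into `Finding` and reviewing `metrics(FINDINGS)` at the monthly meeting gives the MTTR-by-severity and within-SLA figures the control asks you to report.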
Example in a Small or Medium Business
A 60-person engineering firm runs monthly authenticated vulnerability scans against its on-prem servers and cloud workloads. The scans flag several issues: an unpatched web server, an outdated third-party library on a development host, and low-severity missing SMB settings on a file server. The IT manager maps the findings to business risk and identifies the web server as high priority because it hosts customer data and is internet accessible. They create POA&M entries for each item, assign the web server remediation to a system administrator with a two-day SLA, schedule the library update in the next sprint, and document a compensating network segmentation rule for the file server with a 30-day remediation target. The team tests the web server patch in a staging environment, deploys it after smoke tests, and updates the POA&M to "verified." For the third-party library, they also record that an application owner accepted a short delay because of planned code changes, capturing the acceptance rationale and residual risk. At the monthly leadership review, the IT manager presents MTTR and current POA&M status and requests additional contractor support to accelerate backlog items.
Summary
Meeting RA.L2-3.11.3 combines policy and practical steps: adopt a repeatable scanning schedule, perform risk-based triage, document remediation and exceptions in a POA&M, apply fixes through controlled processes, and measure progress with clear metrics. For SMBs this approach keeps remediation focused on the most business-impacting vulnerabilities, creates accountability through assigned owners and deadlines, and preserves an audit trail of accepted risks so you can demonstrate compliance and maintain a manageable security posture.