
How to Prioritize and Remediate Vulnerabilities Using Risk Assessments — NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - RA.L2-3.11.3

Learn practical steps to prioritize and remediate vulnerabilities using risk assessments to meet NIST SP 800-171 Rev.2 and CMMC 2.0 Level 2 RA.L2-3.11.3 compliance.

April 21, 2026
4 min read


RA.L2-3.11.3 requires organizations to prioritize and remediate vulnerabilities using informed risk assessments — not simply by blind CVSS numbers — so that resources focus on reducing real risk to Controlled Unclassified Information (CUI) and mission-critical systems; this post lays out a step-by-step, practical approach for small businesses implementing CMMC 2.0 Level 2 / NIST SP 800-171 Rev.2 alignment.

Why this control matters — the risk of not implementing

Failing to prioritize and remediate vulnerabilities based on risk exposes small businesses to targeted attacks that can lead to CUI loss, contract termination, regulatory penalties, and expensive incident response. For example, a 30-person defense subcontractor that applies patches only when a scanner flags an item may miss an exploitable internet-facing zero-day on an unpatched VPN appliance — an attacker can pivot to CUI, and the organization can lose DoD work. Compliance is also about evidence: auditors will want to see a documented risk-based process, remediation SLAs, and records of accepted risk.

Practical implementation steps (Compliance Framework specific)

1) Establish and maintain an authoritative asset inventory and classification

Begin with a CMDB or lightweight inventory (CSV + version control) listing system name, owner, business function, location (on-prem, AWS/GCP/Azure), whether it processes/stores/transmits CUI, and technical attributes (OS, public IP, installed apps). Tag assets by criticality (e.g., Critical, High, Medium, Low) using business impact criteria: systems storing CUI or providing mission-critical services = Critical. For small businesses, use AWS Config / Systems Manager inventory, or run an initial discovery with Nmap/Angry IP Scanner and import results into a ticketing system (Jira, ServiceNow, GitHub Issues) or an asset tracker like Snipe-IT.

2) Continuous discovery and vulnerability scanning cadence

Implement vulnerability scanning tuned for risk: internet-facing assets scanned weekly, internal servers monthly, and development environments quarterly. Use a mix of authenticated and unauthenticated scans. Tools: Tenable Nessus/IO, Qualys Free Trial, OpenVAS, or cloud-native tools (AWS Inspector, Azure Security Center). Configure authenticated scans for servers (SSH/WinRM) to get accurate patch-level findings. For containerized workloads, scan images in CI with Trivy or Clair and block builds with critical findings.

3) Use risk-based scoring (don’t rely on raw CVSS alone)

Adopt a risk formula that combines CVSS base score, exploitability (public exploit available? exploit-db/Metasploit), asset criticality, and exposure (internet-facing, privileged access). Example: RiskScore = min(10, CVSS_Base + 2 * AssetCriticality + ExposureModifier), where AssetCriticality maps: Critical=3, High=2, Medium=1, Low=0. ExposureModifier = +2 if internet-facing, +1 if accessible to large user groups. Flag as Critical if RiskScore >= 9. Document and publish the formula in your vulnerability management policy so auditors can trace decisions.

4) Define remediation SLAs and automate workflows

Create measurable SLAs: Critical (RiskScore >= 9): remediate or mitigate within 7 days; High (7–8.9): 14 days; Medium (4–6.9): 30 days; Low (<4): track and remediate as capacity allows. Automate ticket creation from the scanner into your issue tracker with templated remediation steps and owner assignments. For Windows servers, integrate scanner output with WSUS/Intune and use PowerShell DSC or Ansible to push patches; for Linux, use Ansible playbooks. After remediation, require a re-scan within 48–72 hours and close tickets only on verified remediation.
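The scoring formula from step 3 and the SLA bands from step 4, implemented together as an added example (this is illustrative code written for this post, not a tool or script from any scanner or vendor). The finding IDs, asset names and CVSS values are constructed sample data; the `public_exploit` flag is an assumption used only to order findings that share the same score, since the post's formula does not assign it a numeric weight.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# AssetCriticality weights exactly as the post's formula defines them.
CRITICALITY = {"Critical": 3, "High": 2, "Medium": 1, "Low": 0}

# Remediation SLAs in days per severity band. Low has no fixed deadline
# ("track and remediate as capacity allows"), so it maps to None.
SLA_DAYS: dict[str, Optional[int]] = {"Critical": 7, "High": 14, "Medium": 30, "Low": None}


@dataclass(frozen=True)
class Finding:
    finding_id: str            # constructed sample ID, not a real CVE or ticket
    asset: str
    cvss_base: float
    asset_criticality: str     # one of the CRITICALITY keys
    internet_facing: bool = False
    large_user_group: bool = False
    public_exploit: bool = False  # assumed tie-breaker only (not in the post's formula)


def exposure_modifier(f: Finding) -> int:
    """+2 if internet-facing, +1 if reachable by a large user group (cumulative)."""
    return (2 if f.internet_facing else 0) + (1 if f.large_user_group else 0)


def risk_score(f: Finding) -> float:
    """RiskScore = min(10, CVSS_Base + 2 * AssetCriticality + ExposureModifier)."""
    raw = f.cvss_base + 2 * CRITICALITY[f.asset_criticality] + exposure_modifier(f)
    return round(min(10.0, raw), 1)


def severity(score: float) -> str:
    """Map a RiskScore to the post's SLA bands (Critical >= 9, High 7-8.9, ...)."""
    if score >= 9:
        return "Critical"
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def due_date(sev: str, detected: date) -> Optional[date]:
    """Remediation deadline from the detection date, or None when no SLA applies."""
    days = SLA_DAYS[sev]
    return detected + timedelta(days=days) if days is not None else None


def prioritize(findings: list[Finding], detected: date) -> list[dict]:
    """Score every finding and return the remediation queue, highest risk first."""
    rows = []
    for f in findings:
        score = risk_score(f)
        sev = severity(score)
        rows.append({
            "finding_id": f.finding_id, "asset": f.asset, "cvss_base": f.cvss_base,
            "risk_score": score, "severity": sev, "due": due_date(sev, detected),
            "public_exploit": f.public_exploit,
        })
    # Highest score first; among equal scores, findings with a public exploit first.
    return sorted(rows, key=lambda r: (-r["risk_score"], not r["public_exploit"]))


def overdue(queue: list[dict], today: date) -> list[str]:
    """IDs of findings whose SLA deadline has passed (Low findings never are)."""
    return [r["finding_id"] for r in queue if r["due"] is not None and today > r["due"]]


# Constructed sample scan results. Note F-003: a CVSS 4.3 finding on a High-criticality
# CUI file server reachable by all staff outranks F-005's CVSS 6.5 on a Medium asset.
SAMPLE_FINDINGS = [
    Finding("F-001", "vpn-edge-01", 7.5, "Critical", internet_facing=True, public_exploit=True),
    Finding("F-002", "dev-build-02", 5.0, "Low"),
    Finding("F-003", "fileserver-cui-01", 4.3, "High", large_user_group=True),
    Finding("F-004", "ws-reception", 3.1, "Low"),
    Finding("F-005", "hr-app-01", 6.5, "Medium"),
]

if __name__ == "__main__":
    queue = prioritize(SAMPLE_FINDINGS, date(2026, 4, 21))
    for r in queue:
        print(f'{r["finding_id"]} {r["asset"]:<18} CVSS {r["cvss_base"]:<4} '
              f'Risk {r["risk_score"]:<4} {r["severity"]:<8} due {r["due"]}')
    print("Overdue on 2026-05-01:", overdue(queue, date(2026, 5, 1)))
```

Because the scoring function is a few lines of plain arithmetic, it can be pasted into the vulnerability management policy alongside the formula text, which gives an auditor a direct line from the published rule to the ticket priorities the scanner integration produces.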

5) Document risk acceptance and compensating controls

Not all vulnerabilities can be patched immediately (legacy software, vendor dependencies). Implement a formal risk acceptance process: require a written waiver containing justification, compensating controls (network segmentation, MFA, restricted ACLs), expiration date (e.g., 90 days), and approval from an Authorizing Official. Example: a legacy SCADA device cannot be patched; isolate it on a VLAN, restrict admin access to jump servers with MFA, and schedule a replacement roadmap with budgeted dates. Retain all approvals as evidence for compliance audits.

Operational details, metrics, and integrations

Track and report metrics: Mean Time To Remediate (MTTR) by severity, percent of assets with critical findings, age distribution of open vulnerabilities, and trends per month. Integrate vulnerability data with SIEM (Splunk/Elastic) and EDR (CrowdStrike, Microsoft Defender) to detect active exploitation. For small teams, a dashboard in Grafana fed by periodic exports from scanners is a low-cost visibility solution. Maintain scan logs, ticket histories, and signed risk acceptances for at least the retention period required by your contract (often 3–5 years for DoD-related work).

Compliance tips and best practices

Keep the process simple and repeatable: document the vulnerability management policy, run table-top exercises for incident scenarios tied to high-risk findings, and train system owners on remediation expectations. Use playbooks for common remediation actions (apply patch KB, disable service, rotate credential) that technicians can follow. During audits, present the CMDB, scan schedules, sample tickets, re-scan evidence, and risk acceptance artifacts. Automate wherever possible but ensure human review for high-risk decisions.

In summary, meeting RA.L2-3.11.3 means building a risk-based vulnerability management program that links asset criticality, threat/exploitability intelligence, and measurable remediation SLAs — documented, auditable, and repeatable. For a small business, start with a clear inventory, pragmatic scanning cadence, a documented scoring and SLA system, automated ticketing, and a formal risk acceptance workflow; these elements reduce exposure to real threats and provide the compliance evidence required for NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2.
