Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of “Controlled Unclassified Information” (CUI).

Risk arises from anything that can reduce an organization’s assurance of mission/business success; cause harm to image or reputation; or harm individuals, other organizations, or the Nation. By assessing risks to your organization you can devise plans to mitigate identified risks.

Conduct a risk assessment to identify risks to your company's business operations. This includes reviewing how common threats such as natural disasters and cyber attacks can impact your business operations and your “Controlled Unclassified Information” (CUI). Document your findings in a risk assessment report. Periodically perform risks assessments, perhaps annually.