
Practical Checklist to Meet NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - RA.L2-3.11.1: Periodic Risk Assessment of Operations, Assets and Individuals

A concise, actionable checklist to implement RA.L2-3.11.1—periodic risk assessments of operations, assets, and individuals—to help small businesses meet NIST SP 800-171 Rev.2 and CMMC 2.0 Level 2 requirements.

April 21, 2026
4 min read


This post gives a concrete, actionable checklist to satisfy RA.L2-3.11.1 (Periodic Risk Assessment of Operations, Assets and Individuals) under NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 with practical implementation advice for organizations following the Compliance Framework practice model.

What RA.L2-3.11.1 Requires and Key Objectives

At a high level, RA.L2-3.11.1 requires you to periodically assess the risk to organizational operations (including mission, functions, image, and reputation), organizational assets, and individuals that results from operating your systems and from the processing, storage, and transmission of CUI on them. In practice that means evaluating how your business processes, your hardware, software and cloud services (especially CUI-bearing assets), and your personnel expose CUI to loss of confidentiality, integrity, or availability, and how existing controls reduce that exposure. NIST SP 800-171A checks this control on two points: that the assessment frequency is defined, and that the assessment is actually performed at that frequency, so a written cadence is part of the evidence. The key objectives are to (1) identify and document assets and people with access to Controlled Unclassified Information (CUI), (2) assess threats and vulnerabilities to those assets and individuals, (3) rate likelihood and impact, and (4) produce prioritized mitigation plans and evidence for assessors and stakeholders.

Scoping: Define Operations, Assets and Individuals

Start by scoping: map operational processes (e.g., order processing, contract execution), list all technical assets (endpoints, servers, cloud workloads, mobile devices, backups), and catalog individuals and roles with CUI access (employees, contractors, third-party vendors). For small businesses, a practical approach is to maintain a single "CUI Inventory" spreadsheet or CMDB entry that tags each asset with: owner, location, CUI type, connectivity, and criticality. Example: a 25-person contractor might discover that a shared Dropbox account and two sales laptops are the only CUI-bearing assets—scope can be intentionally small but must be documented.

Practical Implementation Checklist (Step-by-step)

Use the following checklist as an operational sequence. Each step includes technical detail and an example for a small business:

  • Inventory and Classification — Build an asset list (automate discovery with an inventory agent such as OCS Inventory or a network scan with Nmap, then add manual entries for cloud services that scans will not see). Classify assets by CUI sensitivity (High/Medium/Low) and record which users have access to each. Example: tag sales-laptop-03 as "CUI: contract data (Medium)".
  • Threat and Vulnerability Identification — Run authenticated vulnerability scans (Nessus/OpenVAS/Qualys) on asset groups and review threat intel feeds relevant to your tech stack (e.g., Microsoft 365, AWS). Log recent incidents and vendor advisories.
  • Risk Analysis — Use a simple risk matrix (Likelihood x Impact) for process and personnel risks and a CVSS-based threshold for technical findings (e.g., CVSS >=7 = High priority). A CVSS base score says nothing about what the host stores or whether it is reachable, so combine it with the asset's CUI sensitivity and exposure before fixing the final priority. For business impact, define categories like operational downtime, contract loss, or regulatory penalties with dollar/time estimates where possible.
  • Assign Owners and Acceptability — Assign risk owners (system owner, process owner, HR for personnel risk) and document acceptable residual risk and timelines for remediation (e.g., 30 days for High technical findings, 90 days for Medium).
  • Mitigation and Controls — Produce remediation plans that include technical fixes (patching, MFA, endpoint detection and response (EDR)), administrative controls (role reviews, least privilege), and physical controls (secure storage of CUI hardcopies).
  • Evidence and Reporting — Capture artifacts: updated inventory, scan reports, risk register, remediation tickets, acceptance memos. Prepare a short executive summary for management and a technical appendix for auditors.
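To make the scoring, ownership and deadline steps above concrete, here is a small Python script, added as an example for this post and not taken from any scanner, ticketing tool or the Compliance Framework itself. It applies the CVSS >= 7 rule and a 1-5 likelihood x impact matrix to a handful of constructed findings, raises the priority of findings on High-sensitivity CUI assets, assigns the 30-day and 90-day remediation windows, flags overdue and unowned items, and exports the dated register as CSV. The matrix cut-offs, the 180-day window for Low findings, the criticality bump and the sample findings are all assumptions for illustration.

```python
"""Risk register triage for RA.L2-3.11.1 (added example, not from the original post).

Scores findings from the checklist, assigns deadlines and flags what an
assessor would ask about. Thresholds are assumptions and are marked inline.
"""
import csv
import io
from datetime import date, timedelta

# Remediation timelines from the checklist (30 days High, 90 days Medium);
# the 180-day Low window is an assumption added for completeness.
SLA_DAYS = {"High": 30, "Medium": 90, "Low": 180}

# Likelihood x Impact matrix cut-offs (assumed; tune to your risk appetite).
MATRIX_HIGH, MATRIX_MEDIUM = 15, 8

ASSESSMENT_DATE = date(2026, 4, 21)  # assumed "today" for the sample run


def priority_from_cvss(cvss: float) -> str:
    """CVSS v3 base score to priority, using the post's >=7 = High rule."""
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def priority_from_matrix(likelihood: int, impact: int) -> str:
    """1-5 x 1-5 matrix for process and personnel risks that have no CVSS score."""
    score = likelihood * impact
    if score >= MATRIX_HIGH:
        return "High"
    if score >= MATRIX_MEDIUM:
        return "Medium"
    return "Low"


def rate(finding: dict) -> str:
    """Pick the scoring method, then raise by one step when the asset holds
    High-sensitivity CUI. The bump is an assumption: a CVSS base score ignores
    what the host actually stores."""
    if finding.get("cvss") is not None:
        prio = priority_from_cvss(finding["cvss"])
    else:
        prio = priority_from_matrix(finding["likelihood"], finding["impact"])
    if finding.get("cui_sensitivity") == "High" and prio != "High":
        prio = {"Low": "Medium", "Medium": "High"}[prio]
    return prio


def triage(findings: list[dict], today: date) -> list[dict]:
    """Return the register sorted by urgency, with due dates, overdue and unowned flags."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    rows = []
    for f in findings:
        prio = rate(f)
        due = f["opened"] + timedelta(days=SLA_DAYS[prio])
        rows.append({
            "id": f["id"],
            "asset": f["asset"],
            "finding": f["finding"],
            "priority": prio,
            "owner": f.get("owner") or "",
            "opened": f["opened"].isoformat(),
            "due": due.isoformat(),
            "overdue": today > due and f.get("status") != "closed",
            "unowned": not f.get("owner"),
        })
    rows.sort(key=lambda r: (order[r["priority"]], r["due"]))
    return rows


def to_csv(rows: list[dict]) -> str:
    """Dated register export: the artifact for the 'Evidence and Reporting' step."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample findings for a small contractor (not real scan data).
SAMPLE_FINDINGS = [
    {"id": "R-1", "asset": "sales-laptop-03", "cui_sensitivity": "Medium",
     "finding": "Unpatched browser, CVE from monthly scan", "cvss": 8.8,
     "owner": "IT lead", "opened": date(2026, 3, 1), "status": "open"},
    {"id": "R-2", "asset": "shared-dropbox", "cui_sensitivity": "High",
     "finding": "Weak sharing defaults on CUI folder", "cvss": 5.3,
     "owner": None, "opened": date(2026, 4, 1), "status": "open"},
    {"id": "R-3", "asset": "contract-execution process", "cui_sensitivity": "Medium",
     "finding": "Single person holds all signing authority",
     "likelihood": 2, "impact": 4,
     "owner": "COO", "opened": date(2026, 4, 10), "status": "open"},
    {"id": "R-4", "asset": "backup-nas", "cui_sensitivity": "Low",
     "finding": "Backups not encrypted at rest", "likelihood": 2, "impact": 2,
     "owner": "IT lead", "opened": date(2025, 9, 1), "status": "closed"},
]


def run_sample() -> list[dict]:
    """Triage the constructed findings as of the assumed assessment date."""
    return triage(SAMPLE_FINDINGS, ASSESSMENT_DATE)


if __name__ == "__main__":
    print(to_csv(run_sample()))
```

Run it with a fixed assessment date so the overdue flags are reproducible, and file the CSV next to the scan reports it was built from; an assessor will want to match the register's date against the risk review meeting minutes and the remediation tickets. Note that R-2 lands at High despite a Medium CVSS because the asset holds High-sensitivity CUI, which is exactly the adjustment a bare scanner export will not make for you.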

Personnel and Insider Risk: Practical Measures

Personnel risk is integral to RA.L2-3.11.1. Implement role-based access control (RBAC), periodic privileged access reviews, and least-privilege policies. For small businesses, perform quarterly privileged account reviews: list every privileged identity (including service accounts), validate that each still needs the privilege, and remove what is not needed. Back this with technical controls: enforce MFA on all accounts that access CUI, enable account activity logging (Microsoft Entra ID, formerly Azure AD, or Google Workspace audit logs), and maintain an HR-linked offboarding checklist that revokes access the day employment ends. At each review, reconcile the HR roster against the identity provider's user list so that a terminated employee's still-enabled account cannot slip through.
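The quarterly review can be scripted rather than done by eye. The Python below is an added example for this post, not code from the post, from the Compliance Framework, or from any identity vendor: it reconciles a constructed identity-provider user export against a constructed HR roster and reports the four conditions a reviewer would act on (terminated-but-enabled accounts, CUI access without MFA, privileged identities with no HR owner, and privileged accounts idle for 90 days). The column names, the privileged role list and the 90-day threshold are assumptions; map them to the fields of your Entra ID or Google Workspace export.

```python
"""Quarterly privileged access review (added example, not from the original post).

Reconciles an identity-provider user export against the HR roster and emits
review findings. Column names, role names and thresholds are assumptions.
"""
import csv
import io
from datetime import date, timedelta

# Roles treated as privileged (assumed list; extend with your IdP's role names).
PRIVILEGED_ROLES = {"Global Administrator", "Domain Admin", "Billing Admin"}
STALE_AFTER = timedelta(days=90)  # assumed threshold for idle privileged accounts
REVIEW_DATE = date(2026, 4, 21)   # assumed review date for the sample run

# Constructed IdP export: one row per account (not a real tenant).
IDP_EXPORT = """\
user,enabled,mfa_enrolled,roles,cui_access,last_sign_in
alice@example.com,true,true,Global Administrator,yes,2026-04-15
bob@example.com,true,false,Domain Admin;User,yes,2026-04-10
carol@example.com,true,true,User,yes,2026-04-18
dave@example.com,true,true,User,no,2026-01-05
svc-backup@example.com,true,true,Domain Admin,yes,2025-12-01
erin@example.com,false,false,User,yes,2026-02-01
"""

# Constructed HR roster: employment status per person (service accounts are absent).
HR_ROSTER = """\
user,status,termination_date
alice@example.com,active,
bob@example.com,active,
carol@example.com,active,
dave@example.com,terminated,2026-03-31
erin@example.com,terminated,2026-02-01
"""


def parse(csv_text: str) -> list[dict]:
    """Read a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def review(idp_csv: str, hr_csv: str, as_of: date) -> list[dict]:
    """Return review findings, each {'user', 'check', 'detail'}; disabled accounts are skipped."""
    hr = {row["user"]: row for row in parse(hr_csv)}
    findings = []
    for acct in parse(idp_csv):
        user = acct["user"]
        if acct["enabled"] != "true":
            continue  # already disabled: nothing to revoke
        mfa = acct["mfa_enrolled"] == "true"
        roles = set(acct["roles"].split(";"))
        privileged = bool(roles & PRIVILEGED_ROLES)
        last = date.fromisoformat(acct["last_sign_in"])
        person = hr.get(user)

        # Offboarding gap: HR says terminated but the account is still enabled.
        if person and person["status"] == "terminated":
            findings.append({"user": user, "check": "terminated-still-enabled",
                             "detail": f"terminated {person['termination_date']}"})
        # MFA on every account that can reach CUI, privileged or not.
        if acct["cui_access"] == "yes" and not mfa:
            findings.append({"user": user, "check": "cui-access-without-mfa",
                             "detail": ";".join(sorted(roles))})
        # Privileged identities need a named owner; service accounts often have none.
        if privileged and person is None:
            findings.append({"user": user, "check": "privileged-no-hr-owner",
                             "detail": "not in HR roster; assign an owner or remove"})
        # Privileged and idle: a least-privilege removal candidate.
        if privileged and as_of - last > STALE_AFTER:
            findings.append({"user": user, "check": "privileged-stale",
                             "detail": f"last sign-in {last.isoformat()}"})
    return findings


def run_sample() -> list[dict]:
    """Review the constructed exports as of the assumed review date."""
    return review(IDP_EXPORT, HR_ROSTER, as_of=REVIEW_DATE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['check']:26} {f['user']:24} {f['detail']}")
```

Keep the two input exports and the script's output together as the evidence for that quarter's review; a dated output that shows zero findings is still evidence that the review ran. The svc-backup account is the case worth noticing: it has MFA and a privileged role, so a per-user checklist would pass it, but it has no HR owner and has not signed in for months, which is precisely the kind of orphaned privilege an assessor will ask about.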

Cadence, Tools, and Evidence — How Often and With What

Define a cadence: at minimum, perform a full risk assessment annually with targeted interim reviews quarterly or after major changes (new systems, mergers, incidents). Technical tasks: monthly automated vulnerability scans, weekly log review for high-risk alerts in your SIEM or consolidated logging (e.g., Splunk/ELK/CloudWatch), and quarterly tabletop exercises. Produce evidence: dated scan outputs, signed risk register entries, meeting minutes from risk review boards, and tickets in your ITSM tool showing remediation work.

Compliance Tips, Best Practices and Risks of Non-Compliance

Best practices: keep the process simple and repeatable—use templates (risk register, remediation plan), automate data collection where possible, and tie risk assessment outputs to change management and procurement. Prioritize controls that reduce attack surface quickly: enforce MFA, automate patching for critical CVEs, segment networks to reduce lateral movement, and use EDR for endpoint visibility. The risk of not implementing RA.L2-3.11.1 includes undetected CUI exposure, failed audits, loss of DoD contracts, and increased likelihood of breaches; for a small business, one compromised contractor laptop could result in contract termination or financial penalties that exceed the company's annual profit.

Summary

Meeting RA.L2-3.11.1 is achievable for small and mid-sized organizations if you follow a scoped, repeatable process: define scope, inventory and classify assets and users, identify threats and vulnerabilities, score and assign risk owners, implement prioritized mitigations, and maintain evidence on a defined cadence. Use lightweight automation for scans and logging, keep templates for repeatability, and ensure personnel controls are part of the assessment—this practical checklist aligns with the Compliance Framework approach and will help you produce defensible, auditable results for NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2.

 
