This post walks through a practical, actionable implementation of RA.L2-3.11.1 (NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2) — the requirement to perform periodic risk assessments focused on Controlled Unclassified Information (CUI) — including templates you can adopt, tools to run scans and gather evidence, and small-business examples that show how to meet assessor expectations.
Step-by-step approach (high level)
Begin with a repeatable process: (1) identify and scope CUI and the systems that store/process/transmit it, (2) build an asset inventory that maps to CUI repositories, (3) identify threats and vulnerabilities (technical and non‑technical), (4) score likelihood and impact and compute risk ratings, (5) prioritize controls and document remediation in a POA&M, and (6) produce artifacts (risk register, scan reports, meeting notes) to demonstrate periodic assessments and management review. These steps align directly to RA.L2-3.11.1 expectations and must be repeated on a scheduled basis and after major changes.
1) Identify & scope CUI (templates and practical discovery)
Use a simple AssetInventory_CUI.csv (columns: AssetID, Hostname/CloudPath, Owner, CUI_Type, DataFlow, Location, RiskOwner, LastScanDate). For a small defense supplier this might mean scanning Microsoft 365 for folders that contain design drawings (.dwg, .pdf), shared links, and cloud buckets. Practical discovery tips: run an index search for likely CUI file extensions and keywords, use cloud provider APIs (AWS S3: aws s3api list-buckets && aws s3api list-objects --bucket
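As an added example of the index-search step (not code from the post), the Python below walks a file share, flags files either by the extensions above or by a CUI marking in their first 64 KiB, and emits rows using AssetInventory_CUI.csv's column names. The marking regex, the "marked"/"suspected" labels and the sample directory tree are assumptions.

```python
import os
import re
import tempfile
from datetime import date

# Extensions from the post; the marking regex is an assumption (word-bounded so "circuit" does not match "CUI").
CUI_EXTENSIONS = {".dwg", ".pdf"}
CUI_MARKING = re.compile(r"\b(CUI|CONTROLLED UNCLASSIFIED|ITAR|EXPORT[ -]CONTROLLED)\b")

def classify(path, head_bytes=64 * 1024):
    """Return 'marked' if a CUI marking appears in the first 64 KiB, 'suspected' on extension alone, else None."""
    try:
        with open(path, "rb") as fh:
            text = fh.read(head_bytes).decode("utf-8", errors="ignore").upper()
    except OSError:
        return None  # unreadable files still need a manual look; callers can log the path
    if CUI_MARKING.search(text):
        return "marked"
    return "suspected" if os.path.splitext(path)[1].lower() in CUI_EXTENSIONS else None

def discover_cui(root, owner="unassigned", location="on-prem file share"):
    """Walk root and build AssetInventory_CUI.csv rows (post's column names) for files that look like CUI."""
    rows = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            label = classify(path)
            if label:
                rows.append({"AssetID": f"FS-{len(rows) + 1:04d}", "Hostname/CloudPath": os.path.relpath(path, root),
                             "Owner": owner, "CUI_Type": label, "DataFlow": "at rest", "Location": location,
                             "RiskOwner": owner, "LastScanDate": date.today().isoformat()})
    return rows

def demo_tree():
    """Constructed sample share: one drawing (extension hit), one marked text file, one benign file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "eng"))
    with open(os.path.join(root, "eng", "bracket.dwg"), "wb") as f:
        f.write(b"stub drawing bytes")
    with open(os.path.join(root, "eng", "spec.txt"), "w") as f:
        f.write("CUI - export controlled assembly spec, do not share outside the program")
    with open(os.path.join(root, "readme.txt"), "w") as f:
        f.write("Printed circuit board lunch-and-learn notes")  # 'circuit' must not trip the CUI regex
    return root

if __name__ == "__main__":
    for row in discover_cui(demo_tree()):
        print(row["AssetID"], row["CUI_Type"], row["Hostname/CloudPath"])
```

Extension-only hits are a triage queue, not a verdict: a reviewer still confirms each "suspected" file before it goes into the inventory.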
2) Identify threats and vulnerabilities — tools and technical details
Combine automated scans with manual review. Network/host discovery: nmap -sV -p- 10.0.0.0/24 to find listening services; vulnerability scanning with OpenVAS or Nessus for CVE discovery; web app checks with OWASP ZAP. Use Shodan to find your own internet-exposed assets. Map each CVE to a CVSS v3 base score and capture the vector string. Example: an internet-exposed VPN appliance with a CVSS 9.8 finding should be treated as high risk to CUI. For small businesses, run authenticated scans where possible (credentialed Nessus/OpenVAS scans) to reveal missing patches and misconfigurations. Include non-technical threats: phishing susceptibility (use phishing simulation results), insider risk (access reviews), and supply chain vendor weaknesses.
3) Risk scoring, prioritization and templates
Adopt a simple risk formula: Risk = Likelihood (1-5) * Impact (1-5). Use CVSS thresholds to inform likelihood and impact (e.g., CVSS >=9 => Likelihood 5 / Impact 5 for internet‑exposed CUI systems). Provide a RiskRegister.xlsx with fields: RiskID, Description, AssetID, ThreatSource, Vulnerability/CVE, CVSS, Likelihood(1-5), Impact(1-5), RiskScore, Priority, ProposedMitigation, POA&M_ID, Status, ReviewDate. Example scoring: Likelihood 4 x Impact 5 = 20 (High). Prioritize remediation by risk score and business impact on CUI handling — patching high CVSS exposed systems, adding MFA to remote access, and isolating CUI stores on segmented VLANs/cloud subnets.
4) Documenting remediation, residual risk, and evidence for assessment
Produce a POA&M_Template.docx that ties each risk to a specific control action, owner, milestone, and estimated completion date. For CMMC assessors you'll need: the System Security Plan (SSP) updated with the assessment date and scope, the Risk Register, POA&M entries, raw scan reports (Nessus/OpenVAS), meeting minutes showing risk acceptance by leadership, and change logs showing applied mitigations. Schedule assessments at least annually and after major changes (new contracts, cloud migrations, breaches) — RA.L2-3.11.1 expects periodic evaluation and traceability from discovery to mitigation.
5) Compliance tips, best practices and small-business scenarios
Practical tips: (a) Start with the highest CUI impact systems — e.g., an engineering file server or a contractor-accessible SharePoint site — and implement segmentation + MFA immediately, (b) automate evidence collection where possible (store scan output in a versioned repository with timestamps), (c) use compensating controls when immediate remediation isn't feasible (temporary access restrictions, enhanced monitoring), and (d) adopt a patch SLA (72 hours for critical). Example scenario: a small subcontractor discovers CUI in a personal Google Drive shared with a subcontracted engineer — immediate steps: revoke sharing, move the CUI into an approved repository, add a DLP rule to block outbound uploads, log the incident, and add a POA&M item to enforce the cloud usage policy and DLP deployment.
6) Tools (budget-conscious and enterprise options) and automation
Recommended low-cost stack: Nmap (discovery), OpenVAS (vuln scanning), OWASP ZAP (web), Google Workspace / Office 365 audit logs, Shodan, and a Google Sheet or Excel risk register. If budget allows: Nessus, Rapid7, Qualys for enterprise scanning; RiskLens / OpenFAIR for quantitative risk modeling; cloud security posture management such as Microsoft Defender for Cloud or AWS Security Hub for continuous findings. Automate recurring scans (cron or CI pipelines), ingest scan results into your risk register, and generate a periodic assessment report (monthly snapshot + annual formal assessment) to show ongoing oversight.
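The scoring rules from section 3 and the "ingest scan results into your risk register" step above, as one added Python example (not the post's own tooling): it joins a scanner export with the asset inventory, applies Risk = Likelihood (1-5) x Impact (1-5) with CVSS >= 9 on an internet-exposed CUI system scoring 5/5, and emits RiskRegister rows. The scan CSV, the asset slice, the placeholder CVE ids, and the exact band thresholds are all assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample of a scanner CSV export (not real Nessus/OpenVAS output; CVE ids are placeholders).
SCAN_CSV = """host,cve,cvss,vector
vpn.example.local,CVE-0000-0001,9.8,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
files.example.local,CVE-0000-0002,7.5,CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
hr-pc-07.example.local,CVE-0000-0003,4.3,CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
"""
# Constructed slice of AssetInventory_CUI.csv: exposure and CUI presence come from the inventory, not the scan.
ASSETS = {
    "vpn.example.local": {"AssetID": "A-001", "exposed": True, "holds_cui": True},
    "files.example.local": {"AssetID": "A-002", "exposed": False, "holds_cui": True},
    "hr-pc-07.example.local": {"AssetID": "A-003", "exposed": False, "holds_cui": False},
}

def cvss_band(cvss):
    """Map a CVSS v3 base score onto the 1-5 scale (assumed ladder; >= 9 gives 5 as in the post)."""
    return 5 if cvss >= 9.0 else 4 if cvss >= 7.0 else 3 if cvss >= 4.0 else 2 if cvss > 0 else 1

def likelihood(cvss, exposed):
    # Internet-exposed systems keep the full band; internal-only ones drop one step (assumption).
    return cvss_band(cvss) if exposed else max(1, cvss_band(cvss) - 1)

def impact(cvss, holds_cui):
    # Assets holding no CUI are capped at 2 so CUI stores sort to the top of the register.
    return cvss_band(cvss) if holds_cui else min(2, cvss_band(cvss))

def priority(score):
    # Bands on the 1-25 product are an assumption; the post's example 4 x 5 = 20 lands in High.
    return "High" if score >= 15 else "Medium" if score >= 8 else "Low"

def build_risk_register(scan_csv=SCAN_CSV, assets=ASSETS):
    """Join scan findings with inventory context; return RiskRegister rows, highest RiskScore first."""
    rows = []
    for n, f in enumerate(csv.DictReader(io.StringIO(scan_csv)), start=1):
        a, cvss = assets[f["host"]], float(f["cvss"])
        lik, imp = likelihood(cvss, a["exposed"]), impact(cvss, a["holds_cui"])
        rows.append({
            "RiskID": f"R-{n:03d}", "AssetID": a["AssetID"], "Vulnerability/CVE": f["cve"], "CVSS": cvss,
            "Description": f"{f['cve']} on {f['host']} ({f['vector']})",
            "ThreatSource": "External (internet-exposed)" if a["exposed"] else "Internal network",
            "Likelihood(1-5)": lik, "Impact(1-5)": imp, "RiskScore": lik * imp, "Priority": priority(lik * imp),
            "ProposedMitigation": "Patch now; add MFA to remote access" if a["exposed"] else "Patch within SLA",
            "POA&M_ID": "", "Status": "Open", "ReviewDate": date.today().isoformat(),
        })
    return sorted(rows, key=lambda r: r["RiskScore"], reverse=True)
```

Write the returned rows out with csv.DictWriter on each scheduled run and commit the dated file alongside the raw scan report so the register and its evidence share a timestamp.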
Risk of not implementing RA.L2-3.11.1: failing to perform focused, documented risk assessments can lead to undiscovered exposures of CUI, contract termination or loss of future DoD work, regulatory penalties, and reputational damage. Practically, an unassessed internet-exposed asset with CUI could be the vector for a breach that results in lost contracts and costly incident response. The compliance expectation is documented, periodic risk management with evidence — not just ad-hoc fixes.
In summary, implement RA.L2-3.11.1 by scoping CUI, using simple templates (AssetInventory_CUI.csv, RiskRegister.xlsx, POA&M_Template.docx), running technical scans with Nmap/OpenVAS/Nessus, scoring risks with a likelihood-impact matrix informed by CVSS, and documenting remediation and leadership review. For small businesses the emphasis should be on repeatability, prioritization, and producing clear artifacts for assessors: a living SSP, a dated risk register, scan outputs, and a POA&M showing tracked remediation and accepted residual risk.