NIST 800-171 • LEVEL 2 • RISK ASSESSMENT

3.11.1 Risk Assessment

Assess the risk (including supply chain risk) of unauthorized disclosure resulting from the processing, storage, or transmission of CUI. Update risk assessments {{ insert: param, A.03.11.01.ODP.01 }}.

CMMC Practice Mapping

NIST 800-53 Controls

Assessment Objectives

  • the risk (including supply chain risk) of unauthorized disclosure resulting from the processing, storage, or transmission of CUI is assessed.
  • risk assessments are updated {{ insert: param, A.03.11.01.ODP.01 }}.

Practitioner Notes

A risk assessment is really just a structured way of asking: "What could go wrong with how we handle CUI, and how bad would it be?" You are looking at your systems, your processes, and even your vendors to figure out where the weak spots are.

Example 1: Use NIST's CSET (Cyber Security Evaluation Tool) to walk through a guided assessment of your network. CSET asks plain-English questions about your environment and generates a risk report with prioritized findings you can hand to leadership.

Example 2: In Microsoft 365, go to the Compliance Center > Compliance Manager. It automatically scores your tenant against NIST 800-171 controls and shows you exactly which settings are increasing your risk -- like whether MFA is enforced or if DLP policies are missing.

Update this assessment at least annually, or any time you make a major change to your environment -- new systems, new vendors, new data flows.
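As an added illustration of the "what could go wrong, and how bad would it be" framing (this is example code written for this page, not part of NIST 800-171, CSET, or Compliance Manager), the following Python builds a small risk register for a CUI environment, scores each entry by likelihood and impact, surfaces supply chain risks in the prioritized list, and decides whether the assessment is due for an update because it is older than a year or a major change has occurred. The assets, threats, scores and dates are constructed sample values, and the 1-5 scale and the high/moderate/low thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Risk:
    """One row of the risk register: a way CUI could be disclosed without authorization."""
    asset: str                 # system, process, or vendor that processes, stores or transmits CUI
    threat: str                # what could go wrong
    likelihood: int            # assumed 1 (rare) .. 5 (almost certain)
    impact: int                # assumed 1 (negligible) .. 5 (severe)
    supply_chain: bool = False # True when the exposure comes through a vendor or service provider
    mitigation: str = ""       # planned or existing control

    def __post_init__(self):
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def score(self) -> int:
        # Simple likelihood x impact scoring (assumed scheme, not mandated by the control)
        return self.likelihood * self.impact


def rating(score: int) -> str:
    """Map a score to a qualitative level using assumed thresholds."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "moderate"
    return "low"


@dataclass
class RiskAssessment:
    assessed_on: date
    risks: list = field(default_factory=list)
    changes_since: list = field(default_factory=list)  # major changes logged after assessed_on

    def prioritized(self):
        """Highest score first; among equal scores, supply chain risks come first."""
        return sorted(self.risks, key=lambda r: (r.score, r.supply_chain), reverse=True)

    def summary(self):
        """(asset, score, rating, supply_chain) tuples in priority order, for a leadership report."""
        return [(r.asset, r.score, rating(r.score), r.supply_chain) for r in self.prioritized()]

    def record_change(self, description: str):
        """Log a major environment change: new system, new vendor, new data flow."""
        self.changes_since.append(description)

    def update_due(self, today: date, max_age_days: int = 365) -> bool:
        """Due when the assessment is older than max_age_days or a major change has been logged."""
        stale = (today - self.assessed_on) > timedelta(days=max_age_days)
        return stale or bool(self.changes_since)


def build_sample_assessment() -> RiskAssessment:
    """Constructed register with made-up entries, dated 2024-06-01."""
    return RiskAssessment(
        assessed_on=date(2024, 6, 1),
        risks=[
            Risk("Email gateway", "CUI attachment forwarded to a personal mailbox", 4, 4,
                 mitigation="DLP policy blocking CUI-labelled attachments to external domains"),
            Risk("Managed service provider", "MSP administrator credentials compromised", 3, 5,
                 supply_chain=True, mitigation="MFA and just-in-time access for vendor admins"),
            Risk("File share", "Overly broad share permissions expose CUI folders", 3, 3,
                 mitigation="Quarterly access review of CUI shares"),
            Risk("Laptop fleet", "Lost laptop with unencrypted local CUI copies", 2, 4,
                 mitigation="Full-disk encryption enforced by policy"),
            Risk("Offsite backups", "Backup media mishandled by courier", 1, 3,
                 supply_chain=True, mitigation="Encrypted backups, chain-of-custody log"),
        ],
    )


if __name__ == "__main__":
    assessment = build_sample_assessment()
    for asset, score, level, sc in assessment.summary():
        print(f"{score:>2} {level:<8} {'[supply chain] ' if sc else ''}{asset}")
    print("update due on 2025-01-15:", assessment.update_due(date(2025, 1, 15)))
    assessment.record_change("Onboarded new cloud document management vendor")
    print("update due after vendor change:", assessment.update_due(date(2025, 1, 15)))
```

The register is deliberately tool-agnostic: the findings CSET or Compliance Manager produce can be entered as rows, and the `update_due` check encodes the annual-or-on-major-change rule from the note above so the assessment cadence is enforced rather than remembered.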