CMMC 1.0 Practice - RM.2.141

Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of “Controlled Unclassified Information” (CUI).

CMMC 1.0 Practice - RM.2.142

Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.

CMMC 1.0 Practice - RM.2.143

Remediate vulnerabilities in accordance with risk assessments.

CMMC 1.0 Practice - RM.3.144

Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources, and risk measurement criteria.

CMMC 1.0 Practice - RM.3.146

Develop and implement risk mitigation plans.

CMMC 1.0 Practice - RM.3.147

Manage non-vendor-supported products (e.g., end of life) separately and restrict as necessary to reduce risk.