This post explains how to design and run an annual risk assessment process that satisfies RA.L2-3.11.1 under the Compliance Framework mapping to NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2, with practical checklists, a reusable risk register template, and small-business examples you can implement right away.
What RA.L2-3.11.1 requires (practical translation)
RA.L2-3.11.1 calls for organizations handling Controlled Unclassified Information (CUI) to perform and document an annual risk assessment that informs security decisions and control selection. In practice for the Compliance Framework, this means: scope your CUI stores and processing, identify threats and vulnerabilities, evaluate likelihood and impact, produce a prioritized risk register, map risks to NIST SP 800-171/CMMC controls, document residual risk and risk acceptance, and produce evidence for auditors (SSP updates, POA&Ms, meeting minutes, and signed risk acceptance records).
Step-by-step implementation for Compliance Framework
Start with a repeatable process you can calendarize and audit:
1) Scope: list business processes, systems, and data flows holding CUI (include cloud, subcontractors, removable media).
2) Inventory: compile assets (asset owner, platform, location, CUI type).
3) Threat & vulnerability identification: use internal logs, vulnerability scans, NVD/CISA advisories, and threat intel.
4) Risk analysis: apply a numeric or categorical likelihood x impact model.
5) Control mapping: tie each high/medium risk to specific NIST SP 800-171 controls and any compensating controls.
6) Remediation planning: create POA&M items with owner, timeline, and resources.
7) Reporting & approval: deliver a formal risk report for executive approval and sign-off.
8) Evidence retention: store artifacts in your compliance repository (SSP, POA&M entries, signed acceptance forms).
Automate steps where possible (scans feeding the register, templates, calendar reminders).
Technical details and tools
Be specific: for the asset inventory, capture hostname, IP, OS, software versions, CUI type, data classification, access controls, and last backup. For vulnerability discovery, use authenticated scanner options (Nessus, OpenVAS, Qualys) and schedule quarterly authenticated scans at minimum, with ad-hoc scans after major changes. For cloud, use configuration checks (CIS Benchmarks) and cloud-native logs (AWS CloudTrail/CloudWatch, Azure Monitor), and enable host-based encryption (AES-256 or equivalent). Define your scoring: for a small business a 1–5 likelihood and 1–5 impact matrix is simple and defensible — document thresholds (e.g., risk >= 15 = High). Log collection and retention must support investigation: keep at least 90 days of syslog, and 1 year of security-relevant logs if contractually required; ensure log integrity (write-once S3, secure SIEM access).
Small-business scenario (real-world example)
Example: a 25-person subcontractor stores CUI in Microsoft 365 and on a file server. Year 1 actions: inventory users with CUI access, enable MFA for all admin and CUI users, enforce Conditional Access policies for cloud, run an authenticated Nessus scan on the file server, and map gaps to NIST SP 800-171 controls (e.g., IA, SC, MP). If a scan shows an unpatched RDP service on a server, score likelihood = 4, impact = 4 => risk 16 (High). Mitigation could be patching within 7 days, disabling RDP at the network edge, and adding MFA-based remote access; document these in the POA&M with owner and completion date. Keep meeting minutes from the risk review with leadership sign-off to show governance.
Checklist, templates and artifacts to produce
Use the following checklist during your annual assessment and use the template headers below for a risk register. Store all outputs in the Compliance Framework repository and reference them in your SSP and POA&M.
- Checklist: Scope inventory complete, asset inventory updated, vulnerability scan run & results ingested, threats documented, risk scoring applied, controls mapped to NIST SP 800-171/CMMC, POA&M items created, executive risk acceptance signed, SSP updated, evidence archived.
- Artifacts: Risk register (CSV/XLSX), Executive Risk Acceptance Form (signed PDF), POA&M entries with timestamps, vulnerability scan reports, meeting minutes, updated SSP with assessment date.
Risk register CSV template headers (copy/paste into Excel):
Risk ID,Date Identified,Asset/Process,Asset Owner,CUI Type,Threat/Vulnerability,Likelihood(1-5),Impact(1-5),Risk Score,Control(s) Mapped (SP800-171/CMMC),Mitigation Action,POA&M ID,Owner,Target Date,Residual Risk,Acceptance (Name/Title/Date)
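An added example, not part of the original post: a small Python script that applies the 1-5 likelihood x impact model and the "risk >= 15 = High" threshold from the sections above to rows in the register template, fills the Risk Score column, and orders the register for the review meeting. The Medium/Low cut-off, dates, POA&M IDs and owners are assumed placeholders; the RDP row reproduces the scenario above.

```python
import csv
import io

# Column names copied from the CSV template headers above.
HEADERS = ["Risk ID", "Date Identified", "Asset/Process", "Asset Owner", "CUI Type",
           "Threat/Vulnerability", "Likelihood(1-5)", "Impact(1-5)", "Risk Score",
           "Control(s) Mapped (SP800-171/CMMC)", "Mitigation Action", "POA&M ID",
           "Owner", "Target Date", "Residual Risk", "Acceptance (Name/Title/Date)"]

HIGH_THRESHOLD = 15    # from the post: risk >= 15 = High
MEDIUM_THRESHOLD = 8   # assumption: 8-14 = Medium, below 8 = Low


def score(likelihood, impact):
    """Return (score, rating) for a 1-5 likelihood and 1-5 impact; rejects out-of-range values."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers from 1 to 5")
    s = likelihood * impact
    if s >= HIGH_THRESHOLD:
        return s, "High"
    if s >= MEDIUM_THRESHOLD:
        return s, "Medium"
    return s, "Low"


def score_register(csv_text):
    """Parse register rows, fill the Risk Score column, and return rows highest score first."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        s, rating = score(int(row["Likelihood(1-5)"]), int(row["Impact(1-5)"]))
        row["Risk Score"] = f"{s} ({rating})"
    rows.sort(key=lambda r: int(r["Risk Score"].split()[0]), reverse=True)
    return rows


# Constructed sample register: the unpatched-RDP finding from the scenario above plus a
# lower-severity entry. Dates, POA&M IDs and owners are placeholders.
SAMPLE_REGISTER = ",".join(HEADERS) + "\n" + "\n".join([
    "R-001,2024-01-15,File server,IT Lead,CUI,Unpatched RDP service,4,4,,SC; IA,"
    "Patch within 7 days; disable RDP at the network edge; MFA remote access,"
    "POAM-001,IT Lead,2024-01-22,,",
    "R-002,2024-01-15,Shared laptop,IT Lead,CUI,Missing full-disk encryption,2,3,,SC; MP,"
    "Enable host-based encryption,POAM-002,IT Lead,2024-02-01,,",
])

if __name__ == "__main__":
    for r in score_register(SAMPLE_REGISTER):
        print(r["Risk ID"], r["Risk Score"], r["Control(s) Mapped (SP800-171/CMMC)"])
```

The same function can be pointed at your exported register to flag any row whose likelihood or impact was entered outside the 1-5 scale before it reaches the executive review.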
Compliance tips and best practices
Keep the assessment senior-led but operationally executed: assign an executive risk owner and a technical owner for each POA&M item. Integrate the annual assessment into change management so you run mini-assessments for major changes or third-party connections. Tie remediation to budgets — without funding POA&Ms will languish and auditors will flag them. Maintain a documented risk threshold and acceptance criteria; automate evidence collection where possible (scans pushing results to the register, automated backups of meeting minutes). For subcontracted services, require SOC 2 or equivalent evidence and include subcontractor risk in your assessment scope.
Risks of not implementing RA.L2-3.11.1
Failing to run and document an annual risk assessment risks losing DoD contracts, failing CMMC audits, and exposing CUI to breaches. Practical consequences include contract termination, remediation costs, fines or withheld payments, and reputational damage — plus the direct technical risk of undetected vulnerabilities leading to data exfiltration. Auditors expect demonstrable governance: a missing or superficial assessment will generate findings that are typically turned into POA&Ms and can delay certification.
Summary: implement a repeatable annual risk assessment tied to your Compliance Framework by scoping CUI, inventorying assets, running vulnerability/threat analysis, applying a documented scoring model, mapping findings to NIST SP 800-171/CMMC controls, recording POA&Ms with owners and timelines, and retaining signed executive acceptance and evidence. Use the checklist and the risk register template above to standardize the workflow, and automate scan ingestion and scheduling wherever possible to reduce effort and strengthen auditability.