The RA.L2-3.11.1 control requires organizations that handle Controlled Unclassified Information (CUI) to perform and document risk assessments that drive security decisions. This post provides a practical, audit-focused checklist with implementation notes so that a small business following the Compliance Framework mapping to NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2 can make its risk assessment program compliant, repeatable, and demonstrably effective.
What RA.L2-3.11.1 expects (Compliance Framework context)
At the Practice level within the Compliance Framework, RA.L2-3.11.1 is about establishing a documented, periodic process to identify threats and vulnerabilities to CUI, analyze impact and likelihood, prioritize risks, and produce actionable remediation or acceptance decisions with evidence that an assessor can review. Key objectives include scoped asset inventories for CUI, a defined risk methodology (qualitative or quantitative), periodic reassessment (annually and after significant change), and traceable artifacts (risk register, meeting notes, remediation plans, and approvals).
Step-by-step implementation checklist
1) Define scope and data flows: Create a CUI data inventory and diagram network/data flows showing where CUI is stored, processed, and transmitted. For a small subcontractor, that might be a single cloud tenant, a development VM, and authoring laptops. Document each asset with owner, classification (CUI vs non-CUI), and exposure points (VPN, email, APIs).
2) Build an asset and control baseline: Catalog assets with OS, apps, versions, patch state, authentication methods, and encryption status. Capture baseline configurations (CIS benchmarks or vendor hardening guides) as evidence. Use authenticated vulnerability scanning (credentialed scans) and record CVE listings and CVSS scores to feed risk prioritization.
3) Select and document your risk assessment method: Adopt a simple, repeatable methodology (likelihood × impact matrix or CVSS-driven thresholds). Define scales (e.g., likelihood 1–5, impact 1–5), mapping rules (score ≥15 = high priority), and acceptance criteria. Record this method in a formal Risk Assessment Procedure document so auditors can validate repeatability.
4) Perform threat and vulnerability analysis: Combine threat intelligence (e.g., monthly feeds or vendor advisories) with internal findings from scans, logs, and pentests. For example, if a contractor uses an outdated VPN appliance with CVE-XXXX-YYYY rated CVSS 9.0, document exploitability, potential CUI exposure (files or API keys), and compensating controls (network segmentation, MFA) used while remediation is scheduled.
5) Produce a risk register and POA&M entries: For each identified risk include unique ID, asset, description, likelihood, impact, calculated risk score, mitigation options, planned remediation owner and timeline, and residual risk after controls. For small businesses, link POA&M items to ticket IDs in your ticketing system (Jira, ServiceNow, or GitHub Issues) so status updates are automatically recorded.
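As an added worked example (not code from the original post), the scoring method from step 3 and the register fields from step 5 in Python: likelihood × impact on the 1–5 scales, score ≥15 mapped to high priority, and CVSS ≥9 forced onto the 14-day remediation SLA the post recommends. The medium-tier cut-off, the 30/90-day SLAs for lower tiers, and every asset name, owner, and ticket ID are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
HIGH_THRESHOLD = 15      # page rule: likelihood x impact >= 15 is high priority
MEDIUM_THRESHOLD = 8     # assumed lower cut-off, not given on the page
SLA_DAYS = {"high": 14, "medium": 30, "low": 90}  # 14 days for critical is from the page; others assumed

@dataclass
class Risk:
    risk_id: str
    asset: str
    description: str
    likelihood: int                    # 1-5 scale
    impact: int                        # 1-5 scale
    cvss: Optional[float] = None       # scanner CVSS when the risk is a CVE
    owner: str = "unassigned"
    ticket: Optional[str] = None       # POA&M link into the ticketing system
    residual_likelihood: Optional[int] = None  # likelihood with compensating controls in place

    def __post_init__(self):
        for v in (self.likelihood, self.impact, self.residual_likelihood):
            if v is not None and not 1 <= v <= 5:
                raise ValueError(f"{self.risk_id}: scores must be on the 1-5 scale")

def priority(score, cvss=None):  # map a matrix score (and optional CVSS) to a tier
    if score >= HIGH_THRESHOLD or (cvss is not None and cvss >= 9.0):
        return "high"
    return "medium" if score >= MEDIUM_THRESHOLD else "low"

def build_register(risks, assessed_on):
    """Rows sorted highest inherent risk first, with SLA-derived POA&M due dates."""
    rows = []
    for r in risks:
        inherent = r.likelihood * r.impact
        residual = (r.residual_likelihood or r.likelihood) * r.impact
        tier = priority(inherent, r.cvss)
        rows.append({"id": r.risk_id, "asset": r.asset, "owner": r.owner, "ticket": r.ticket,
                     "inherent": inherent, "residual": residual, "priority": tier,
                     "due": assessed_on + timedelta(days=SLA_DAYS[tier]),
                     # an assessor flags a risk with no owner or no ticket as untraceable
                     "evidence_gap": r.ticket is None or r.owner == "unassigned"})
    return sorted(rows, key=lambda row: (-row["inherent"], row["id"]))

# Constructed sample entries: the VPN appliance from step 4 plus two lower-severity items.
ASSESSED_ON = date(2024, 1, 15)  # constructed assessment date
SAMPLE = [
    Risk("R-001", "vpn-edge-01", "Outdated VPN appliance; segmentation and MFA in place", 4, 5,
         cvss=9.0, owner="netops", ticket="OPS-142", residual_likelihood=2),
    Risk("R-002", "dev-vm-03", "Shared local admin account among developers", 3, 3, owner="dev-lead"),
    Risk("R-003", "laptop-fleet", "Disk encryption unverified on two laptops", 2, 4),
]
```

Each row of `build_register(SAMPLE, ASSESSED_ON)` carries the inherent and residual scores, the tier-driven due date, and an `evidence_gap` flag for entries an assessor could not trace to an owner or ticket.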
Continuous monitoring and evidence collection
Implement a monitoring cadence: schedule monthly vulnerability scans, weekly AV/EDR status checks, and quarterly tabletop reviews. Preserve evidence for auditors: signed risk assessment reports, meeting minutes, risk register snapshots, scan reports (with timestamps), remediation ticket history, and signed risk acceptance forms from designated authorizing officials. Use immutable storage (S3 with versioning or secure document repository) to retain artifacts for the audit timeline.
Practical tools, small-business scenarios, and technical specifics
Small business example: a 25-person subcontractor hosting CUI in Microsoft 365 and a single AWS account. Practical steps: enable Conditional Access and MFA for all M365 accounts, apply Sensitivity Labels for CUI, use AWS KMS for encryption at rest, enforce least-privilege IAM roles, run Amazon Inspector and CIS Benchmark checks, and deploy an EDR sensor that provides centralized telemetry. Document tool names and versions, and record that credentialed scans were used (never the credentials themselves). Configure automated export of logs to a SIEM or secure storage, retained for 90 days, for correlation and audit review.
Compliance tips, best practices, and risks of noncompliance
Best practices: tie risk assessments to procurement and change control (assess before new cloud services), enforce owner sign-off for residual risks, and integrate security tickets with the enterprise risk register. Use measurable remediation SLAs (e.g., critical CVSS ≥9 remediated within 14 days). The risks of not implementing RA.L2-3.11.1 are severe: loss of DoD contracts, failed CMMC assessment, exposure of CUI leading to data breaches, reputational damage, and downstream liability. Even minor failures—missing documentation, inconsistent methods, or no evidence of periodic reassessment—commonly cause audit findings.
In short, implement a scoped, repeatable risk assessment process that produces traceable artifacts, uses technical scanning and monitoring, and ties remediation into ticketing and POA&M. By following the checklist above and preserving evidence (reports, registers, tickets, approvals), a small business can demonstrate compliance with the Compliance Framework practice RA.L2-3.11.1 and reduce real cyber risk to CUI.