CMMC 1.0 Practice RM.3.144 Requirement:
Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources, and risk measurement criteria.
CMMC 1.0 RM.3.144 Requirement Explanation:
Periodic risk assessments help identify risks to your company's systems and business processes. Risk assessments cover people, technology, information, and facilities. There are different types of risk assessments. These include qualitative and quantitative. Qualitative risk assessments are generally easier to conduct.
Example CMMC 1.0 RM.3.144 Implementation:
Assemble a team of IT personnel and business personnel to perform an organizational risk assessment. Create a list of threat sources (e.g., cyber attack) and threat events (denial of service against your web server). List your existing vulnerabilities associated with the threat event (e.g., a lack of inbound traffic filtering rules). Calculate the likelihood of the the threat event occurring. Calculate the impact the threat event would have if it occurred. Calculate the risk the threat event poses to your company. Determine the actions you can take to mitigate the identified risks. Document the above in a risk assessment report. Have a policy defining the frequency your company is to conduct risk assessments.
CMMC 1.0 RM.3.144 Scenario(s):
- Scenario 1:
Under your company's risk assessment policy you conduct an annual qualitative risk assessment. The assessment determines risks to your company's business processes and the systems supporting them. You consolidate the findings in a report that is given to executive management who allocate resources to reducing the identified risks.
Quick & Simple
Discover Our Cybersecurity Compliance Solutions:
Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you
NIST SP 800-171 & CMMC Compliance
Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC requirements.
Become compliant, provide compliance services, or verify partner compliance with HIPAA security rule requirements.
FAR 52.204-21 Compliance
Become compliant, provide compliance services, or verify partner compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems requirements.
ISO 27001 Compliance
Become compliant, provide compliance services, or verify partner compliance with ISO 27001 requirements.