CMMC 1.0 Practice RM.3.144 Requirement:
Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources, and risk measurement criteria.
CMMC 1.0 RM.3.144 Requirement Explanation:
Periodic risk assessments help identify risks to your company's systems and business processes. Risk assessments cover people, technology, information, and facilities. There are different types of risk assessments. These include qualitative and quantitative. Qualitative risk assessments are generally easier to conduct.
Example CMMC 1.0 RM.3.144 Implementation:
Assemble a team of IT personnel and business personnel to perform an organizational risk assessment. Create a list of threat sources (e.g., cyber attack) and threat events (denial of service against your web server). List your existing vulnerabilities associated with the threat event (e.g., a lack of inbound traffic filtering rules). Calculate the likelihood of the the threat event occurring. Calculate the impact the threat event would have if it occurred. Calculate the risk the threat event poses to your company. Determine the actions you can take to mitigate the identified risks. Document the above in a risk assessment report. Have a policy defining the frequency your company is to conduct risk assessments.
CMMC 1.0 RM.3.144 Scenario(s):
- Scenario 1:
Under your company's risk assessment policy you conduct an annual qualitative risk assessment. The assessment determines risks to your company's business processes and the systems supporting them. You consolidate the findings in a report that is given to executive management who allocate resources to reducing the identified risks.
Discover Our NIST SP 800-171 & CMMC 2.0 Solutions:
Power through compliance. Meet and maintain your NIST SP 800-171 & CMMC 2.0 compliance requirements.
Transform your business. Create new revenue streams and provide scalability for your NIST SP 800-171 and CMMC 2.0 services.
Supply Chain Verifier
Trust is everything. Verify, monitor, and support subcontactor compliance.