NIST SP 800-171 & CMMC 2.0 Control 3.11.1 Requirement:

Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of “Controlled Unclassified Information” (CUI).

NIST SP 800-171 & CMMC 2.0 3.11.1 Requirement Explanation:

Risk arises from anything that can reduce an organization’s assurance of mission/business success; cause harm to image or reputation; or harm individuals, other organizations, or the Nation. By assessing risks to your organization you can devise plans to mitigate identified risks.

Example NIST SP 800-171 & CMMC 2.0 3.11.1 Implementation:

Conduct a risk assessment to identify risks to your company's business operations. This includes reviewing how common threats such as natural disasters and cyber attacks can impact your business operations and your “Controlled Unclassified Information” (CUI). Document your findings in a risk assessment report. Periodically perform risks assessments, perhaps annually.

NIST SP 800-171 & CMMC 2.0 3.11.1 Scenario(s):

- Scenario 1:

You decide to perform a risk assessment to determine whether you should store “Controlled Unclassified Information” (CUI) on your local file server or with a cloud service provider. You list out common threats such as natural disasters, power outages, and malware infections and decide which solution has the least risk.

Discover Our NIST SP 800-171 & CMMC 2.0 Solutions:


Compliance Accelerator

Power through compliance. Meet and maintain your NIST SP 800-171 & CMMC 2.0 compliance requirements.

Quantum Assessor

Transform your business. Create new revenue streams and provide scalability for your NIST SP 800-171 and CMMC 2.0 services.

Supply Chain Verifier

Trust is everything. Verify, monitor, and support subcontactor compliance.