Cybersecurity Maturity Model Certification
CMMC
Cyber Risk Assessments
Intro
Start with our CMMC Assessment, the first step towards sustained compliance and stronger security. For Defense Industrial Base (DIB) contractors, the future of your business depends on meeting the stringent standards of CMMC. Are you in compliance with DFARS 7012, NIST SP 800-171, and CMMC 2.0 Level 2?
CMMC Practice RA.L2-3.11.1 – Risk Assessments: Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
The Risk Assessment control family (NIST SP 800-171, family 3.11) comprises three main requirements:
- Risk Assessment (Basic Requirement): Organizations must periodically evaluate risks to operations, assets, and individuals. This involves defining system boundaries so that potential threats can be identified, and understanding how operations may introduce or compound risk. Assessments may be formal or informal and can occur at any stage of the system development life cycle.
- Vulnerability Scans (Derived Requirement): Organizations should regularly conduct vulnerability scans to detect emerging risks and threats. This entails using Security Content Automation Protocol (SCAP) validated tools and identifying vulnerabilities listed in the Common Vulnerabilities and Exposures (CVE) database.
- Remediation (Derived Requirement): Once vulnerabilities are identified, organizations must have policies and procedures in place to address them effectively.
About the Assessment
CMMC 2.0 Levels:
- Level 1 (Foundational): Organizations perform basic cybersecurity practices without strict documentation requirements and can achieve certification through an annual self-assessment. It focuses on safeguarding Federal Contract Information (FCI) as defined by 48 CFR 52.204-21. Required for DoD contractors handling FCI.
- Level 2 (Advanced): Organizations document processes to guide efforts towards CMMC Level 2 maturity, ensuring repeatability. It includes all 110 security controls from NIST SP 800-171 and is equivalent to CMMC 1.02 Level 3 but removes 20 Level 3 practices. Assessment requirements vary based on the criticality of Controlled Unclassified Information (CUI) handled. Necessary for DoD contractors handling CUI.
- Level 3 (Expert): Organizations establish, maintain, and resource a plan to manage activities for implementing cybersecurity practices, reducing vulnerability to advanced threats. Practices encompass those from NIST SP 800-171 and additional requirements, including those from DFARS clause 252.204-7012. Required for companies handling CUI for DoD programs with the highest priority.
More Information
Who requires CMMC Level 1? DoD contractors and subcontractors that handle Federal Contract Information (FCI), defined as information provided by or generated for the Government under a contract to develop or deliver a product or service, require CMMC Level 1 certification.
NIST 800-171 refers to the National Institute of Standards and Technology (NIST) Special Publication 800-171. It outlines security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. These requirements serve as guidelines for federal contractors and subcontractors who handle CUI, aiming to safeguard sensitive information from unauthorized access and disclosure. Compliance with NIST 800-171 is often mandated by government contracts, particularly those involving the Department of Defense (DoD) and other federal agencies.
NIST Special Publication 800-172, published as a supplement to NIST SP 800-171, extends and complements NIST 800-171. It provides additional guidance and enhanced security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. NIST 800-172 addresses more advanced cybersecurity threats, particularly those targeting CUI in critical programs and high-risk environments. Organizations handling CUI, especially those with heightened security concerns, may use NIST 800-172 to strengthen their cybersecurity practices beyond the baseline requirements of NIST 800-171.