Risk Assessment Policy
Risk Assessment Domain (RA)
📖 What This Policy Covers
Risk Assessment is about systematically identifying what could go wrong and how bad it would be. This policy covers periodic risk assessments using the NIST SP 800-30 methodology (identify assets, threats, vulnerabilities, determine likelihood and impact, calculate risk, prioritize and mitigate), vulnerability scanning (weekly authenticated scans, CVSS-based prioritization), and insider threat assessment (behavioral and technical indicators, detection methods, response procedures). This policy drives the prioritization of all other security investments.
Purpose
This policy ensures threats and vulnerabilities to CUI systems are systematically identified, risks are assessed using a consistent methodology, risk mitigation decisions are documented and tracked, and vulnerability scanning drives continuous risk reduction.
Scope
Applies to all information systems, networks, and processes that handle CUI. Covers organizational risk assessments, vulnerability scanning, and insider threat assessment.
🎯 Why It Matters
Without risk assessment, security spending is ad hoc -- you may invest heavily in one area while leaving critical gaps elsewhere. CMMC assessors want to see that you understand your risk landscape and make informed decisions. The risk assessment feeds into your Plan of Action & Milestones (POA&M) and justifies security investments to leadership. Vulnerability scanning provides the continuous data that keeps your risk picture current.
🔐 Key Requirements
1. Periodic Risk Assessments
Formal risk assessments using NIST SP 800-30 methodology.
- ✓ Annual risk assessments or when significant changes occur (new systems, architecture changes, major incidents)
- ✓ NIST SP 800-30 methodology: identify assets, threats, vulnerabilities; determine likelihood/impact; calculate risk score; prioritize; develop mitigation plan
- ✓ Risk assessment report includes: executive summary, risk register, mitigation recommendations with timelines, residual risk
- ✓ Risk acceptance decisions approved by CISO and executive leadership
- ✓ Risk register maintained as a living document, updated quarterly
2. Vulnerability Scanning
Regular automated vulnerability scanning with risk-based remediation.
- ✓ Weekly authenticated (credentialed) scans of all CUI systems; unauthenticated scans only see network-exposed services and miss missing patches and local misconfigurations
- ✓ Tools: Tenable Nessus, Qualys, Rapid7 InsightVM, Amazon Inspector, Microsoft Defender for Cloud (formerly Azure Defender)
- ✓ Scope: network devices, servers, workstations, web apps, databases, cloud resources
- ✓ Prioritization by CVSS base score, evidence of active exploitation (for example, a listing in the CISA Known Exploited Vulnerabilities catalog), and asset criticality, with CUI-handling systems first
- ✓ Remediation per Configuration Management Policy SLAs
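Ranking by CVSS alone puts a 9.8 on a lobby kiosk ahead of an actively exploited 7.5 on the CUI file server. The following is an added example (not code from the original policy) of the risk-based ordering described above: it joins scanner findings with an asset inventory and a known-exploited list, derives NIST SP 800-30 style likelihood and impact levels, and sorts the remediation queue by the resulting risk. Host names, the CVE-style IDs, the criticality assignments and the thresholds are all constructed for illustration.

```python
"""Risk-based ordering of vulnerability scan findings.

Added illustration, not code from the original policy. A raw scanner export
ranks by CVSS alone; this joins each finding with an asset inventory
(criticality) and a known-exploited list, derives NIST SP 800-30 style
likelihood and impact levels, and sorts the remediation queue by resulting
risk level. Asset names, CVE-style IDs and thresholds are constructed.
"""
from dataclasses import dataclass

LEVELS = ["very_low", "low", "moderate", "high", "very_high"]

# Modeled on the likelihood x impact matrix in NIST SP 800-30 Rev. 1 Table I-2:
# impact caps the risk level, so a trivially exploitable bug on a throwaway
# asset still comes out low.
RISK_MATRIX = {
    #   impact ->   very_low    low    moderate    high    very_high
    "very_high": ["very_low", "low", "moderate", "high", "very_high"],
    "high":      ["very_low", "low", "moderate", "high", "very_high"],
    "moderate":  ["very_low", "low", "moderate", "moderate", "high"],
    "low":       ["very_low", "low", "low", "low", "moderate"],
    "very_low":  ["very_low", "very_low", "very_low", "low", "low"],
}

@dataclass
class Finding:
    host: str
    cve: str
    cvss: float            # CVSS base score as reported by the scanner
    known_exploited: bool  # present in an exploited-in-the-wild feed (e.g. CISA KEV)

# Constructed asset inventory: "high" = stores or processes CUI.
ASSET_CRITICALITY = {
    "cui-fileserver-01": "high",
    "erp-db-01": "high",
    "jump-host-02": "medium",
    "kiosk-lobby-01": "low",
}

def likelihood(f: Finding) -> str:
    """Likelihood of exploitation; active exploitation outranks the CVSS number."""
    if f.known_exploited:
        return "very_high"
    if f.cvss >= 9.0:
        return "high"
    if f.cvss >= 7.0:
        return "moderate"
    if f.cvss >= 4.0:
        return "low"
    return "very_low"

def impact(f: Finding, inventory: dict) -> str:
    """Impact from asset criticality. A host missing from the inventory is
    treated as high-impact: an unclassified asset is itself an inventory gap."""
    crit = inventory.get(f.host)
    return {"high": "high", "medium": "moderate", "low": "low"}.get(crit, "high")

def risk_level(lik: str, imp: str) -> str:
    return RISK_MATRIX[lik][LEVELS.index(imp)]

def prioritize(findings, inventory):
    """Return (finding, likelihood, impact, risk) tuples, highest risk first.
    Within a risk level, known-exploited findings and then higher CVSS win."""
    rows = [(f, likelihood(f), impact(f, inventory)) for f in findings]
    rows = [(f, lik, imp, risk_level(lik, imp)) for f, lik, imp in rows]
    rows.sort(key=lambda r: (LEVELS.index(r[3]), r[0].known_exploited, r[0].cvss),
              reverse=True)
    return rows

# Constructed findings with placeholder CVE-style IDs (not real CVEs).
FINDINGS = [
    Finding("kiosk-lobby-01",    "CVE-0000-1001", 9.8, False),
    Finding("cui-fileserver-01", "CVE-0000-1002", 7.5, True),
    Finding("erp-db-01",         "CVE-0000-1003", 8.1, False),
    Finding("jump-host-02",      "CVE-0000-1004", 5.3, False),
    Finding("print-server-07",   "CVE-0000-1005", 9.0, False),  # not in inventory
]

def remediation_queue(findings=FINDINGS, inventory=ASSET_CRITICALITY):
    """Ordered list of (host, cve, risk) for the ticketing workflow."""
    return [(f.host, f.cve, risk) for f, _, _, risk in prioritize(findings, inventory)]

if __name__ == "__main__":
    for host, cve, risk in remediation_queue():
        print(f"{risk:>9}  {host:<18} {cve}")
```

Run as written, the queue starts with the known-exploited finding on the CUI file server and the unclassified print server, and the kiosk's 9.8 lands fourth. The unknown-host default is deliberate: a scanner finding on a host the inventory does not know about is two gaps, not one, and should not quietly sort to the bottom.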
3. Insider Threat Assessment
Monitor for and assess insider threat indicators.
- ✓ Behavioral indicators: disgruntled employees, policy violations, substance abuse
- ✓ Technical indicators: download volumes well above the user's own baseline, after-hours access to CUI systems, repeated failed privilege-escalation attempts, access to systems outside the user's job scope
- ✓ Detection: User and Entity Behavior Analytics (UEBA) in SIEM, DLP alerts, manager reports, anonymous hotline
- ✓ Response: IT Security investigates anomalies, HR involvement for behavioral concerns, law enforcement if criminal activity suspected
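The technical indicators above are what UEBA rules in a SIEM evaluate. The following is an added example (not code from the original policy or from any SIEM product) that implements four of them as plain rules over a constructed access log: bulk downloads against a per-user daily baseline, after-hours access to CUI hosts, repeated failed privilege escalation, and access to hosts outside job scope. The user names, hosts, baselines, business hours and thresholds are assumptions; in a real deployment the baselines are learned over a trailing window and the job-scope map comes from the access-control matrix.

```python
"""Insider threat technical indicators evaluated over access logs.

Added illustration, not code from the original policy or any SIEM product.
Four of the indicators above are implemented as plain rules over a
constructed CSV log: bulk downloads versus a per-user daily baseline,
after-hours access to CUI hosts, repeated failed privilege escalation, and
access to hosts outside the user's job scope. User names, hosts, baselines,
business hours and thresholds are all assumptions.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (not real data); 2024-03-04 is a Monday.
SAMPLE_LOG = """timestamp,user,event,host,bytes
2024-03-04T09:12:00,alice,file_read,cui-fileserver-01,120000
2024-03-04T10:00:00,bob,file_read,jump-host-02,40000
2024-03-04T13:30:00,bob,sudo_failed,jump-host-02,0
2024-03-04T22:40:00,alice,file_copy,cui-fileserver-01,9000000
2024-03-04T22:41:00,alice,file_copy,cui-fileserver-01,4500000
2024-03-04T23:05:00,alice,sudo_failed,cui-fileserver-01,0
2024-03-04T23:06:00,alice,sudo_failed,cui-fileserver-01,0
2024-03-04T23:07:00,alice,sudo_failed,cui-fileserver-01,0
2024-03-04T23:15:00,alice,file_read,hr-share-03,300000
"""

CUI_HOSTS = {"cui-fileserver-01", "erp-db-01"}
# Hosts each user's role is expected to touch (assumed; would come from the access-control matrix).
JOB_SCOPE = {"alice": {"cui-fileserver-01", "erp-db-01"}, "bob": {"jump-host-02"}}
# Typical bytes moved per day; a real UEBA learns this over a trailing window (assumed here).
DAILY_BASELINE = {"alice": 2_000_000, "bob": 500_000}
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 local, Monday-Friday (assumed)
BULK_MULTIPLIER = 5
PRIVESC_FAILURE_THRESHOLD = 3

def is_after_hours(ts: datetime) -> bool:
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS

def evaluate(log_text: str) -> dict:
    """Return {user: [indicator, ...]} for users with at least one indicator."""
    bytes_moved = Counter()
    after_hours_cui = Counter()
    privesc_failures = Counter()
    out_of_scope = defaultdict(set)

    for row in csv.DictReader(io.StringIO(log_text)):
        user, host, event = row["user"], row["host"], row["event"]
        ts = datetime.fromisoformat(row["timestamp"])
        bytes_moved[user] += int(row["bytes"])
        if event == "sudo_failed":
            privesc_failures[user] += 1
        elif host in CUI_HOSTS and is_after_hours(ts):
            after_hours_cui[user] += 1
        if host not in JOB_SCOPE.get(user, set()):
            out_of_scope[user].add(host)

    findings = {}
    for user in sorted(bytes_moved):   # every row touches bytes_moved, so this is every user
        hits = []
        # A user with no baseline has never been profiled; any volume above zero is flagged.
        baseline = DAILY_BASELINE.get(user, 0)
        if bytes_moved[user] > BULK_MULTIPLIER * baseline:
            hits.append(f"bulk_download:{bytes_moved[user]}B vs baseline {baseline}B")
        if after_hours_cui[user]:
            hits.append(f"after_hours_cui_access:{after_hours_cui[user]} events")
        if privesc_failures[user] >= PRIVESC_FAILURE_THRESHOLD:
            hits.append(f"failed_privilege_escalation:{privesc_failures[user]} attempts")
        if out_of_scope[user]:
            hits.append("out_of_scope_access:" + ",".join(sorted(out_of_scope[user])))
        if hits:
            findings[user] = hits
    return findings

if __name__ == "__main__":
    for user, hits in evaluate(SAMPLE_LOG).items():
        print(user, "->", "; ".join(hits))
```

On the sample log, alice trips all four indicators in one evening while bob's single failed sudo during business hours trips none; a single indicator is rarely actionable on its own, which is why the response step hands the correlated picture to IT Security for investigation rather than alerting on each rule in isolation.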
👥 Roles & Responsibilities
CISO
- • Lead annual risk assessment
- • Approve risk register and mitigation plans
- • Present risk posture to executive leadership
- • Make risk acceptance decisions (with executive approval)
IT Security
- • Conduct vulnerability scans
- • Assist with risk assessment data gathering
- • Monitor insider threat indicators via SIEM/UEBA
- • Track remediation of identified risks
Executive Leadership
- • Approve risk acceptance decisions
- • Allocate budget for risk mitigation
- • Review risk posture quarterly
System/Application Owners
- • Provide asset and system information for risk assessments
- • Remediate vulnerabilities on their systems within SLAs
- • Report risk changes (new integrations, architecture changes)
🛠️ Implementation Roadmap (6 Weeks)
Risk Assessment
Weeks 1-2
- → Conduct initial risk assessment using NIST SP 800-30 template
- → Identify all CUI assets, threats, and vulnerabilities
- → Calculate risk scores and populate risk register
- → Present findings to executive leadership for risk acceptance decisions
Vulnerability Scanning
Weeks 3-4
- → Deploy/configure vulnerability scanner (Nessus, Qualys)
- → Run initial baseline scans
- → Establish weekly scanning schedule
- → Create remediation workflow (scan results -> tickets -> track to closure)
Insider Threat Program
Weeks 5-6
- → Configure UEBA rules in SIEM
- → Create insider threat playbook for IR team
- → Train managers on behavioral indicators
- → Set up anonymous reporting hotline
📊 CMMC Practice Mapping
| Practice ID | Requirement | Policy Section |
|---|---|---|
| RA.L2-3.11.1 | Periodically assess risk | 1 |
| RA.L2-3.11.2 | Scan for vulnerabilities | 2 |
| RA.L2-3.11.3 | Remediate vulnerabilities per risk | 2 (see CM Policy for SLAs) |
📋 Evidence Requirements
These are the artifacts a C3PAO assessor will ask for. Start collecting early.
Risk Assessment Report
Risk Register
Vulnerability Scan Reports
Executive Risk Acceptance
⚠️ Common Gaps (What Assessors Flag)
1. No formal risk assessment performed
2. Vulnerability scans running but no risk-based prioritization
3. No insider threat monitoring
📝 Template Customization Guide
When filling in the downloadable template for this policy, replace these placeholders with your organization's specifics:
[COMPANY NAME] Your organization's legal name
Example: Acme Defense Systems, LLC
[CISO Name] Name of your CISO
Example: Jane Smith
Customization Tips
- 💡 The risk assessment should be specific to YOUR environment -- don't just list generic threats
- 💡 Include your specific CUI systems, contracts, and data types in the asset identification
- 💡 If you use a GRC tool (Archer, ServiceNow GRC), reference it instead of Excel for the risk register
- 💡 Document how risk assessment findings feed into your POA&M and budget planning cycle