NetStable
Level 2 RA.L2-3.11.1

Periodically assess the risk to organizational operations, assets, and individuals

📖 What This Means

This practice requires organizations to regularly evaluate the risks that could affect their operations, assets, and people. It’s about understanding what could go wrong, how likely it is to happen, and what the impact would be if it did. For example, a company might assess the risk of a cyberattack on their customer data or the risk of a natural disaster disrupting their operations. By doing this periodically, organizations can stay ahead of potential threats and take steps to mitigate them before they cause harm. Think of it like checking the weather forecast before planning an outdoor event—it helps you prepare for what might come.

🎯 Why It Matters

Failing to assess risks can leave organizations vulnerable to cyberattacks, data breaches, and operational disruptions. For instance, the 2021 Colonial Pipeline ransomware attack caused widespread fuel shortages and cost millions in recovery. The DoD emphasizes this control because protecting Controlled Unclassified Information (CUI) and ensuring mission readiness are critical. Without periodic risk assessments, organizations may miss evolving threats, leading to financial losses, reputational damage, and non-compliance with CMMC requirements.

How to Implement

  1. Use cloud-native tools such as Amazon Inspector or Microsoft Defender for Cloud (formerly Azure Security Center) to perform automated vulnerability scans; for on-premise systems, use a network scanner such as Nessus or Qualys.
  2. Configure logging and monitoring to track access and changes to cloud resources.
  3. Review cloud provider security advisories and update configurations accordingly.
  4. Conduct periodic penetration testing on cloud-hosted applications.
  5. Rate each finding for likelihood and impact (for example with a NIST SP 800-30 style risk matrix), document the results in a risk assessment report, and share it with stakeholders. Scanner output is an input to the assessment, not the assessment itself: threats to operations and individuals that no scanner reports (the natural disaster example above, insider misuse) still need a likelihood and impact rating.
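The following script is an added worked example of step 5 and is not NetStable's or any scanner vendor's code. It takes a findings export shaped like an Amazon Inspector or Defender for Cloud result set (the sample data is constructed), scores each finding on an assumed 5x5 likelihood-by-impact matrix, assigns a remediation due date by risk level, writes the register in a fixed CSV layout, and reconciles the findings against an asset inventory so that systems missing from the scan are surfaced rather than silently dropped. The scoring rules, band thresholds and SLA days are assumptions an organization would replace with its own methodology.

```python
"""Turn vulnerability scan findings into a scored risk register.

Added worked example, not NetStable's or any scanner vendor's code. The findings
below are constructed to resemble a cloud scanner export (Amazon Inspector or
Defender for Cloud style); the likelihood/impact rules, band thresholds and
remediation SLAs are assumptions to be tuned in the organization's own method.
"""
import csv
import io
import json
from datetime import date, timedelta

# Constructed sample export (not real scan output). "exposed" = internet-facing,
# "exploit_known" = public exploit available, "cui" = asset stores or processes CUI.
SAMPLE_FINDINGS = json.dumps([
    {"finding_id": "F-001", "asset": "web-prod-01", "cvss": 9.8, "exposed": True,  "exploit_known": True,  "cui": True},
    {"finding_id": "F-002", "asset": "db-prod-01",  "cvss": 7.5, "exposed": False, "exploit_known": False, "cui": True},
    {"finding_id": "F-003", "asset": "build-01",    "cvss": 5.3, "exposed": False, "exploit_known": False, "cui": False},
    {"finding_id": "F-004", "asset": "web-prod-01", "cvss": 3.1, "exposed": True,  "exploit_known": False, "cui": True},
])

# Constructed asset inventory and assessment date (assumptions for the example).
INVENTORY = ["web-prod-01", "db-prod-01", "build-01", "hr-fileshare-01"]
ASSESSED_ON = date(2025, 1, 6)

# Assumed 5x5 matrix bands on the likelihood x impact product, and SLAs per band.
RISK_BANDS = [(16, "Critical"), (8, "High"), (4, "Moderate"), (0, "Low")]
REMEDIATION_DAYS = {"Critical": 15, "High": 30, "Moderate": 90, "Low": 180}


def likelihood(f):
    """Assumed 1-5 scale: severity, internet exposure and a known exploit raise it."""
    score = 1
    if f["cvss"] >= 7.0:
        score += 1
    if f["exposed"]:
        score += 1
    if f["exploit_known"]:
        score += 2
    return min(score, 5)


def impact(f):
    """Assumed 1-5 scale: high or critical CVSS and CUI handling raise it."""
    score = 2 if f["cvss"] >= 7.0 else 1
    if f["cvss"] >= 9.0:
        score += 1
    if f["cui"]:
        score += 2
    return min(score, 5)


def risk_level(score):
    """Map a likelihood x impact product onto the matrix bands."""
    for threshold, label in RISK_BANDS:
        if score >= threshold:
            return label


def build_register(findings_json, assessed_on):
    """Score every finding and return register rows sorted highest risk first."""
    rows = []
    for n, f in enumerate(json.loads(findings_json), start=1):
        lik, imp = likelihood(f), impact(f)
        level = risk_level(lik * imp)
        rows.append({
            "risk_id": f"RA-{n:03d}",
            "asset": f["asset"],
            "finding": f["finding_id"],
            "likelihood": lik,
            "impact": imp,
            "score": lik * imp,
            "level": level,
            "remediate_by": (assessed_on + timedelta(days=REMEDIATION_DAYS[level])).isoformat(),
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def unscanned_assets(findings_json, inventory):
    """Inventory entries with no finding at all.

    A findings-only export cannot tell a clean host from one the scan never
    reached, so reconcile this list against the scanner's own scanned-host
    list where the tool provides it before signing off on coverage.
    """
    seen = {f["asset"] for f in json.loads(findings_json)}
    return sorted(a for a in inventory if a not in seen)


def to_csv(rows):
    """Render the register in a fixed column order so every report looks alike."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    register = build_register(SAMPLE_FINDINGS, ASSESSED_ON)
    print(to_csv(register))
    print("Not covered by this scan:", unscanned_assets(SAMPLE_FINDINGS, INVENTORY))
```

On the sample data the critical, internet-facing flaw with a public exploit on the CUI web host lands at 25 (Critical, due in 15 days), the internal database flaw at 8 (High), the low-CVSS issue on the same exposed CUI host at 6 (Moderate) and the build server issue at 1 (Low); the file share never appears in the export and is reported as uncovered. The CSV column order never changes between runs, which is the point of the "inconsistent reporting" mistake listed later on this page.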
⏱️ Estimated Effort
10-15 hours per assessment, requiring intermediate IT and security knowledge.

📋 Evidence Examples

Risk Assessment Report

Format: PDF
Frequency: Quarterly
Contents: Identified risks, severity ratings, mitigation plans
Collection: Export from risk assessment tool

Vulnerability Scan Results

Format: CSV
Frequency: Monthly
Contents: List of vulnerabilities, severity scores
Collection: Export from scanning tool

Remediation Plan

Format: Word
Frequency: As needed
Contents: Action items, responsible parties, timelines
Collection: Manual creation

Audit Logs

Format: Log file
Frequency: Daily
Contents: System access and configuration changes
Collection: Export from logging tool

Training Records

Format: Excel
Frequency: Annually
Contents: Employee names, training dates, topics
Collection: Export from HR system

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For RA.L2-3.11.1 ("Periodically assess the risk to organizational operations, assets, and individuals"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe your risk assessment program, including methodology, frequency, vulnerability scanning tools and schedule, insider threat monitoring, and how risk decisions are documented. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"RA.L2-3.11.1 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature, e.g., Amazon Inspector or Microsoft Defender for Cloud] to periodically assess the risk to organizational operations, assets, and individuals. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'quarterly risk assessment report, Amazon Inspector findings export, risk register']."

On-Premise

"RA.L2-3.11.1 is implemented through on-premise infrastructure controls. [Organization] uses [Nessus/Qualys/specific tool] to periodically assess the risk to organizational operations, assets, and individuals. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'monthly vulnerability scan report, risk register, remediation plan']."

Hybrid

"RA.L2-3.11.1 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Define the risk assessment scope (CUI systems and supporting infrastructure)
  • Document vulnerability scanning coverage
  • Specify risk register maintenance process
  • Ensure this control covers all systems within your defined CUI boundary where this practice applies
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Risk Assessment Policy
  • 📄 Risk assessment report
  • 📄 Risk register
  • 📄 Vulnerability scan reports
  • 📄 Evidence artifacts specific to RA.L2-3.11.1
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will review your risk assessment methodology, verify vulnerability scanning frequency and coverage, check that identified risks are tracked in a risk register, and confirm executive risk acceptance decisions are documented.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do you have a documented risk assessment policy?

✅ YES → Proceed to Q2
❌ NO → GAP: Create a policy using NIST SP 800-30 guidelines. Timeline: 2 weeks

Question 2: Are vulnerability scans performed at least monthly?

✅ YES → Proceed to Q3
❌ NO → GAP: Schedule scans using tools like Nessus or Qualys. Timeline: 1 week

Question 3: Are risks categorized by severity and impact?

✅ YES → Proceed to Q4
❌ NO → GAP: Use a risk matrix to classify risks. Timeline: 1 week

Question 4: Is there a remediation plan for identified risks?

✅ YES → Proceed to Q5
❌ NO → GAP: Develop a plan with clear timelines. Timeline: 2 weeks

Question 5: Are risk assessment findings reviewed and updated quarterly?

✅ YES → Compliant
❌ NO → GAP: Schedule quarterly reviews. Timeline: Ongoing

⚠️ Common Mistakes (What Auditors Flag)

1. Not scanning all systems

Why this happens: Overlooking non-critical systems
How to avoid: Include all assets in the scanning scope

2. Outdated risk assessments

Why this happens: Lack of periodic reviews
How to avoid: Set calendar reminders for quarterly assessments

3. No remediation plan

Why this happens: Focusing only on identification
How to avoid: Document actionable steps for each risk

4. Inconsistent reporting

Why this happens: Using different formats each time
How to avoid: Standardize report templates

5. Ignoring insider threats

Why this happens: Focusing only on external risks
How to avoid: Include insider threat scenarios (privileged misuse, departing employees, unmonitored access to CUI) in the assessment and back them with internal audits

📚 Parent Policy

This practice is governed by the Risk Assessment Policy

View RA Policy →

📚 Related Controls