RA.L2-3.11.1 — Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
What this control requires
Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
Source: CMMC L2 v2.13 RA.L2-3.11.1 / NIST SP 800-171 R2 3.11.1 (official control text).
Why this matters
Risk assessments identify where CUI faces real-world threats — from ransomware to insider mistakes to vendor compromise. Without periodic reassessment, the organization operates blind to evolving attack surfaces, new vulnerabilities in aging systems, and changes in who touches sensitive data. This control forces leadership to quantify what could go wrong, how likely it is, and what the damage would be. Regular risk assessments prevent catastrophic surprises by treating security as a living discipline rather than a one-time checklist. They protect mission continuity, reputation, and contractual standing by ensuring controls match actual exposure.
What evidence assessors expect
Assessors typically look for artifacts such as a PDF document, a CSV export, or a signed letter. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
See your live posture on RA.L2-3.11.1.
FORCE shows where you stand on this control and walks you through closing it.