
RA.L2-3.11.3 Remediate vulnerabilities in accordance with risk assessments.

What this control requires

Remediate vulnerabilities in accordance with risk assessments.

Source: CMMC L2 v2.13 RA.L2-3.11.3 / NIST SP 800-171 R2 3.11.3 (official control text).

Why this matters

Identifying vulnerabilities is only half the job; remediating them in risk order is what keeps attackers from exploiting known weaknesses. This control means your organization does not treat every vulnerability the same: a critical flaw on an internet-facing system gets immediate attention, while a low-risk issue in an isolated environment follows a documented, measured timeline. Without risk-based remediation, teams either patch everything frantically and waste effort, or fix trivial findings while severe ones sit open. Prioritizing by the likelihood and impact your risk assessment assigns closes the gaps that matter most to your threat landscape first.
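The prioritization described above can be made mechanical. The following script is an added example, not part of this page and not FORCE's code: it reads a hypothetical CSV scan export (columns finding_id, host, cvss, exposure, first_seen, remediated), assigns each finding a risk tier from its CVSS score adjusted by exposure, derives a due date from an assumed per-tier timeline, and reports which findings are open, overdue, or closed on time. The timelines in SLA_DAYS and the sample rows are illustrative assumptions; an organization's own risk assessment sets the real ones.

```python
"""Risk-based remediation triage over a vulnerability scan export.

Added example, not FORCE's code and not part of the control text. It assumes a
hypothetical CSV export with the columns finding_id, host, cvss, exposure,
first_seen and remediated (ISO dates, remediated blank while open). The
timelines in SLA_DAYS are illustrative assumptions: the organization's own
risk assessment sets the real ones.
"""
import csv
import io
from datetime import date, timedelta

# Assumed remediation windows in days per risk tier (illustrative, not from the control).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
TIERS = ["low", "medium", "high", "critical"]

# Constructed sample export; the hosts and finding IDs are invented for the example.
SAMPLE_CSV = """finding_id,host,cvss,exposure,first_seen,remediated
F-001,web01,9.8,internet,2024-05-01,2024-05-05
F-002,db01,7.5,isolated,2024-04-01,
F-003,vpn01,5.3,internet,2024-07-01,
F-004,lab01,3.1,isolated,2024-01-10,2024-07-01
"""
SAMPLE_TODAY = date(2024, 7, 15)


def risk_tier(cvss: float, exposure: str) -> str:
    """Map CVSS severity to a tier, then shift it by exposure so that the
    same score on an internet-facing host ranks one tier higher than on an
    isolated one. Exposure values: "internet", "internal", "isolated"."""
    if cvss >= 9.0:
        tier = 3
    elif cvss >= 7.0:
        tier = 2
    elif cvss >= 4.0:
        tier = 1
    else:
        tier = 0
    if exposure == "internet":
        tier = min(tier + 1, 3)
    elif exposure == "isolated":
        tier = max(tier - 1, 0)
    return TIERS[tier]


def triage(csv_text: str, today: date) -> list[dict]:
    """Assign each finding a tier and due date, and classify its status as
    open, overdue, closed_on_time or closed_late. Rows come back ordered by
    tier (most severe first) then by due date, which is the order a
    remediation queue should be worked."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        tier = risk_tier(float(r["cvss"]), r["exposure"].strip().lower())
        first_seen = date.fromisoformat(r["first_seen"])
        due = first_seen + timedelta(days=SLA_DAYS[tier])
        closed_raw = r["remediated"].strip()
        if closed_raw:
            closed = date.fromisoformat(closed_raw)
            status = "closed_on_time" if closed <= due else "closed_late"
        else:
            status = "overdue" if today > due else "open"
        rows.append({
            "finding_id": r["finding_id"],
            "host": r["host"],
            "tier": tier,
            "due": due.isoformat(),
            "status": status,
        })
    rows.sort(key=lambda x: (-TIERS.index(x["tier"]), x["due"]))
    return rows


def sla_report(rows: list[dict]) -> dict:
    """Counts per status plus the list of overdue finding IDs: the numbers an
    assessor would compare against the documented timelines."""
    counts = {}
    for r in rows:
        counts[r["status"]] = counts.get(r["status"], 0) + 1
    overdue = [r["finding_id"] for r in rows if r["status"] == "overdue"]
    return {"counts": counts, "overdue": overdue}


if __name__ == "__main__":
    triaged = triage(SAMPLE_CSV, SAMPLE_TODAY)
    for row in triaged:
        print(row)
    print(sla_report(triaged))
```

Run against the constructed sample, the 7.5 CVSS finding on the isolated database host drops to the medium tier yet is still the only overdue item, while the 5.3 finding on the internet-facing VPN is promoted to high and remains within its window. That is the behaviour the control asks for: the timeline follows the assessed risk, not the raw scanner score.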

What evidence assessors expect

Assessors typically look for artifacts in these forms: PDF, screenshot, CSV export, signed letter. For this control the artifacts should show both halves of the requirement: that vulnerabilities are identified (for example a scan export) and that each one was remediated within the timeline its risk rating calls for (for example tickets or a remediation log tied to the risk assessment). FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls

See your live posture on RA.L2-3.11.3.

FORCE shows where you stand on this control and walks you through closing it.

Start a free trial tenant →