03.11.01 — (a) Assess the risk (including supply chain risk) of unauthorized disclosure resulting from the processing, storage, or transmission of CUI. (b) Update risk assessments {{ insert: param, A.03.11.01.ODP.01 }}.
What this control requires
(a) Assess the risk (including supply chain risk) of unauthorized disclosure resulting from the processing, storage, or transmission of CUI. (b) Update risk assessments {{ insert: param, A.03.11.01.ODP.01 }}.
Source: NIST SP 800-171 R3 §03.11.01 (official control text).
Why this matters
Risk assessment is the foundation of every security decision your organization makes about CUI. Without systematic risk assessment, you're flying blind — unable to prioritize investments, justify controls, or explain to auditors why you configured systems the way you did. This control requires both an initial assessment when CUI enters your environment and periodic updates as threats evolve, vendors change, or business processes shift. Supply chain risk is explicitly included because breaches increasingly occur through trusted third parties who touch your data. A mature risk assessment program transforms compliance from checkbox theater into strategic protection of what matters most to your mission.
What evidence assessors expect
Assessors typically look for artifacts such as a PDF, a CSV export, or a signed letter. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
See your live posture on 03.11.01.
FORCE shows where you stand on this control and walks you through closing it.