CMMC Practice Requirement:

Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of “Controlled Unclassified Information” (CUI).

CMMC Requirement Explanation:

By assessing risks to your organization you can come up with plans to mitigate risk thus protecting your business operations.

Example CMMC Implementation:

Conduct a risk assessment to identify risks to your company's business operations. This includes reviewing how common threats such as natural disasters and cyber attacks can impact your business operations and your “Controlled Unclassified Information” (CUI). Document your findings in a risk assessment report. Periodically perform risks assessments, perhaps annually.


- Scenario 1:

You decide to conduct a risk assessment to determine whether or not you should store “Controlled Unclassified Information” (CUI) on your local file server or with a cloud service provider. You list out common threats such as natural disasters, power outages, and malware infections and decide which solution has the least risk. Storing it locally on your file server or in the cloud.

Discover Our NIST SP 800-171 Solutions:


Compliance Accelerator

For contractors seeking compliance

Quantum Assessor

For IT service providers

Supply Chain Verifier

For contractors seeking to verify partner compliance