CMMC Practice Requirement:

Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources, and risk measurement criteria.

CMMC Requirement Explanation:

Periodic risk assessments help identify risks to your company's systems and business processes. Risk assessments cover people, technology, information, and facilities. Risk assessments can be qualitative or quantitative; qualitative assessments are generally easier to conduct.

Example CMMC Implementation:

Assemble a team of IT personnel and business personnel to perform an organizational risk assessment. Create a list of threat sources (e.g., cyber attack) and threat events (e.g., a denial of service against your web server). List your existing vulnerabilities associated with each threat event (e.g., a lack of inbound traffic filtering rules). Calculate the likelihood of the threat event occurring. Calculate the impact the threat event would have if it occurred. Calculate the risk the threat event poses to your company. Determine the actions you can take to mitigate the identified risks. Document the above in a risk assessment report. Have a policy that defines how often your company conducts risk assessments.


- Scenario 1:


Under your company's risk assessment policy you conduct an annual qualitative risk assessment. The assessment determines risks to your company's business processes and the systems supporting them. You consolidate the findings in a report that is given to executive management who allocate resources to reducing the identified risks.
An example of a risk model used to conduct a risk assessment.
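The procedure in the example implementation above, as an added example that is not part of the CMMC text: a small qualitative risk model in Python that scores each threat event as likelihood multiplied by impact on assumed 1-5 ordinal scales, assigns a rating, and prioritizes the register. The scales, rating thresholds and register entries are constructed assumptions, not values prescribed by CMMC.

```python
"""Qualitative risk model: risk = likelihood x impact, prioritized for the report."""
from dataclasses import dataclass

# Risk measurement criteria (assumed 1-5 ordinal scales; an assumption for this example).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class RiskItem:
    category: str       # defined risk category, e.g. "availability"
    source: str         # threat source, e.g. "cyber attack"
    event: str          # threat event enabled by the vulnerability
    vulnerability: str  # existing weakness that makes the event possible
    likelihood: str     # key into LIKELIHOOD
    impact: str         # key into IMPACT
    mitigation: str     # action that reduces likelihood or impact

    def score(self) -> int:
        """Risk score on the measurement criteria; rejects values outside the scales."""
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"unknown likelihood/impact for {self.event!r}")
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def rating(score: int) -> str:
    """Map a 1-25 score to a rating band (assumed thresholds)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritize(items: list[RiskItem]) -> list[RiskItem]:
    """Highest risk first, so the report leads with what needs resources."""
    return sorted(items, key=lambda r: r.score(), reverse=True)


def report(items: list[RiskItem]) -> str:
    """One line per risk: rating, score, category, event, cause and mitigation."""
    return "\n".join(
        f"{rating(r.score()):6} {r.score():2} {r.category}: {r.event} "
        f"(via {r.vulnerability}) -> {r.mitigation}"
        for r in prioritize(items))


# Constructed register entries; the first reuses the page's own example event.
REGISTER = [
    RiskItem("availability", "cyber attack", "denial of service against web server",
             "lack of inbound traffic filtering rules", "likely", "major", "add filtering rules"),
    RiskItem("confidentiality", "cyber attack", "credential theft via phishing",
             "no phishing-resistant MFA", "possible", "moderate", "deploy MFA and awareness training"),
    RiskItem("availability", "natural hazard", "fire destroys server room",
             "no off-site backups", "rare", "severe", "implement off-site backups"),
]
```

Note that the high-impact fire scenario ranks lowest because its likelihood is low; prioritization follows the combined score, not impact alone.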
