Risk Assessment
Risk Assessment is about knowing your own weaknesses before an adversary does: scanning for vulnerabilities and judging the risk they pose. It turns security from guesswork into a managed program.
The 3 Risk Assessment requirements
9 assessment objectives across this family.
- 3.11.1 Risk Assessments: Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. (3 pt, ✕ POA&M)
- 3.11.2 Vulnerability Scan: Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. (5 pt, ✕ POA&M)
- 3.11.3 Vulnerability Remediation: Remediate vulnerabilities in accordance with risk assessments. (1 pt)
Build Risk Assessment, and all 14 families, with an officer
The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.
No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.
Questions, answered
How many CMMC Level 2 requirements are in Risk Assessment?
The Risk Assessment family (RA) has 3 of the 110 CMMC Level 2 requirements, assessed against 9 objectives from NIST SP 800-171A.
What is the Risk Assessment family about?
Risk Assessment is about knowing your own weaknesses before an adversary does: scanning for vulnerabilities and judging the risk they pose. It turns security from guesswork into a managed program.