RA — Risk Assessment

new org

SPRS Score: -1203

Objective Progress: 0 / 9 (0.0%)
CMMC Practices MET: 0 / 3
Domain Score Impact: -9

CMMC scoring changes when all assessment objectives for a practice are MET; objective progress updates as each objective is assessed.

RA.L2-3.11.1 (DoD Weight: 3; Deduction: -3; Basic)
Status: Not Yet Assessed
Requirement: Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.11.1[a] = Not Yet Assessed; 3.11.1[b] = Not Yet Assessed

Assessment Objectives (2)

  • 3.11.1[a]
    Determine if: the frequency to assess risk to organizational operations, organizational assets, and individuals is defined.
    Not Yet Assessed
  • 3.11.1[b]
    Determine if: risk to organizational operations, organizational assets, and individuals resulting from the operation of an organizational system that processes, stores, or transmits CUI is assessed with the defined frequency.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Risk assessment policy; security planning policy and procedures; procedures addressing organizational risk assessments; security plan; risk assessment; risk assessment results; risk assessment reviews; risk assessment updates; other relevant documents or records].
Interview: [SELECT FROM: Personnel with risk assessment responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for risk assessment; mechanisms supporting or for conducting, documenting, reviewing, disseminating, and updating the risk assessment].
RA.L2-3.11.2 (DoD Weight: 5; Deduction: -5; Basic)
Status: Not Yet Assessed
Requirement: Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.11.2[a] = Not Yet Assessed; 3.11.2[b] = Not Yet Assessed; 3.11.2[c] = Not Yet Assessed; 3.11.2[d] = Not Yet Assessed; 3.11.2[e] = Not Yet Assessed

Assessment Objectives (5)

  • 3.11.2[a]
    Determine if: the frequency to scan for vulnerabilities in an organizational system and its applications that process, store, or transmit CUI is defined.
    Not Yet Assessed
  • 3.11.2[b]
    Determine if: vulnerability scans are performed in an organizational system that processes, stores, or transmits CUI with the defined frequency.
    Not Yet Assessed
  • 3.11.2[c]
    Determine if: vulnerability scans are performed in an application that contains CUI with the defined frequency.
    Not Yet Assessed
  • 3.11.2[d]
    Determine if: vulnerability scans are performed in an organizational system that processes, stores, or transmits CUI when new vulnerabilities are identified.
    Not Yet Assessed
  • 3.11.2[e]
    Determine if: vulnerability scans are performed in an application that contains CUI when new vulnerabilities are identified.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; risk assessment; security plan; security assessment report; vulnerability scanning tools and associated configuration documentation; vulnerability scanning results; patch and vulnerability management records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with risk assessment, security assessment and vulnerability scanning responsibilities; personnel with vulnerability scan analysis and remediation responsibilities; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational processes for vulnerability scanning, analysis, remediation, and information sharing; mechanisms supporting or implementing vulnerability scanning, analysis, remediation, and information sharing].
RA.L2-3.11.3 (DoD Weight: 1; Deduction: -1; Basic)
Status: Not Yet Assessed
Requirement: Remediate vulnerabilities in accordance with risk assessments.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.11.3[a] = Not Yet Assessed; 3.11.3[b] = Not Yet Assessed

Assessment Objectives (2)

  • 3.11.3[a]
    Determine if: vulnerabilities are identified.
    Not Yet Assessed
  • 3.11.3[b]
    Determine if: vulnerabilities are remediated in accordance with risk assessments.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; risk assessment; security plan; security assessment report; vulnerability scanning tools and associated configuration documentation; vulnerability scanning results; patch and vulnerability management records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with risk assessment, security assessment and vulnerability scanning responsibilities; personnel with vulnerability scan analysis responsibilities; personnel with vulnerability remediation responsibilities; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational processes for vulnerability scanning, analysis, remediation, and information sharing; mechanisms supporting or implementing vulnerability scanning, analysis, remediation, and information sharing].