Back to Control Explorer



Control Acronym



Risk Management

CMMC Level


800-171 Control #


CMMC Description

Remediate vulnerabilities in accordance with risk assessments.

CMMC Clarification

Review the prioritized list of vulnerabilities generated from the vulnerability scanner. Not all vulnerabilities may affect an organization the same. Review the risks of not remediating the discovered vulnerabilities. The organization should build upon the prioritized list and develop a prioritized mitigation plan for closing the vulnerabilities identified and track their completion. Example You are in charge of IT at your organization. Part of your job is to look for weaknesses in your software that may provide ways for hackers to get into your network and do harm. You perform vulnerability scans to try and find these weaknesses. The output of a scan is a list of the potential weaknesses, also called vulnerabilities. You should review the vulnerabilities and determine how they will affect your organization. You should create a prioritized list of the vulnerabilities you should fix, fix them, and record a completion date and time by each item. If you decide not to fix them, you should document the reasoning, and you should continue to monitor these vulnerabilities.

800-171 Description

Remediate vulnerabilities in accordance with risk assessments.

800-171 Discussion

Vulnerabilities discovered, for example, via the scanning conducted in response to 3.11.2, are remediated with consideration of the related assessment of risk. The consideration of risk influences the prioritization of remediation efforts and the level of effort to be expended in the remediation for specific vulnerabilities.

Other Source Discussion


CIS Control References

CIS Controls v7.1 3.7

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 RA-5

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.11.3

Applicable FAR Clause

NIST CSF Control Reference


CERT RMM Reference


Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

RM.2.143.[a] vulnerabilities are identified; and

Assessment Sub-Criteria 2

RM.2.143.[b] vulnerabilities are remediated in accordance with risk assessments.

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15