Back to Control Explorer



Control Acronym



Risk Management

CMMC Level


800-171 Control #


CMMC Description

Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources, and risk measurement criteria.

CMMC Clarification

This level 3 practice extends the related level 2 practice (RM.2.141) by requiring that defined risk categories, identified sources of risk, and specific risk measurement criteria be included in the risk assessment. Risk assessments are performed periodically to identify potential risks to the organization, or after an incident to mitigate recurrence of that risk. A risk assessment identifies risks to an organization's functions and the supporting assets: people, technology, information, and facilities. Threat information, vulnerabilities, likelihoods, and impacts are used to identify risk. Evaluate and prioritize the identified risks based on the defined risk criteria: risk sources, risk categories, and risk measurement criteria. It is important to note that risk assessments differ from vulnerability scanning. A vulnerability scan focuses primarily on technical vulnerabilities in a system, and provides input to a risk assessment. A risk assessment may not be a strictly technical assessment. It includes such qualitative data as results from likelihood analysis and potential threat descriptions. Refer to RM.2.142 for vulnerability scanning. Example The CIO has asked you to perform a risk assessment for the organization’s IT assets. You assemble the leads from each major area across the IT organization. One of the first tasks the team performs is to define risk in terms of severity and impact to the organization. The team identifies organizational functions and the IT assets required to support them. This information is confirmed by executive input. You then lead the team through an exercise that defines the threats (e.g., APT, hacker, criminal) and attacker tools, techniques, and procedures (e.g., ransomware, defaced website) that the organization may face. The team uses publicly available information and previous internal IT assessments to create the organization’s threat list. The threats and an analysis of susceptibility are analyzed to determine the likelihood of occurring. The team ranks the impacts and prepares a report for the CIO. As a result of the report the CIO directs you to improve the security for the public facing web servers hosting a sponsor-used application. Additional tasks to mitigate risks are added to a prioritized action list to be worked by the IT organization.

800-171 Description

800-171 Discussion


Other Source Discussion

NIST CSF V1.1 The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

CIS Control References

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 RA-3

CMMC Derived

NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference


CERT RMM Reference


Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

RM.3.144.[a] the organization maintains a process for performing risk assessments;

Assessment Sub-Criteria 2

RM.3.144.[b] the organization documents and maintains defined risk categories, risk sources, and risk measurement criteria;

Assessment Sub-Criteria 3

RM.3.144.[c] the organization prioritizes risk; and

Assessment Sub-Criteria 4

RM.3.144.[d] the organization performs risk assessment at a frequency defined by the organization.

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15