The Risk Assessment (RA) domain focuses on finding the weak spots before a bad actor does. It is the process of looking at your systems to decide what could go wrong and how much it would hurt if it did. The RA family requires you to check your defenses and stay updated on new types of cyber attacks.
You must identify the threats to your organization. This includes looking at internal risks and external risks. You then decide which risks are the most likely to happen and which would cause the most damage. You must use tools to scan your network and computers for known security holes. These scans act like a "health check" for your technology. Finding a problem is only half the battle. You must also have a plan to fix the holes you find.
Risk Assessment is the "brain" of your security program. It tells you where you are weak, what is coming for you, and what you need to do to stay safe.
Domain-level policies address the controls implemented within systems and organizations. Policies are the natural place to define control parameters, such as frequencies. Procedures describe the implementation of policies or controls. Organizations may document procedures within the system security plan or within separate documents.
Here are some of the principles that guided this risk assessment policy:
A cover page tracks specific details regarding the policy, including:
NIST SP 800-53 defines specific objectives for domain-level policies. From this guidance we incorporate the following major sections into our policy:
The purpose statement should identify why the policy exists and what it aims to achieve.
The scope should identify who it applies to and under what circumstances.
The policy governance section covers most of the organization-defined parameters. These subsections cover the following details:
The fourth section includes our policy statements. Subsection headings group related policy statements together. Each policy statement has a unique number for traceability to other documents. A policy statement number consists of the section, subsection, and policy statement order.
The fifth section identifies the relevant roles and responsibilities identified in the policy. A single, short paragraph describes the responsibilities for each role. The sixth section identifies the supporting procedures. We opted to align our subsection headings with the names of supporting procedures. The seventh section identifies related documents, including relevant policies. The eighth section documents a revision history. This table captures policy changes, including version, effective date, approver(s), and change summaries. The ninth section captures a formal authorization of the policy by the policy owner.
NIST identified a named set of procedures for each practice within NIST SP 800-171. The assessment guide (SP 800-171A) contains the original mappings. The CMMC assessment guides include this mapping as well. The potential assessment methods and objects section contains a subsection called examine. Within each practice, NIST identified relevant policies, procedures, and other artifacts. We used the relevant procedures to organize the section headings within each policy.

A cybersecurity risk management program will conduct a formal Risk Assessment to evaluate threats and vulnerabilities impacting organizational operations, assets, and individuals processing CUI. This assessment shall identify, implement, and track appropriate remediation plans and be conducted annually or whenever significant changes are made to the system.
All identified risks shall be documented and tracked within a formal Risk Register. The risk register shall define the potential impact, the likelihood of the event occurring, the current security controls in place, and the owner responsible for managing the risk. It acts as a central log that helps the organization decide whether to accept, avoid, or reduce each risk based on its severity.
CMMC Objectives Covered in This Section:
A comprehensive Supply Chain Risk Management (SCRM) assessment must be conducted for any third party that performs security services, accesses confidential data, or poses a critical dependency. These assessments and all resulting decisions shall be documented in the Vendor Risk database. Assessments shall be performed prior to onboarding and re-evaluated at least annually, upon contract renewal, or following significant changes in vendor structure.
The assessment must evaluate the risk of the vendor supplying malicious products, performing malicious activities, or having a lack of services/redundancy that would harm organizational systems. The evaluation will analyze foreign influence, reputation, staff screening, and the flow-down provisions of federal regulations.
Only external systems that have been verified through this assessment process are authorized for connection. These connections shall be limited to the minimum necessary access required and controlled via secure, encrypted communication protocols.
If a product vendor is determined to be high-risk, they shall not be used without a formal exception, which shall be tracked in the Vendor Risk database.
Small, non-repeating orders of Commercial Off-The-Shelf (COTS) products may skip the processes outlined in this policy, provided the seller is performing distribution from the United States and the purchase is made in an individual’s name. COTS products purchased under this exception that will directly process, store, or transmit CUI must still undergo standard internal configuration and security hardening before use, and must be verified against the list of prohibited telecommunications and video surveillance equipment (e.g., NDAA Section 889) prior to deployment. If a COTS product provides cryptographic functions for CUI, it must be verified as FIPS-validated prior to deployment.
CMMC Objectives Covered in This Section:
For security and inventory management purposes, all hardware and software components capable of processing, storing, or transmitting Controlled Unclassified Information (CUI) are identified and tracked within the master inventory.
While a financial distinction exists between Capital Assets (>$5,000) and Non-Capital Assets, the security inventory is inclusive of all "CUI-relevant" components regardless of cost, including but not limited to: mobile devices, network appliances, virtual machines, and specialized software.
CMMC Objectives Covered in This Section:
Comprehensive vulnerability scanning shall be performed on all organizational systems and applications at least every sixty (60) days. Vulnerability scanners must be updated with the latest signatures immediately prior to each scan. These activities must encompass every device within the policy scope and utilize configurations that perform non-disruptive checks of network ports, protocols, and operating systems.
When new vulnerabilities are identified via government-issued advisories or external alerts, an out-of-schedule (ad hoc) vulnerability scan shall be performed immediately against affected systems. In cases where an individual device cannot be scanned (e.g., traveling end-user devices), a representative system with the same baseline configuration shall be scanned to assess potential risk.
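As an added illustration (not part of the original policy or of K2 GRC's product), the following Python check applies the scanning parameters above to a constructed asset inventory: the 60-day cadence, signature freshness before each scan, and the representative-system fallback for devices that cannot be scanned directly. The one-day signature window and all hostnames are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# 60-day cadence is the policy's parameter; the 1-day signature window is an assumption.
SCAN_INTERVAL = timedelta(days=60)
SIGNATURE_WINDOW = timedelta(days=1)

@dataclass
class Asset:
    host: str
    baseline: str    # configuration baseline group
    scannable: bool  # False for e.g. traveling end-user devices

@dataclass
class Scan:
    host: str
    scanned_on: date
    signatures_updated: date  # when the scanner's signatures were refreshed

def latest_valid_scan(scans, host, as_of):
    """Newest scan of `host` on or before `as_of` whose signatures were fresh."""
    valid = [s for s in scans if s.host == host and s.scanned_on <= as_of
             and timedelta(0) <= s.scanned_on - s.signatures_updated <= SIGNATURE_WINDOW]
    return max(valid, key=lambda s: s.scanned_on, default=None)

def check_coverage(assets, scans, as_of):
    """Map each non-compliant host to a finding string."""
    findings = {}
    for a in assets:
        # An unscannable device is covered by a scannable system sharing its baseline.
        hosts = [a.host] if a.scannable else [
            b.host for b in assets if b.scannable and b.baseline == a.baseline]
        found = [latest_valid_scan(scans, h, as_of) for h in hosts]
        best = max((s for s in found if s), key=lambda s: s.scanned_on, default=None)
        if best is None:
            findings[a.host] = "no valid scan (none run, or signatures stale)"
        elif as_of - best.scanned_on > SCAN_INTERVAL:
            findings[a.host] = f"last valid scan {(as_of - best.scanned_on).days} days ago"
    return findings

# Constructed sample inventory and scan log (not real hosts).
ASSETS = [Asset("srv-01", "linux-std", True), Asset("srv-02", "linux-std", True),
          Asset("lap-07", "win-laptop", False), Asset("lap-08", "win-laptop", True),
          Asset("nas-03", "storage", True)]
SCANS = [Scan("srv-01", date(2024, 5, 1), date(2024, 5, 1)),
         Scan("srv-02", date(2024, 2, 1), date(2024, 2, 1)),    # fresh signatures, but old
         Scan("srv-02", date(2024, 5, 10), date(2024, 3, 1)),   # signatures not refreshed
         Scan("lap-08", date(2024, 4, 20), date(2024, 4, 19))]  # also covers lap-07
AS_OF = date(2024, 6, 1)
```

Running `check_coverage(ASSETS, SCANS, AS_OF)` flags srv-02 (its only scan with fresh signatures is 121 days old) and nas-03 (never scanned), while lap-07 passes on the strength of lap-08's scan.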
CMMC Objectives Covered in This Section:
FedRAMP guidance on how to write a control implementation statement states the following:
Write your policies before you start drafting your security plan. K2 GRC shows you exactly how each part of your policy connects to your security goals. This starts with selecting an objective to document.

After selecting a criterion, K2 GRC shows policy statements relevant to that criterion. The input screen shows the specific policy name and the statement's number. This enables users to cite relevant policy sections within the control narratives. The system aggregates these control narratives to populate the system security plan (SSP).

You carry a heavy weight on your shoulders every day. The fear of a hidden vulnerability or an unknown threat can keep any leader up at night. You want to protect your team and your hard work, but the digital world feels like a minefield. It is exhausting to worry about what you might have missed or which vendor might let you down.
You deserve to feel in control of your company’s future rather than waiting for the next crisis to hit. A strong Risk Assessment policy turns that fear into a clear plan of action. It gives you the power to see through the fog and focus on what matters most. Do not let the complexity of CMMC stop you from securing your business today. Our pre-written Risk Assessment Policy template removes the stress of starting from scratch. It maps requirements for you so you can stop second-guessing your compliance.