RA.L2-3.11.1[a]: Identify the Risks That Could Impact Your CUI

Mapped to NIST 800-171 Requirement: 3.11.1
CMMC Assessment Objective: RA.L2-3.11.1[a]

What This Control Means
You must assess and document the security risks that could affect the confidentiality, integrity, or availability of CUI in your environment.
These risks could involve:
• Technical threats (e.g., malware, system vulnerabilities)
• Physical threats (e.g., theft, fire, water damage)
• Human threats (e.g., insider threats, social engineering)
• Process gaps (e.g., missing backups, inadequate training)

Why It Matters
If you don’t know your risks, you can’t mitigate them.
Without this control:
• CUI could be exposed to threats that were never considered
• You may lack justification for key safeguards
• Your environment may be out of alignment with CMMC’s risk-based approach
• Assessors will flag your risk management plan as incomplete

How to Implement It
1. Define Your CUI Scope
• Identify systems, storage locations, and communication paths that handle CUI
• Include both internal systems and third-party/cloud environments
2. Perform a Risk Assessment
• Identify:
◦ Likely threats
◦ Vulnerabilities in your current systems or processes
◦ Potential impacts to CUI if exploited
3. Use a Recognized Framework
• Follow NIST SP 800-30 or use a similar qualitative risk model
• Include likelihood and impact scoring to prioritize risks
4. Consider Multiple Risk Types
• Insider misuse
• Phishing and malware
• Misconfigured systems
• Supply chain/vendor-related risk
• Unencrypted transmissions or outdated software
5. Document Findings
• Include a risk register or matrix
• List identified risks with notes on where CUI is impacted
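The five steps above, carried through as an added Python example (not part of this page or of Cuick Trac's tooling): it records threat/vulnerability pairs against the CUI assets they affect, applies likelihood-and-impact scoring on the five-level qualitative scale used by NIST SP 800-30, sorts the register for prioritization, and flags risks that are not mapped to any CUI asset. The numeric scoring scheme, its bands, and the sample risks are assumptions constructed for illustration, not the standard's own risk table.

```python
# CUI risk register; added example, scoring scheme and bands are assumptions, not NIST's table.
from dataclasses import dataclass, field

# Five-point qualitative scale NIST SP 800-30 uses for likelihood and impact
LEVELS = ["very low", "low", "moderate", "high", "very high"]

@dataclass
class Risk:
    threat: str          # e.g. phishing, insider misuse, water damage
    vulnerability: str   # weakness the threat would exploit
    likelihood: str      # one of LEVELS
    impact: str          # one of LEVELS; impact to CUI if exploited
    cui_assets: list = field(default_factory=list)  # CUI systems/locations affected

def level_index(level: str) -> int:
    # Map a qualitative level to 0..4; reject values outside the scale
    try:
        return LEVELS.index(level.strip().lower())
    except ValueError:
        raise ValueError(f"unknown level {level!r}; expected one of {LEVELS}")

def risk_score(likelihood: str, impact: str) -> int:
    return (level_index(likelihood) + 1) * (level_index(impact) + 1)  # 1..25, assumed scheme

def risk_level(score: int) -> str:
    """Band a 1..25 score back onto the five levels (assumed thresholds)."""
    for threshold, label in ((20, "very high"), (12, "high"), (6, "moderate"), (3, "low")):
        if score >= threshold:
            return label
    return "very low"

def build_register(risks: list) -> list:
    """Register rows sorted highest score first, so the top rows are mitigated first."""
    rows = []
    for r in risks:
        score = risk_score(r.likelihood, r.impact)
        rows.append({"threat": r.threat, "vulnerability": r.vulnerability, "score": score,
                     "level": risk_level(score), "cui_assets": list(r.cui_assets)})
    return sorted(rows, key=lambda row: row["score"], reverse=True)

def cui_gaps(risks: list) -> list:
    """Risks mapped to no CUI asset: the 'general assessment' gap assessors flag."""
    return [r for r in risks if not r.cui_assets]

# Constructed sample data, not a real assessment
SAMPLE_RISKS = [
    Risk("phishing", "no MFA on mail accounts", "high", "high", ["CUI file share"]),
    Risk("ransomware", "no offline backups", "moderate", "very high", ["CUI file share"]),
    Risk("water damage", "server room below plumbing", "low", "moderate"),  # unmapped
]
```

Running `build_register(SAMPLE_RISKS)` yields the phishing risk first (score 16, high), then ransomware (15, high), then water damage (6, moderate), and `cui_gaps` returns only the water-damage entry because no CUI asset is tied to it.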

Evidence the Assessor Will Look For
• Risk assessment documentation identifying CUI-specific risks
• Risk register or matrix tied to CUI systems or workflows
• Notes or worksheets from internal/external risk assessments
• Mapping of threats and vulnerabilities to CUI assets

Common Gaps
• General risk assessments without CUI-specific focus
• No documentation of risk identification
• Overlooking physical, human, or cloud-related risks
• Failure to include backup, recovery, or remote access risks

How Cuick Trac Helps
Cuick Trac supports this requirement by:
• Providing tools to identify risks related to CUI storage, processing, and transmission
• Generating automated risk matrices for CUI systems
• Linking threats and vulnerabilities to specific assets and users
• Helping build a living risk register aligned with NIST 800-30
• Supporting audits and reviews with complete documentation and scoring
With Cuick Trac, your risks are known, tracked, and prioritized—starting with the data that matters most.

Final CTA
If you don’t identify the risks, you’ll never reduce them.
Schedule a Cuick Trac demo to identify your CUI-related risks and lay the foundation for strong compliance.
