Mapped to NIST 800-171 Requirement: 3.11.2
CMMC Assessment Objective: RA.L2-3.11.2[a]
What This Control Means
Once you’ve identified your risks (RA.L2-3.11.1[a–b]), you must assign a risk response strategy to each one. There are four main types of risk responses:
• Mitigate – Reduce the likelihood or impact
• Accept – Acknowledge and live with the risk
• Transfer – Shift the risk to another party (e.g., insurance, third-party vendor)
• Avoid – Eliminate the risk by not performing the risky activity
Each risk must have a documented response aligned with its severity and business impact.
Why It Matters
Knowing your risks isn’t enough—you have to decide what to do about them. Without defined responses:
• Risks may go unmanaged
• High-impact vulnerabilities may remain open
• Assessors will see your risk program as incomplete
• Your mitigation plans and POA&M cannot be justified
This control connects analysis to action.
How to Implement It
1. Review Your Risk Register
• For each identified risk, determine:
◦ Likelihood of occurrence
◦ Potential impact on CUI
◦ Risk score or priority
2. Choose an Appropriate Risk Response
• Based on the severity, assign:
◦ Mitigate for high-priority issues
◦ Accept if low risk or cost-prohibitive to fix
◦ Transfer when using a compliant third-party vendor
◦ Avoid if the risk is unnecessary to take on
3. Document the Response
• Add a “risk response” column in your risk register
• Include justifications and owners for each action
4. Link to Mitigation Plans
• If mitigating, create or update your Plan of Action and Milestones (POA&M)
• Assign responsibility and due dates
5. Review Periodically
• Update risk responses as systems, threats, or operations change
Evidence the Assessor Will Look For
• Risk register with response actions documented
• Risk acceptance forms or sign-offs
• POA&M entries for risks being mitigated
• Notes or decisions from risk response meetings
• Justifications for any accepted or transferred risks
Common Gaps
• Risks identified but no documented response strategy
• Only technical responses listed (no business or process options)
• No justification for accepting or transferring risks
• No link between risk response and mitigation tracking
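The implementation steps above and the common gaps just listed can be checked mechanically before an assessment. The following Python script is an added example, not code from this page or from Cuick Trac; it assumes a CSV risk register with the column names shown (likelihood, impact, score, response, justification, owner, poam_id, signoff), and the register rows are constructed sample data.

```python
import csv
import io

# Constructed sample risk register (not taken from the page). Columns mirror
# the fields the control calls for: likelihood/impact/score from 3.11.1,
# a response, its justification and owner, a POA&M reference for mitigated
# risks, and a sign-off for accepted risks.
SAMPLE_REGISTER = """\
id,risk,likelihood,impact,score,response,justification,owner,poam_id,signoff
R-1,Unpatched VPN appliance exposes CUI enclave,High,High,9,Mitigate,Patch within 30 days,IT Lead,POAM-12,
R-2,Legacy printer cannot enforce encryption,Low,Medium,3,Accept,Device not on CUI network; cost-prohibitive,CISO,,CISO (signed)
R-3,Backup media stored off-site,Medium,High,6,Transfer,Vendor is FedRAMP Moderate authorized,Ops Manager,,
R-4,Unmanaged USB drives used for CUI transfer,High,High,9,,,,,
R-5,Contractor laptops lack MFA,High,Medium,6,Mitigate,,,,
R-6,Shared admin account on file server,High,High,9,Accept,Too disruptive to change,IT Lead,,
"""

# The four response types named by the control.
VALID_RESPONSES = {"Mitigate", "Accept", "Transfer", "Avoid"}


def check_register(csv_text):
    """Return {risk_id: [gap, ...]} for every row an assessor would flag.

    Each gap corresponds to one of the common findings: no documented
    response, no justification, no owner, a mitigation with no POA&M link,
    or an acceptance with no sign-off.
    """
    gaps = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        problems = []
        response = row["response"].strip()
        if response not in VALID_RESPONSES:
            problems.append("no documented response strategy")
        if not row["justification"].strip():
            problems.append("no justification")
        if not row["owner"].strip():
            problems.append("no owner")
        if response == "Mitigate" and not row["poam_id"].strip():
            problems.append("mitigation not linked to a POA&M item")
        if response == "Accept" and not row["signoff"].strip():
            problems.append("acceptance without sign-off")
        if problems:
            gaps[row["id"]] = problems
    return gaps


if __name__ == "__main__":
    for risk_id, problems in check_register(SAMPLE_REGISTER).items():
        print(risk_id, "->", "; ".join(problems))
```

Run against a real register, the output is the list of entries to complete before evidence is handed to the assessor.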
How Cuick Trac Helps
Cuick Trac supports this requirement by:
• Providing a structured platform to assign response actions to each identified risk
• Logging mitigation, acceptance, transfer, or avoidance with owner and rationale
• Linking POA&M items to risk register entries
• Generating risk response reports for internal and auditor review
• Helping prioritize responses based on CUI impact and compliance scope
With Cuick Trac, your risk strategy is proactive, visible, and defensible.
Final CTA
Knowing the risk is only half the battle—responding is the other half.
Schedule a Cuick Trac demo to document your risk response decisions and close your compliance gaps.