3.11.1 Periodically assess the risk to organizational operations


3.11.1 ๐๐ž๐ซ๐ข๐จ๐๐ข๐œ๐š๐ฅ๐ฅ๐ฒ ๐š๐ฌ๐ฌ๐ž๐ฌ๐ฌ ๐ซ๐ข๐ฌ๐ค…
This is the fourth-most “Other than satisfied” #CMMC requirement.

Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.

Not hard to do, but often misunderstood.

Let’s break it down.

๐๐ž๐ซ๐ข๐จ๐๐ข๐œ๐š๐ฅ๐ฅ๐ฒ = at least once a year

๐š๐ฌ๐ฌ๐ž๐ฌ๐ฌ ๐ญ๐ก๐ž ๐ซ๐ข๐ฌ๐ค = the assessor expectation for assessing risk is higher than these three words describe. Refer to NIST Special Publication 800-30 and NIST SP 800-39.

The key components of assessing risk are:

- identify your critical assets and functions (such as your CUI)
- what threats exist for those assets?
- how would the threats attack those assets?
- what makes the asset vulnerable to the threat?
- if there was no mitigation in place to prevent the threat, what impact would occur?
- what are you doing to mitigate the threat now?
- how likely is the threat to occur (with current mitigations)?
- what impact (with current mitigations)?
- what is the resulting risk #?
- what do you propose to mitigate further (or risk accept)?
- if you did this proposed mitigation, what is the new likelihood?
- if you did this proposed mitigation, what is the new impact?
- new risk #

๐ญ๐ก๐ž ๐Ÿ๐ซ๐ž๐ช๐ฎ๐ž๐ง๐œ๐ฒ ๐ข๐ฌ ๐๐ž๐Ÿ๐ข๐ง๐ž๐ = write down how often you do risk assessments! (see ‘periodically’ above)

๐จ๐ซ๐ ๐š๐ง๐ข๐ณ๐š๐ญ๐ข๐จ๐ง๐š๐ฅ ๐จ๐ฉ๐ž๐ซ๐š๐ญ๐ข๐จ๐ง๐ฌ (๐ข๐ง๐œ๐ฅ๐ฎ๐๐ข๐ง๐  ๐ฆ๐ข๐ฌ๐ฌ๐ข๐จ๐ง, ๐Ÿ๐ฎ๐ง๐œ๐ญ๐ข๐จ๐ง๐ฌ, ๐ข๐ฆ๐š๐ ๐ž, ๐จ๐ซ ๐ซ๐ž๐ฉ๐ฎ๐ญ๐š๐ญ๐ข๐จ๐ง), ๐จ๐ซ๐ ๐š๐ง๐ข๐ณ๐š๐ญ๐ข๐จ๐ง๐š๐ฅ ๐š๐ฌ๐ฌ๐ž๐ญ๐ฌ, ๐š๐ง๐ ๐ข๐ง๐๐ข๐ฏ๐ข๐๐ฎ๐š๐ฅ๐ฌ = NIST is kind enough to give you a list of assets to consider.

๐ซ๐ž๐ฌ๐ฎ๐ฅ๐ญ๐ข๐ง๐  ๐Ÿ๐ซ๐จ๐ฆ ๐ญ๐ก๐ž ๐จ๐ฉ๐ž๐ซ๐š๐ญ๐ข๐จ๐ง ๐จ๐Ÿ ๐š๐ง ๐จ๐ซ๐ ๐š๐ง๐ข๐ณ๐š๐ญ๐ข๐จ๐ง๐š๐ฅ ๐ฌ๐ฒ๐ฌ๐ญ๐ž๐ฆ ๐ญ๐ก๐š๐ญ ๐ฉ๐ซ๐จ๐œ๐ž๐ฌ๐ฌ๐ž๐ฌ, ๐ฌ๐ญ๐จ๐ซ๐ž๐ฌ, ๐จ๐ซ ๐ญ๐ซ๐š๐ง๐ฌ๐ฆ๐ข๐ญ๐ฌ ๐‚๐”๐ˆ = the risk assessment has to include in-scope information system.

๐“๐ก๐ž ๐’ˆ๐’๐’‚๐’ ๐จ๐Ÿ ๐ซ๐ž๐ช๐ฎ๐ข๐ซ๐ž๐ฆ๐ž๐ง๐ญ 3.11.1 ๐ข๐ฌ ๐ญ๐จ ๐ ๐ž๐ญ ๐œ๐จ๐ฆ๐ฉ๐š๐ง๐ข๐ž๐ฌ ๐ญ๐จ 
1) consider what risks their organization and their CUI faces;
2) decide which risks cannot be accepted
3) apply mitigations to reduce risk.
But an assessor will generally only require evidence that you’ve considered what risk your organization and CUI faces (the first part).

๐Ž๐ญ๐ก๐ž๐ซ ๐ญ๐ก๐ข๐ง๐ ๐ฌ ๐ญ๐ก๐š๐ญ ๐›๐ž๐ง๐ž๐Ÿ๐ข๐ญ ๐Ÿ๐ซ๐จ๐ฆ ๐ซ๐ข๐ฌ๐ค ๐š๐ฌ๐ฌ๐ž๐ฌ๐ฌ๐ฆ๐ž๐ง๐ญ๐ฌ:ย ย 
Contractor Risk Managed Assets. Specialized Assets. Plan of Action. DFARS 252.204-7012 (b)(3). If you don’t know why I reference these, you should find out!

Shameless plug: The Kieri Compliance Documentation (Google it if curious) includes detailed instructions and a partially pre-filled-in template for Risk Assessment. We identified 28 risks that affect almost all small businesses and pre-filled them in to get you started.
