Risk Assessment

A risk assessment is the process of identifying potential threats and vulnerabilities that could affect your organization, analyzing the likelihood and impact of each risk, and determining appropriate measures to manage those risks. It's how you systematically identify what could go wrong and prioritize what to do about it.

Risk assessments should be performed regularly and whenever significant changes occur — new systems, new threats, organizational changes, or new compliance requirements. The results drive your security investment decisions, helping you allocate limited resources to the risks that matter most.

Why It Matters

Risk assessment is a CMMC domain. Conducting and documenting risk assessments demonstrates that your security decisions are informed by actual risk analysis rather than guesswork. Assessors expect to see risk-based decision-making in your security program.

Related Resources

CMMC: RA.L2-3.11.1
CMMC: RA.L2-3.11.2
CMMC: RA.L2-3.11.3
NIST 800-171: 3.11.1
NIST 800-171: 3.11.2
NIST 800-171: 3.11.3
NIST 800-53: RA-1
NIST 800-53: RA-2