Requirement text: RM.3.144: Periodically perform risk assessments to identify and prioritize risks
according to the defined risk categories, risk sources, and risk measurement criteria.
DISCUSSION FROM SOURCE: NIST CSF V1.1
The organization understands the cybersecurity risk to organizational operations (including
mission, functions, image, or reputation), organizational assets, and individuals.
CMMC CLARIFICATION
This level 3 practice extends the related level 2 practice (RM.2.141) by requiring that defined
risk categories, identified sources of risk, and specific risk measurement criteria be included
in the risk assessment. Risk assessments are performed periodically to identify potential
risks to the organization, or after an incident to mitigate recurrence of that risk. A risk
assessment identifies risks to an organization's functions and the supporting assets: people,
technology, information, and facilities. Threat information, vulnerabilities, likelihoods, and
impacts are used to identify risk. Evaluate and prioritize the identified risks based on the
defined risk criteria: risk sources, risk categories, and risk measurement criteria.
It is important to note that risk assessments differ from vulnerability scanning. A
vulnerability scan focuses primarily on technical vulnerabilities in a system, and provides
input to a risk assessment. A risk assessment may not be a strictly technical assessment. It
includes such qualitative data as results from likelihood analysis and potential threat
descriptions. Refer to RM.2.142 for vulnerability scanning.
Example
The CIO has asked you to perform a risk assessment for the organization’s IT assets. You
assemble the leads from each major area across the IT organization. One of the first tasks
the team performs is to define risk in terms of severity and impact to the organization. The
team identifies organizational functions and the IT assets required to support them. This
information is confirmed by executive input. You then lead the team through an exercise
that defines the threats (e.g., APT, hacker, criminal) and attacker tools, techniques, and
procedures (e.g., ransomware, defaced website) that the organization may face. The team
uses publicly available information and previous internal IT assessments to create the
organization’s threat list. The threats and an analysis of susceptibility are analyzed to
determine the likelihood of occurring. The team ranks the impacts and prepares a report for
the CIO. As a result of the report the CIO directs you to improve the security for the public
facing web servers hosting a sponsor-used application. Additional tasks to mitigate risks are
added to a prioritized action list to be worked by the IT organization.
References
• NIST CSF v1.1 ID.RA-5
• CERT RMM v1.2 RISK:SG3, RISK:SG4.SP3
• NIST SP 800-53 Rev 4 RA-3