CMMC v2.0 Risk Assessment

Controls mapping and traceability diagram. Created by Tara Lemieux and Michael Redman, Schellman Compliance.


1. RA.L2-3.11.1 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.

1.1. Determine if:

1.1.1. CA.L2-3.12.2: Enables Plan of Action

1.2. (a) the frequency to assess risk to organizational operations, organizational assets, and individuals is defined

1.3. (b) risk to organizational operations, organizational assets, and individuals resulting from the operation of an organizational system that processes, stores, or transmits CUI is assessed with the defined frequency

2. RA.L2-3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.

2.1. Determine if:

2.2. (a) the frequency to scan for vulnerabilities in organizational systems and applications is defined

2.3. (b) vulnerability scans are performed on organizational systems with the defined frequency

2.4. (c) vulnerability scans are performed on applications with the defined frequency

2.5. (d) vulnerability scans are performed on organizational systems when new vulnerabilities are identified

2.6. (e) vulnerability scans are performed on applications when new vulnerabilities are identified

3. RA.L2-3.11.3 Remediate vulnerabilities in accordance with risk assessments.

3.1. Determine if:

3.1.1. Is of benefit to CA.L2-3.12.2; allows remediation of vulnerabilities to take place based on the plans of action developed for vulnerabilities under CA.L2-3.12.2.

3.2. (a) vulnerabilities are identified

3.3. (b) vulnerabilities are remediated in accordance with risk assessments