Josh Ablett

Risk Assessment (RA) Guide (For CMMC Level 2.0 Compliance)

January 17, 2024

Welcome to our Risk Assessment Guide for CMMC Level 2.0. This guide is for small businesses and DoD contractors. We will show you how to do risk assessments, with easy instructions and useful tips. We'll also help you gather the evidence you need for CMMC Level 2.0.

Risk Assessment is important for meeting CMMC rules. It helps find and lower possible security risks. Knowing and handling these risks is key to keeping your data safe and your business secure.

We know this control can seem complicated, but it's essential for your business's safety. Need help with Risk Assessment or other CMMC areas? Get a free consultation with us. We're here to help your business meet CMMC Level 2.0 in a way that works for you and keeps your information protected.


“Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of CUI.”

Level Of Effort: Medium

Organizations need to check risks related to their operations, assets, and staff, especially when dealing with CUI. This means looking at threats, weaknesses, and possible effects to make smart decisions about cybersecurity.

Do a risk assessment every year, or more often if things are changing fast in your company.

This is a formal review where you document:

  • Major changes in your business, not just in I.T. Think about new laws, changes in what you sell or where you work, and financial shifts.
  • Any new threats to your business, both inside and outside.
  • Changes in your technology and staff.

Combine all this to see if there are new risks and what more you can do about them. Create a plan that clearly says who will make these changes and when.

Many companies get help from an external cybersecurity or vCISO service for this. If you're interested in exploring how our vCISO services can assist with your risk assessment, learn more about what we offer and how we can help. But if you want to do it yourself, your internal compliance or security officer can find many resources online. Just search for “free security risk assessment template.”


“Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.”

Level Of Effort: Medium

Organizations need to check their systems and apps for any weak spots. This ongoing task helps find and fix security issues, especially when new problems are discovered. Here's a guide on what steps to follow and what proof you need to show you're meeting these standards.


  • Select a vulnerability scanning service: Work with your I.T. team to choose a service that scans your systems and applications for vulnerabilities.
  • Install scanning software on all devices: Install this software on every company computer, server, virtual machine, and network device such as firewalls. Installing it on a local server in office settings is also a good idea.
  • Regular scanning is key: Perform vulnerability scans not just once, but regularly – ideally monthly or weekly. This ensures continuous monitoring for any new or existing security issues.
  • Plan for scanning costs: These services usually start at around $3 per computer monthly, so budgeting is important.


  • Maintain vulnerability scan reports: Keep reports from every scan. These reports will give you a detailed list of vulnerabilities, helping you focus on which issues to address first.


“Remediate vulnerabilities in accordance with risk assessments.”

Level Of Effort: High

This is about fixing the weak spots you find in your systems and apps during vulnerability scans. The goal is to decide which fixes to do first, based on how much each weak spot could risk your business.


Develop a fix-it process: Set up a method to review scan results and start fixing the problems. Initially, this might seem like a lot, so use your vulnerability scanner's tools to help decide what to fix first.

Set timeframes for fixes: Work with your I.T. team to create a Service Level Agreement (SLA) for patches. Decide how quickly you’ll fix different types of problems. A common approach is:

  • Critical issues in 7 days
  • High in 14 days
  • Medium in 30 days
  • Low when you can

Remember, this is just one way to do it. Talk with your cybersecurity and I.T. teams to figure out the best plan for your company.

Agree on how to handle exceptions: Sometimes, you can’t fix every problem. This might be because of old equipment that needs specific software or software patches that aren’t working right. Decide how you’ll talk about and manage these exceptions. For example, you might keep old equipment off the main network to reduce risk. Make sure you know who decides on these exceptions and how long they'll last.


  • For your fix-it process: Keep your System Security Plan (SSP) updated with this process.
  • For setting fix timeframes: Update your SSP and have proof from your vulnerability scanner that you’re sticking to these timeframes.
  • For handling exceptions: Update your SSP to include how you deal with exceptions. Keep logs of these exceptions and mark them in your vulnerability scanner.
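The SLA timeframes and exception handling described above can be tracked in a small script that produces the "are we sticking to our timeframes" evidence an assessor asks for. This is an added example, not code from the guide or from any scanner; the findings, exception register and field names are constructed for illustration.

```python
from datetime import date, timedelta

# Remediation SLA in days per severity, taken from the example timeframes in the guide.
# "Low" has no hard deadline ("when you can"), so it is represented as None.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": None}

# Constructed sample findings (not real scanner output); field names are assumptions.
FINDINGS = [
    {"id": "F-1", "host": "srv-01", "severity": "critical", "found": "2024-01-02", "fixed": "2024-01-06"},
    {"id": "F-2", "host": "srv-02", "severity": "high", "found": "2024-01-01", "fixed": None},
    {"id": "F-3", "host": "ws-07", "severity": "medium", "found": "2023-12-01", "fixed": None},
    {"id": "F-4", "host": "hmi-legacy", "severity": "critical", "found": "2023-12-20", "fixed": None},
    {"id": "F-5", "host": "ws-03", "severity": "low", "found": "2023-11-01", "fixed": None},
    {"id": "F-6", "host": "srv-03", "severity": "high", "found": "2023-11-15", "fixed": None},
]

# Constructed exception register: who approved it, why, and when it expires (the guide asks
# that every exception has a named decision-maker and a duration).
EXCEPTIONS = {
    "F-4": {"approved_by": "CISO", "reason": "legacy device kept off the main network", "expires": "2024-06-30"},
    "F-6": {"approved_by": "IT Manager", "reason": "vendor patch broke the application", "expires": "2023-12-31"},
}


def sla_status(finding, exceptions, today):
    """Classify one finding: fixed, fixed_late, excepted, expired_exception, overdue, open or no_sla."""
    limit = SLA_DAYS[finding["severity"].lower()]
    found = date.fromisoformat(finding["found"])
    if finding["fixed"]:
        fixed = date.fromisoformat(finding["fixed"])
        return "fixed" if limit is None or (fixed - found).days <= limit else "fixed_late"
    exc = exceptions.get(finding["id"])
    if exc:  # an approved exception only counts while it is still in force
        return "excepted" if date.fromisoformat(exc["expires"]) >= today else "expired_exception"
    if limit is None:
        return "no_sla"
    return "overdue" if today > found + timedelta(days=limit) else "open"


def sla_report(findings, exceptions, today_iso):
    """Return {finding id: status} as of the given ISO date; this is the SLA evidence to keep."""
    today = date.fromisoformat(today_iso)
    return {f["id"]: sla_status(f, exceptions, today) for f in findings}


if __name__ == "__main__":
    for fid, status in sla_report(FINDINGS, EXCEPTIONS, "2024-01-17").items():
        print(fid, status)
```

Anything reported as overdue or expired_exception is what your fix-it process should pick up first, and the report itself is the evidence to attach to the SSP.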

