Welcome to our Risk Assessment Guide for CMMC Level 2.0. This guide is for small businesses and DoD contractors. We will show you how to do risk assessments, with easy instructions and useful tips. We'll also help you gather the evidence you need for CMMC Level 2.0.
Risk Assessment is important for meeting CMMC rules. It helps find and lower possible security risks. Knowing and handling these risks is key to keeping your data safe and your business secure.
We know this control can seem complicated, but it's essential for your business's safety. Need help with Risk Assessment or other CMMC areas? Get a free consultation with us. We're here to help your business meet CMMC Level 2.0 in a way that works for you and keeps your information protected.
“Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of CUI.”
Level Of Effort: Medium
Organizations need to check risks related to their operations, assets, and staff, especially when dealing with CUI. This means looking at threats, weaknesses, and possible effects to make smart decisions about cybersecurity.
Do a risk assessment at least once a year, or more often when your company is changing quickly.
This is a formal review where you document:
Combine all this to see if there are new risks and what more you can do about them. Create a plan that clearly says who will make these changes and when.
Many companies get help from an external cybersecurity or vCISO service for this. If you're interested in exploring how our vCISO services can assist with your risk assessment, learn more about what we offer and how we can help. But if you want to do it yourself, your internal compliance or security officer can find many resources online. Just search for “free security risk assessment template.”
“Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.”
Level Of Effort: Medium
Organizations need to check their systems and apps for any weak spots. This ongoing task helps find and fix security issues, especially when new problems are discovered. Here's a guide on what steps to follow and what proof you need to show you're meeting these standards.
“Remediate vulnerabilities in accordance with risk assessments.”
Level Of Effort: High
This is about fixing the weak spots you find in your systems and apps during vulnerability scans. The goal is to decide which fixes to do first, based on how much risk each weak spot poses to your business.
Develop a fix-it process: Set up a method to review scan results and start fixing the problems. Initially, this might seem like a lot, so use your vulnerability scanner's tools to help decide what to fix first.
Set timeframes for fixes: Work with your I.T. team to create a Service Level Agreement (SLA) for patches. Decide how quickly you’ll fix different types of problems. A common approach is:
Remember, this is just one way to do it. Talk with your cybersecurity and I.T. teams to figure out the best plan for your company.
Agree on how to handle exceptions: Sometimes, you can’t fix every problem. This might be because of old equipment that needs specific software or software patches that aren’t working right. Decide how you’ll talk about and manage these exceptions. For example, you might keep old equipment off the main network to reduce risk. Make sure you know who decides on these exceptions and how long they'll last.
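The three steps above (a fix-it process, SLA timeframes by severity, and documented exceptions with an owner and expiry date) can be tracked in a small script. The following is an added example written for this guide; it is not a tool from the original page or from any vendor mentioned here. The SLA windows in SLA_DAYS, the finding and exception records, and the asset names are all assumed, constructed values chosen to illustrate the logic, not recommended timeframes.

```python
"""Remediation tracker: severity-based SLA due dates plus exception handling.

Added example for the CMMC remediation section. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# ASSUMPTION: illustrative SLA windows in days per scanner severity. The guide
# leaves the real timeframes to each company's IT and security teams.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Finding:
    finding_id: str
    asset: str
    severity: str               # severity as reported by the vulnerability scanner
    found_on: date              # date the scan first reported the finding
    fixed_on: Optional[date] = None


@dataclass
class RiskException:
    finding_id: str
    owner: str                  # who approved the exception
    compensating_control: str   # e.g. keeping old equipment off the main network
    expires_on: date            # exception must be re-approved after this date


def due_date(finding: Finding) -> date:
    """SLA deadline = date found + the window for its severity."""
    return finding.found_on + timedelta(days=SLA_DAYS[finding.severity])


def finding_status(finding: Finding, exceptions: Dict[str, RiskException], today: date) -> str:
    """Classify a finding: fixed, fixed-late, excepted, exception-expired, overdue or open."""
    if finding.fixed_on is not None:
        return "fixed" if finding.fixed_on <= due_date(finding) else "fixed-late"
    exc = exceptions.get(finding.finding_id)
    if exc is not None:
        # An expired exception must not silently hide the finding.
        return "excepted" if exc.expires_on >= today else "exception-expired"
    return "overdue" if today > due_date(finding) else "open"


def remediation_worklist(findings: List[Finding], exceptions: Dict[str, RiskException],
                         today: date) -> List[Finding]:
    """Findings that still need action, most urgent first (severity, then deadline)."""
    needs_action = {"open", "overdue", "exception-expired"}
    actionable = [f for f in findings if finding_status(f, exceptions, today) in needs_action]
    return sorted(actionable, key=lambda f: (SEVERITY_RANK[f.severity], due_date(f)))


# Constructed sample data (not real scan output).
TODAY = date(2024, 6, 1)
FINDINGS = [
    Finding("F-1", "web01", "critical", date(2024, 5, 20)),                      # overdue
    Finding("F-2", "web01", "high", date(2024, 5, 15)),                          # open
    Finding("F-3", "legacy-cnc", "high", date(2024, 3, 1)),                      # excepted
    Finding("F-4", "fileserver", "medium", date(2024, 1, 10), date(2024, 2, 1)), # fixed
    Finding("F-5", "hr-laptop", "low", date(2023, 10, 1)),                       # exception expired
]
EXCEPTIONS = {
    "F-3": RiskException("F-3", "security officer",
                         "legacy CNC controller kept on an isolated network segment", date(2024, 12, 31)),
    "F-5": RiskException("F-5", "IT manager", "vendor patch pending", date(2024, 5, 1)),
}

if __name__ == "__main__":
    for f in FINDINGS:
        print(f"{f.finding_id:4} {f.asset:12} {f.severity:8} due {due_date(f)} "
              f"-> {finding_status(f, EXCEPTIONS, TODAY)}")
    print("Work next:", [f.finding_id for f in remediation_worklist(FINDINGS, EXCEPTIONS, TODAY)])
```

The worklist output is the evidence an assessor typically asks for: each finding, its deadline, who owns any exception, and when that exception runs out. Feeding real scanner exports into FINDINGS and keeping EXCEPTIONS in a reviewed file gives you a repeatable record rather than a one-off spreadsheet.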