Risk Assessments and Meeting NIST SP 800-171 Control 3.11.1

Dive into how risk assessments underpin NIST SP 800-171 compliance, with a focus on control 3.11.1. Our expert hosts break down what assessors look for, walk through real-world approaches, and share lessons learned from the field.

This show was created with Jellypod, the AI Podcast Studio.

Chapter 1

Why Risk Assessments Matter for NIST SP 800-171 Compliance

Eric Marquette

Welcome back to CMMC Unlocked, everyone. I'm Eric, and today we're diving into the world of risk assessments—specifically, how they underpin NIST SP 800-171 compliance, with a spotlight on control 3.11.1. Now, if you’ve been following our series, you’ll know we’ve talked a lot about continuous compliance and safeguarding CUI, but risk assessments are really the backbone of it all. They’re not just a checkbox—they’re about understanding where your organization is vulnerable and what you need to do to protect your data and, by extension, the defense supply chain.

Paul Netopski

That’s right, Eric. Control 3.11.1 in NIST SP 800-171 requires organizations to “periodically assess the risk to organizational operations, assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.” In plain English, it means you need a structured process to identify what could go wrong, how bad it could be, and what you’re going to do about it. And for CMMC Level 2, assessors are going to look for evidence that you’re not just doing this once, but that it’s a living, breathing part of your security program.

Ruby Sturt

Yeah, and I think a lot of folks underestimate how much risk assessments connect to your overall security posture. Like, it’s not just paperwork for the auditors. If you don’t know what your risks are, how can you possibly defend against them? I mean, it’s like trying to play footy blindfolded—good luck with that.

Eric Marquette

Exactly, Ruby. Actually, I had a client recently—a mid-sized defense contractor—who thought they were ready for their CMMC assessment. But when we dug in, it turned out they hadn’t done a formal risk assessment in over two years. They’d been patching systems and running antivirus, but they didn’t have a clear picture of their assets or the threats they faced. That nearly derailed their compliance efforts. We had to scramble to get a risk assessment done, document everything, and show the assessors that they understood their environment. It was a close call, and honestly, it could have been avoided with a bit of upfront planning.

Roz the Rulemaker

That’s a classic scenario, Eric. And it really highlights why risk assessments are foundational—not just for compliance, but for operational resilience. The regulatory framework expects organizations to be proactive, not reactive. If you’re only thinking about risk when the assessor walks in, you’re already behind the curve.

Chapter 2

Practical Steps and Common Pitfalls in Conducting Risk Assessments

Paul Netopski

Let’s get practical for a minute. Meeting 3.11.1 starts with asset identification—knowing what you have, where it is, and what it does. Then you move into threat and vulnerability analysis: What could go wrong? Who might target you? What weaknesses exist in your systems or processes? And finally, you need to document your findings and decisions. That documentation is what assessors are going to review, and it needs to be specific to your environment—not just a generic template you found online.

Ruby Sturt

Oh, templates! I’ve seen so many organizations just download a risk assessment template, fill in a few blanks, and call it a day. But assessors can spot that a mile away, can’t they?

Paul Netopski

Absolutely. One of the most common mistakes is incomplete scope—missing assets, ignoring cloud services, or not considering third-party risks. Another is treating risk assessments as a one-and-done exercise. I remember working with a contractor who thought doing a risk assessment every three years was enough. That sparked a pretty critical discussion with the assessment team. The standard says “periodically,” but in practice, that means at least annually, or whenever there’s a significant change in your environment. And you need to show that you’re actually reviewing and updating your risk assessments, not just filing them away.

Roz the Rulemaker

Paul, that’s a key point. The frequency and quality of your risk assessments are what make them defensible in an audit. If you’re just ticking boxes, you’re missing the intent of the control—and assessors will pick up on that.

Eric Marquette

And don’t forget about documentation best practices. If it’s not written down, it didn’t happen. That’s something we’ve hammered home in previous episodes, and it’s just as true here.

Chapter 3

A Regulatory Perspective: Documentation, Defensibility, and Rulemaking Insight

Roz the Rulemaker

Let’s take a step back and look at the regulatory context behind 3.11.1. The reason documentation is so critical is that it supports defensibility—not just in audits, but in any regulatory review or incident investigation. If you can show your work—how you identified risks, what decisions you made, and why—you’re in a much stronger position if your compliance is ever questioned. This is especially important as CMMC rulemaking evolves. Agencies are looking for evidence that organizations are not only following the letter of the law, but also the spirit—actively managing risk, not just reacting to incidents.

Eric Marquette

Roz, I think that ties into what we discussed last episode about the iterative nature of rulemaking and how organizations need to be ready for changes. Risk assessments aren’t static—they need to evolve as the rules and threats change.

Ruby Sturt

Roz, can I ask—how much flexibility do organizations really have with timelines? Like, if the guidance changes or there’s a new threat, how do you balance staying compliant with not burning out your team?

Roz the Rulemaker

That’s a thoughtful question, Ruby. The answer is, there’s some flexibility, but it’s bounded by the principle of reasonableness. Regulators understand that environments change and that guidance evolves. What matters is that you have a documented process for reviewing and updating your risk assessments—ideally, tied to significant events like system upgrades, new contracts, or emerging threats. If you can show that you’re adapting in a structured way, you’re much more likely to satisfy both auditors and regulators. And remember, risk assessments also feed into other requirements—like incident response planning and supply chain risk management. It’s all interconnected.

Paul Netopski

That’s why it’s so important to treat risk assessments as a living process, not a static document. The more you can show that you’re learning and adapting, the stronger your compliance posture will be.

Chapter 4

Integrating Risk Assessments into Your Security Program

Eric Marquette

So, let’s talk about making risk assessments part of your day-to-day security program, not just an annual fire drill. One of the best ways to do this is by scheduling regular reviews—quarterly, semi-annually, whatever fits your risk profile. The key is to make it routine, so you’re always adapting to new threats and changes in your environment.

Paul Netopski

And don’t overlook automation. There are some great tools out there now that can help with asset identification and threat analysis. Automation reduces human error and makes it easier to keep your risk register up to date. We talked about this in our episode on continuous compliance—using technology to stay ahead of the curve.

Ruby Sturt

Yeah, and it’s not just about the tech. You’ve gotta have clear roles and responsibilities. Who’s in charge of updating the risk assessment? Who reviews it? Who makes sure mitigation actions actually happen? If everyone thinks someone else is handling it, nothing gets done. I’ve seen that play out more than once.

Roz the Rulemaker

That’s a great point, Ruby. Accountability is essential. Assigning ownership ensures that risk assessments are maintained and acted upon. And from a regulatory perspective, having clear documentation of roles and responsibilities strengthens your defensibility if you’re ever audited or challenged.

Chapter 5

Implementing Risk Mitigation Strategies

Paul Netopski

Once you’ve identified your risks, the next step is developing a prioritized mitigation plan. Not every risk is equal—some need immediate action, others can be monitored. The goal is to align your mitigation activities with both your assessment findings and your available resources. That way, you’re not spreading yourself too thin or missing critical vulnerabilities.

Eric Marquette

And it’s important to integrate those mitigation activities into your existing security workflows. If you treat them as separate projects, they’re more likely to fall through the cracks. Make them part of your regular patching cycles, change management, or incident response processes—whatever fits your organization best.

Ruby Sturt

And don’t forget to review and adjust your strategies. New threats pop up all the time, and what worked last year might not cut it now. Post-implementation reviews are your chance to see what’s working and what needs tweaking. It’s all about staying resilient, not just compliant.

Roz the Rulemaker

Exactly, Ruby. A resilient security posture is built on continuous improvement. Regularly reviewing your mitigation strategies, incorporating new threat intelligence, and documenting your decisions will help you maintain both compliance and operational effectiveness. And as the regulatory landscape evolves, this approach will serve you well.

Eric Marquette

Well, that’s a wrap for today’s episode. Thanks, everyone, for sharing your insights—and thank you to our listeners for joining us on CMMC Unlocked. We’ll be back soon with more on navigating the world of cybersecurity compliance. Ruby, Paul, Roz—always a pleasure.

Ruby Sturt

Cheers, Eric! Always good fun. Catch you all next time.

Paul Netopski

Thanks, everyone. Stay vigilant, and keep those risk assessments current.

Roz the Rulemaker

Thank you all. Until next time, keep compliance practical and defensible. Goodbye, everyone.