CMMC Practice RM.3.144: Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources, and risk measurement criteria.
CMMC CLARIFICATION (Ref CMMC – Appendix B)
This level 3 practice extends the related level 2 practice (RM.2.141) by requiring that defined risk categories, identified sources of risk, and specific risk measurement criteria be included in the risk assessment. Risk assessments are performed periodically to identify potential risks to the organization, or after an incident to mitigate recurrence of that risk. A risk assessment identifies risks to an organization’s functions and the supporting assets: people, technology, information, and facilities. Threat information, vulnerabilities, likelihoods, and impacts are used to identify risk. Evaluate and prioritize the identified risks based on the defined risk criteria: risk sources, risk categories, and risk measurement criteria.
It is important to note that risk assessments differ from vulnerability scanning. A vulnerability scan focuses primarily on technical vulnerabilities in a system and provides input to a risk assessment. A risk assessment may not be a strictly technical assessment. It includes such qualitative data as results from likelihood analysis and potential threat descriptions. Refer to RM.2.142 for vulnerability scanning.