>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

RA.L2-3.11.1Risk Assessments

Level 2
800-171: 3.11.1

>Control Description

Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.

>Cross-Framework Mappings

NIST SP 800-171

3.11.1
Compare

SCF

RSK-04
Compare

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What is your risk assessment policy and methodology?
  • How frequently do you conduct organizational risk assessments?
  • Who is responsible for conducting or overseeing risk assessments?
  • What framework guides your risk assessment process (e.g., NIST RMF)?
  • How do you prioritize identified risks?
  • What is your process for communicating risk assessment results to leadership?

Technical Implementation:

  • What GRC tools support risk assessment?
  • What risk assessment platforms do you use?
  • What tools identify and catalog assets for risk assessment?
  • What threat intelligence informs risk assessments?
  • What tools quantify and prioritize risks?
  • How do you technically aggregate risk across the organization?

Evidence & Documentation:

  • What risk assessment reports and documentation can you provide?
  • What risk assessment methodology documentation shows your approach?
  • What vulnerability scan reports demonstrate regular scanning?
  • What vulnerability remediation tracking shows timely remediation?
  • What risk register or risk tracking documentation can you show?
  • What evidence demonstrates risk assessments are conducted periodically?

Ask AI

Configure your API key to use AI features.