GRCWatch
Sign inStart free trial

NIST 800-171 Control 3.11.1: Risk Assessment

Control 3.11.1 requires organizations to periodically assess risks to operations, assets, and individuals from system use and CUI processing. For SMBs handling sensitive unclassified information, regular risk assessments are foundational to compliance. This control ensures you identify threats before they impact mission-critical functions.

What this means

Organizations must conduct periodic risk assessments that evaluate threats and vulnerabilities across systems processing, storing, or transmitting controlled unclassified information (CUI). These assessments should measure potential impact to organizational operations (mission, functions, reputation), assets, and individuals. The assessment process identifies where CUI flows, what could go wrong, and what safeguards exist—creating a baseline for ongoing risk management and remediation decisions.

How to comply

  1. 1.Define assessment scope: identify all systems, data flows, and touchpoints where CUI is processed, stored, or transmitted
  2. 2.Establish assessment frequency based on organizational risk tolerance, system changes, and regulatory requirements (typically annually minimum)
  3. 3.Conduct qualitative or quantitative risk analysis using industry frameworks (NIST RMF, ISO 27005) to identify threats, vulnerabilities, and likelihood
  4. 4.Document likelihood and impact of identified risks to operations, assets, and individuals affected by the system
  5. 5.Document assessment methodology, assumptions, and date to demonstrate periodic re-evaluation
  6. 6.Review and update assessments when systems change, new threats emerge, or after security incidents
  7. 7.Use assessment results to inform risk response decisions (mitigate, accept, transfer, or avoid)

Evidence auditors look for

  • Annual risk assessment reports with documented scope, threats, vulnerabilities, and impact ratings
  • System risk registers or matrices ranking identified risks by likelihood and impact
  • Risk assessment tool outputs or templates showing CUI data flows and threat analysis
  • Assessment update documentation reflecting changes to systems or threat landscape
  • Risk mitigation plans tied directly to high or medium-rated assessment findings
  • Board or compliance committee meeting minutes reviewing periodic risk assessments
  • Third-party risk assessment reports if using external assessors

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates periodic risk assessment scheduling, tracks assessment frequency compliance, and centralizes risk findings in a single dashboard—eliminating spreadsheet chaos and ensuring your organization never misses a required assessment window.

See how GRCWatch handles this control automatically

Start free trial

Related controls

3.11.2 Vulnerability Management3.12.1 System Monitoring3.12.2 Security Event Analysis