CMMC Practice RM.3.144
Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources, and risk measurement criteria.
Bold Coast Security Guidance
For Level 3 compliance, there must be a formal, documented risk management plan that brings the various aspects of risk and vulnerability management together into a cohesive risk management program. At this level, risk assessment is a formal, documented process that follows a standard methodology (for example, the defined risk categories, risk sources, and risk measurement criteria referenced in the practice), so that results are repeatable and comparable from one assessment to the next. The plan must cover how risks and vulnerabilities are assessed and prioritized, and it must include a consistently applied remediation plan for the risks it identifies.
NIST CSF V1.1
The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.