CMMC Practice RM.3.144

Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources, and risk measurement criteria.

Source

CMMC Version 1.02, pg. 208

Bold Coast Security Guidance

For Level 3 compliance, there must be a formal, documented risk management plan that brings together the various aspects of risk and vulnerability management into a cohesive risk management program. At this level, risk assessment is a formal, documented process that uses a standard methodology. The plan must cover the assessment of risks and vulnerabilities, as well as a consistently applied remediation plan.

Discussion From Source

NIST CSF V1.1: The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

References