AC.L2-3.11.1[c] — Risk Assessment (Risk Assessments)
Domain: Risk Assessment (RA) | Practice: RA.L2-3.11.1 | Objective ID: 3.11.1[c] | Source: NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2 | Assessment Objective: Risks to individuals are periodically assessed.
Executive Summary
CMMC objective AC.L2-3.11.1[c] requires periodic assessment of risks to individuals (privacy risks, safety risks from CUI exposure). This is a core component of CMMC Level 2 compliance for organizations handling CUI under DFARS 252.204-7012.
What the Objective Requires
- A documented control implementation addressing the requirement that risks to individuals are periodically assessed.
- A named control owner accountable for AC.L2-3.11.1[c].
- A monitoring mechanism producing evidence that the objective is operating across all CUI systems.
- A documented review cadence with signed evidence.
- Mapping to NIST SP 800-53 Rev. 5 controls.
- Cross-references to related Risk Assessment objectives.
Evidence Package
Risk Assessment Policy, SSP narrative, Operational evidence, Review/recertification records, POA&M entries.
Real-World Examples
Organizations frequently fail this objective when risk registers lack privacy impact assessments or when individual risk factors (e.g., dual-citizen employees accessing CUI) are not documented in the assessment process.
How Northern Data Solutions Helps
NDS provides Cyberwatch assessments, Cyberwatch Advanced services, Compliance-as-a-Service, and vCSO guidance to ensure AC.L2-3.11.1[c] compliance.