RA.L2-3.11.2[b] — Risk Assessment (Vulnerability Assessments)
Domain: Risk Assessment (RA) | Practice: RA.L2-3.11.2 | Objective ID: 3.11.2[b]
Assessment Objective: Vulnerability assessment results are documented.
Summary
RA.L2-3.11.2[b] requires formal documentation of vulnerability assessment findings, including severity ratings, affected systems, and remediation recommendations. Documentation is critical for CMMC Level 2 evaluation.
Key Requirements
- Formal vulnerability assessment reports generated from scanning tools.
- Reports include CVSS scores and severity classifications.
- Documentation of affected CUI systems.
- Timestamp and assessor identification.
- Evidence of management review and sign-off.
NDS Support
Compliance-as-a-Service platforms help organizations aggregate and archive vulnerability assessment documentation for C3PAO review.