AC.L2-3.11.3[a] — Risk Assessment (Threat Assessments)
Domain: Risk Assessment (RA) | Practice: RA.L2-3.11.3 | Objective ID: 3.11.3[a]
Assessment Objective: Threats to organizational operations are periodically assessed.
Summary
AC.L2-3.11.3[a] requires organizations to periodically assess threats to organizational operations, including external threats (cyber adversaries, nation-state actors, criminal groups) and internal threats (insider risks). Organizations must maintain threat intelligence and assess applicability to their CUI environment.
Key Requirements
- Documented threat assessment process.
- Evidence of threat intelligence gathering from credible sources (CISA, FBI, vendor advisories).
- Assessment of threat applicability to organizational CUI.
- Documentation of identified threat actors and tactics.
- Annual (minimum) threat reassessment.
- Executive review and sign-off on the threat landscape.
NDS Support
NDS vCSO services provide executive guidance on threat landscapes relevant to defense contractors and organizations handling CMMC-scoped CUI.