You periodically assess the risk to operations from your CUI systems.
What it actually means
A periodic risk assessment of the systems that handle CUI: what could go wrong (threats and the weaknesses they could exploit), how likely it is, and how bad the impact on operations, assets, and individuals would be. The result is written down, dated, and used to drive decisions. It doesn't need to be elaborate; it needs to be real, current, and actually inform what you prioritize.
Pass or fail — an assessor needs a "yes" to each
- A risk assessment is performed periodically. The frequency is yours to define, but it must be written down and met (a common choice is at least annually and after any significant change to the environment).
- It covers the systems that process, store, or transmit CUI, including the boundary of that environment.
- Results inform decisions: remediation priority, POA&M items, and where security effort and budget go.
What to have ready
- Risk assessment document, dated, with its scope, identified risks, likelihood and impact ratings, and a named owner for each risk
- Cadence/policy for updating it, stating the defined frequency and the events that trigger a reassessment
- Evidence it drives prioritization (e.g., POA&M entries or remediation tickets that trace back to a rated risk)
Where teams trip up
- No documented risk assessment (a risk discussion that happened but left no record does not count)
- A one-time assessment never updated, or a defined frequency that has quietly lapsed
- An assessment that sits on a shelf, with no visible link between its findings and what the team actually fixed