January 26, 2026
Assessing Risk vs. Assuming Risk
While discussing the security vs. compliance dichotomy recently, the question of risk assessment in the context of NIST SP 800-171 came up, and I realized that some folks have a fuzzy understanding of how this plays out. So let's tackle that today!
Risk assessment is absolutely something you are expected to do. In fact, it’s one of the 14 control families in 800-171 (Rev. 2), and 3.11.3 tells us to “Remediate vulnerabilities in accordance with risk assessments.”
Risk assessment is basically asking three questions (What could happen? How likely is it? How bad would it be?) and deciding how to address the risk (assume, mitigate or transfer).
Risk assumption is what you are not permitted to do. DoD/DoW does not permit you to assume risk on its behalf for its data. You must mitigate or transfer.
This is why I say we have to be careful when we talk about assessing risk outside the RA family, because it can be a red flag to a C3PAO -- but it doesn’t mean we don’t do risk assessments to help us make good decisions.
Let’s look at this in the context of addressing low-level vulnerabilities. Quite often a vulnerability is only exploitable if a certain condition is present (e.g., a specific port is open, a specific configuration setting is enabled, a specific module is installed). If you do a risk assessment and determine that the condition is not present (How likely is it? Not at all!), you can reclassify that vulnerability as negligible or N/A and you don’t have to apply that patch. You do have to do the investigation, though, to determine whether the means of exploitation for that vulnerability applies to the system, and you have to record what you found so an assessor can see the evidence. The investigation is the risk assessment.
However, if the condition is present, you cannot say “Well, I’m going to take my chances because [reasons].” That would be assuming the risk.
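Here is the assess-don't-assume rule as a small script. This is an added example written for this post, not code from The Net Effect, NIST or any scanner vendor: the finding, the condition kinds (port_open, setting_equals, module_installed), the plugin ID and the host evidence are all constructed. The only dispositions the record type will accept are REMEDIATE and NOT_APPLICABLE, plus an INVESTIGATE state for evidence that hasn't been collected yet (that third state is an assumption of the example: with no evidence you can't mark a finding N/A). There is deliberately no way to record "accept the risk."

```python
"""Applicability check for a vulnerability finding.

Added example, not from the newsletter or from NIST. All identifiers,
condition kinds and sample hosts below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# The record type only knows these outcomes. "ACCEPT" is not one of them:
# the contractor may not assume risk on the government's behalf.
ALLOWED_DISPOSITIONS = {"REMEDIATE", "NOT_APPLICABLE", "INVESTIGATE"}


@dataclass
class Finding:
    plugin_id: str
    title: str
    conditions: list  # [(kind, value)] - ALL must hold for the weakness to be exploitable


@dataclass
class HostEvidence:
    hostname: str
    open_ports: Optional[set] = None        # None means "not collected yet"
    config: Optional[dict] = None
    installed_modules: Optional[set] = None


@dataclass
class Assessment:
    plugin_id: str
    hostname: str
    disposition: str
    checks: list = field(default_factory=list)  # (kind, value, present, evidence)

    def __post_init__(self):
        if self.disposition not in ALLOWED_DISPOSITIONS:
            raise ValueError(f"{self.disposition!r} is not a permitted disposition")


def _check(kind, value, ev):
    """Return (present, evidence). present is True, False, or None (unknown)."""
    if kind == "port_open":
        if ev.open_ports is None:
            return None, "open_ports not collected"
        return value in ev.open_ports, f"open_ports={sorted(ev.open_ports)}"
    if kind == "setting_equals":
        key, expected = value
        if ev.config is None or key not in ev.config:
            return None, f"{key} not collected"
        return ev.config[key] == expected, f"{key}={ev.config[key]!r}"
    if kind == "module_installed":
        if ev.installed_modules is None:
            return None, "installed_modules not collected"
        return value in ev.installed_modules, f"installed_modules={sorted(ev.installed_modules)}"
    raise ValueError(f"unknown condition kind {kind!r}")


def assess(finding, ev):
    """The investigation IS the risk assessment: every precondition gets checked
    against collected evidence, and the evidence is kept in the record."""
    checks = [(kind, value) + _check(kind, value, ev) for kind, value in finding.conditions]
    results = [present for _, _, present, _ in checks]
    if any(p is False for p in results):
        disposition = "NOT_APPLICABLE"   # a required condition is provably absent
    elif any(p is None for p in results):
        disposition = "INVESTIGATE"      # evidence missing: cannot call it N/A yet
    else:
        disposition = "REMEDIATE"        # condition present: patch, no "taking chances"
    return Assessment(finding.plugin_id, ev.hostname, disposition, checks)


# Constructed sample finding and hosts (not a real plugin ID or CVE).
SMB_FINDING = Finding(
    plugin_id="EXAMPLE-0001",
    title="Legacy SMBv1 enabled (illustrative finding)",
    conditions=[("port_open", 445), ("setting_equals", ("SMB1", "enabled"))],
)
HOSTS = [
    HostEvidence("ws-01", open_ports={135, 445}, config={"SMB1": "enabled"}),
    HostEvidence("ws-02", open_ports={135}, config={"SMB1": "enabled"}),
    HostEvidence("ws-03", open_ports={135, 445}, config=None),
]


def run_sample():
    return {ev.hostname: assess(SMB_FINDING, ev).disposition for ev in HOSTS}


if __name__ == "__main__":
    for ev in HOSTS:
        a = assess(SMB_FINDING, ev)
        print(a.hostname, a.disposition)
        for kind, value, present, proof in a.checks:
            print(f"   {kind}:{value} -> {present} ({proof})")
```

ws-01 has the port open and the setting enabled, so it must be remediated; ws-02 has port 445 closed, so the finding is N/A with the port list as evidence; ws-03 has no configuration evidence yet, so it cannot be dispositioned until the investigation is finished. Trying to construct an Assessment with disposition "ACCEPT" raises rather than silently recording an assumed risk.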
When I posed this discussion among colleagues, one of them put it quite succinctly: “You need to assess that there is no risk; you can't decide that the risk doesn't matter.” That's the difference between assessing risk and assuming it.
Hope this helps? Ping me if it doesn't!
Join me for this CMMC webinar by NDIA tomorrow!
Join NDIA's Subject Matter Experts (including me!) on January 27 for Part 7: Seeking Expert Assistance, Available Resources, and How to Manage Flowdowns as a Subcontractor.
Consider how to engage third-party experts, learn the types of resources that are available, and discover what to look for and how to manage flowdown clauses as a subcontractor. Registration
Sincerely,
Glenda R. Snodgrass, CCP/CCA/Lead CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107

