RA - Risk Assessment Domain Notes
CMMC Domain: RA (Risk Assessment)
NIST 800-171 Family: 3.11.x
General Notes
Risk Assessment is Required (Not Optional)
- A formal risk assessment must be documented and periodically refreshed
- Can be separate document or integrated into SSP
- Must cover the CUI boundary, not just IT in general
POA&M (Plan of Action & Milestones)
- POA&M is the key output of risk assessment; it documents known gaps and remediation timelines
- CMMC allows POA&M for some findings but not for high-severity items
- Controls that must be fully implemented cannot be on the POA&M at the time of assessment
- "CMMC is binary - you meet it or you don't. No middle ground."
- Source: https://www.reddit.com/r/CMMC/comments/1j8xjd2/ (2025)
Free POA&M Templates
- ComplianceForge: https://complianceforge.com/compliance/cmmc-compliance-dfars-252-204-7021
- CMMC-Bagel (GitHub): includes POA&M management
Apptega Platform
- GRC platform that generates SSP and guidance as you fill in fields
- Mentioned by Leguy42 (active CMMC consultant) as useful for small orgs
- Source: https://old.reddit.com/r/CMMC/comments/1r0tcww/ (2026-02)
GRC Tools for Risk / Compliance Tracking
- Apptega, Drata, RegScale, Hyperproof, IntelliGRC: all mentioned
- Drata: AI hallucinations reported (see vendors/avoid.md)
- IntelliGRC: "reasonably priced" per one commenter
- Cyturus: "all the assessors will be using" (one claim, unverified)
- Excel is viable for small orgs β many successful assessments used only Excel
Related Posts
- Struggling with compliance team (2026-02-10)
- CMMC L2 question (2026-01-27)
- Lessons from first CMMC client assessments (2025)