Hello, and welcome to the NIST 800-171 learning path. My name is Dave Hatter, and I'm your instructor for this class. This is course two, Understanding and Implementing the 110 NIST 800-171 Requirements. As you know, there are 14 requirement families, and in this video we will explore family 3.11, Risk Assessment. This is about regularly evaluating risks to information systems and personnel, and it has three requirements.

The first requirement is 3.11.1: periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. This is a basic requirement, and the discussion says, quote, "clearly defined system boundaries are a prerequisite for effective risk assessments," unquote. Your assessments can be formal or informal; they should consider internal and external vulnerabilities and threats, and they need to determine likelihood and impact. You can see NIST Special Publication 800-30 for guidance on risk assessments. I highly recommend you check out that document; it's chock full of useful information about risk assessments.

The next requirement is 3.11.2: scan for vulnerabilities in organizational systems and applications periodically, and when new vulnerabilities affecting those systems and applications are identified. This is a derived requirement; you want to scan to ensure that vulnerabilities are identified and remediated. You should use a SCAP-compliant scanning tool (Security Content Automation Protocol) that can utilize the Open Vulnerability and Assessment Language, or OVAL, to detect vulnerabilities, and that can report vulnerabilities in the Common Vulnerabilities and Exposures format, CVE. And you want to see the Common Weakness Enumeration listing and the National Vulnerability Database, or NVD, for known vulnerability information.
You can check out NIST Special Publication 800-40 for guidance on vulnerability management. And then the last requirement in this family, 3.11.3: remediate vulnerabilities in accordance with risk assessments. This is a derived requirement, and you need to remediate identified vulnerabilities based on risk. In other words, prioritize the remediation and use the risk assessment that you did, together with the vulnerability scanning, to make sure that you're taking care of any vulnerabilities that you find in systems that contain CUI. That is the last requirement of this family. Thanks for watching, and I will see you in the next video.
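To illustrate how 3.11.1, 3.11.2 and 3.11.3 fit together, here is an added example (my own code, not part of the course and not a NIST or SCAP tool): it takes a constructed scanner export and a constructed asset inventory, rates each finding by likelihood and impact in the qualitative style of SP 800-30, and assigns a remediation deadline from the resulting risk level. The hostnames, CVE ids, CVSS scores, the 3x3 risk table and the deadline policy are all assumptions chosen for the example; your inventory, scanner output and policy will differ. The point it makes is that a CVSS 9.1 finding on an isolated kiosk ranks below a CVSS 6.1 finding on an internet-facing system holding CUI.

```python
"""Risk-based remediation prioritization for vulnerability scan findings.

Added example (not course material). Combines a constructed scan export with
a constructed asset inventory, rates each finding by likelihood x impact in
the qualitative style of NIST SP 800-30, and derives a remediation deadline
from the risk level. Hostnames, CVE ids, scores and deadlines are placeholders.
"""

# Constructed asset inventory: does the host hold CUI, and is it internet-facing?
ASSETS = {
    "fileserver01": {"cui": True,  "external": False},
    "web01":        {"cui": False, "external": True},
    "hr-db01":      {"cui": True,  "external": True},
    "kiosk01":      {"cui": False, "external": False},
}

# Constructed scanner output. The CVE ids are placeholders, not real entries.
FINDINGS = [
    {"host": "fileserver01", "cve": "CVE-0000-0001", "cvss": 9.8, "exploit_public": True},
    {"host": "web01",        "cve": "CVE-0000-0002", "cvss": 7.5, "exploit_public": False},
    {"host": "hr-db01",      "cve": "CVE-0000-0003", "cvss": 6.1, "exploit_public": True},
    {"host": "kiosk01",      "cve": "CVE-0000-0004", "cvss": 9.1, "exploit_public": False},
]

LEVELS = ("Low", "Moderate", "High")

# Simplified 3x3 likelihood-by-impact lookup (constructed for this example;
# SP 800-30 uses a five-level scale, but the shape of the table is the same).
RISK_MATRIX = {
    ("Low", "Low"): "Low",            ("Low", "Moderate"): "Low",            ("Low", "High"): "Moderate",
    ("Moderate", "Low"): "Low",       ("Moderate", "Moderate"): "Moderate",  ("Moderate", "High"): "High",
    ("High", "Low"): "Moderate",      ("High", "Moderate"): "High",          ("High", "High"): "High",
}

# Constructed remediation SLA in days per risk level (assumed policy).
REMEDIATION_DAYS = {"High": 7, "Moderate": 30, "Low": 90}


def likelihood(finding, asset):
    """Likelihood of exploitation: severity, public exploit availability and exposure."""
    points = 0
    if finding["cvss"] >= 9.0:
        points += 2
    elif finding["cvss"] >= 7.0:
        points += 1
    if finding["exploit_public"]:
        points += 1
    if asset["external"]:
        points += 1
    return "High" if points >= 3 else "Moderate" if points == 2 else "Low"


def impact(asset):
    """Impact of compromise, driven by whether the system stores, processes or transmits CUI."""
    if asset["cui"]:
        return "High"
    return "Moderate" if asset["external"] else "Low"


def assess(finding, asset):
    """Rate one finding: likelihood, impact, risk level and remediation deadline."""
    lik = likelihood(finding, asset)
    imp = impact(asset)
    risk = RISK_MATRIX[(lik, imp)]
    return {**finding, "likelihood": lik, "impact": imp, "risk": risk,
            "remediate_within_days": REMEDIATION_DAYS[risk]}


def prioritize(findings, assets):
    """Rank findings by risk level (highest first), then by CVSS as a tie-breaker."""
    rated = [assess(f, assets[f["host"]]) for f in findings]
    return sorted(rated, key=lambda r: (LEVELS.index(r["risk"]), r["cvss"]), reverse=True)


if __name__ == "__main__":
    for r in prioritize(FINDINGS, ASSETS):
        print(f'{r["risk"]:<9} {r["host"]:<13} {r["cve"]} cvss={r["cvss"]} '
              f'likelihood={r["likelihood"]} impact={r["impact"]} '
              f'fix within {r["remediate_within_days"]} days')
```

Run it as a script to print the ranked list. In practice the `FINDINGS` list would be loaded from your SCAP scanner's export and `ASSETS` from the system inventory that defines your CUI boundary, which is exactly why 3.11.1 asks for clearly defined system boundaries before the risk assessment is meaningful.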