Rewrite: choosing-risk-management-tools-for-cmmc

Explore essential security risk management tools for defense contractors to enhance compliance and safety.

---

# Choosing Risk Management Tools for CMMC

The Risk Assessment domain in CMMC Level 2 has three requirements: periodically assess risk to organizational operations and assets (RA.L2-3.11.1), scan for vulnerabilities (RA.L2-3.11.2), and remediate vulnerabilities in accordance with risk assessments (RA.L2-3.11.3). That's it. Three controls.

The market would have you believe you need a sophisticated enterprise GRC platform to satisfy them. You probably don't. But you do need the right combination of tools — and more importantly, you need to understand what "risk management tool" means in this context, because that phrase covers at least three different categories of software.

## The Three Categories of Risk Management Tooling

### Vulnerability Scanners

For RA.L2-3.11.2, you need a tool that identifies vulnerabilities in your in-scope systems and applications. This is the most technically specific of the three RA controls and requires dedicated tooling. Your options:

Tenable.io — the industry standard for enterprise vulnerability management. Agents deploy on each endpoint, scanning is continuous, and it integrates with patch management and SIEM. Strong CMMC-specific reporting. Pricing for small-to-mid organizations: $5,000–$15,000 per year depending on asset count.

Qualys VMDR — similar capability to Tenable, strong cloud integration, good for organizations running hybrid or cloud-heavy environments. Pricing is comparable.

Nessus Professional — Tenable's standalone scanner, not the full cloud platform. Works well for smaller environments (under 100 assets) that don't need cloud-based management. Around $4,000/year per scanner. Less automation than Tenable.io but adequate for many Level 2 environments.

What you need from the scanner:

  • Authenticated scans: the scanner has credentials on each system so it can see installed software, configurations, and patch status. Unauthenticated scans miss most findings.
  • Scheduled cadence: quarterly minimum, monthly is better.
  • CVSS scoring.
  • Reports that tie findings to specific systems.

The requirement: NIST SP 800-171A asks assessors to check that you conduct vulnerability scans periodically and when new vulnerabilities are identified. Your evidence should include scan reports dated across multiple time periods, showing both findings and remediation tracking.
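The three evidence properties above (authenticated scans, a quarterly-or-better cadence, and findings tied to specific systems with CVSS scores) can be checked mechanically across a series of scan exports before an assessor does it for you. The following is an added example, not code from the article or from any scanner vendor: it reads a constructed CSV layout whose `host`, `credentialed`, `cvss`, `plugin_id` and `name` columns are assumptions for this example rather than a particular product's export format, and it reports cadence gaps, hosts that only ever produced unauthenticated results, and the worst CVSS score per host in the most recent scan.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample exports keyed by scan date; the column layout is an assumption.
SCAN_EXPORTS = {
    date(2024, 1, 15): (
        "host,credentialed,cvss,plugin_id,name\n"
        "10.0.1.10,yes,9.8,100001,Outdated OpenSSL\n"
        "10.0.1.10,yes,5.3,100002,Weak TLS cipher suite\n"
        "10.0.1.11,yes,7.5,100003,Missing OS security update\n"
    ),
    date(2024, 4, 10): (
        "host,credentialed,cvss,plugin_id,name\n"
        "10.0.1.10,yes,5.3,100002,Weak TLS cipher suite\n"
        "10.0.1.11,yes,7.5,100003,Missing OS security update\n"
    ),
    date(2024, 9, 2): (
        "host,credentialed,cvss,plugin_id,name\n"
        "10.0.1.10,yes,5.3,100002,Weak TLS cipher suite\n"
        "10.0.1.12,no,4.3,100004,Banner discloses server version\n"
    ),
}

MAX_SCAN_GAP_DAYS = 92  # "quarterly minimum" from the text, with a few days of slack


def parse_export(text):
    """Turn one CSV export into finding dicts with a numeric CVSS and a boolean credentialed flag."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["cvss"] = float(row["cvss"])
        row["credentialed"] = row["credentialed"].strip().lower() == "yes"
    return rows


def unauthenticated_hosts(findings):
    """Hosts that appear only with unauthenticated results: weak RA.L2-3.11.2 evidence."""
    seen_credentialed = defaultdict(bool)
    for f in findings:
        seen_credentialed[f["host"]] = seen_credentialed[f["host"]] or f["credentialed"]
    return sorted(host for host, ok in seen_credentialed.items() if not ok)


def cadence_gaps(scan_dates, max_gap_days=MAX_SCAN_GAP_DAYS):
    """Consecutive scan pairs whose spacing exceeds the required cadence."""
    ordered = sorted(scan_dates)
    gaps = []
    for earlier, later in zip(ordered, ordered[1:]):
        days = (later - earlier).days
        if days > max_gap_days:
            gaps.append((earlier, later, days))
    return gaps


def max_cvss_by_host(findings):
    """Worst CVSS score per host, which is what ties findings back to specific systems."""
    worst = defaultdict(float)
    for f in findings:
        worst[f["host"]] = max(worst[f["host"]], f["cvss"])
    return dict(worst)


def evidence_report(exports):
    """Summarise the whole series of exports the way an assessor would review it."""
    parsed = {scan_date: parse_export(text) for scan_date, text in exports.items()}
    unauthenticated = {scan_date: unauthenticated_hosts(rows)
                       for scan_date, rows in parsed.items() if unauthenticated_hosts(rows)}
    return {
        "scan_dates": sorted(parsed),
        "cadence_gaps": cadence_gaps(parsed),
        "unauthenticated": unauthenticated,
        "latest_worst_cvss": max_cvss_by_host(parsed[max(parsed)]),
    }


if __name__ == "__main__":
    report = evidence_report(SCAN_EXPORTS)
    for earlier, later, days in report["cadence_gaps"]:
        print(f"cadence gap: {days} days between {earlier} and {later}")
    for scan_date, hosts in report["unauthenticated"].items():
        print(f"{scan_date}: unauthenticated results only for {', '.join(hosts)}")
    print("latest scan, worst CVSS per host:", report["latest_worst_cvss"])
```

Run against real exports, the two findings this produces (a 145-day gap between the second and third scan, and a host that was never scanned with credentials) are exactly the two things the text says make RA.L2-3.11.2 evidence weak; a pass means the scan series itself is defensible, not that the findings were remediated.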

### Risk Assessment / GRC Platforms

For RA.L2-3.11.1 (periodically assess risk) and for supporting CA.L2-3.12.1 (assess security controls), you need a process and documentation for risk assessment — not necessarily a sophisticated platform.

What NIST 800-171 actually requires: a documented risk assessment that identifies threats and vulnerabilities to your CUI systems, assesses likelihood and impact, and informs your security decisions. It does not require a specific tool. A well-maintained spreadsheet-based risk register with documented assessments satisfies this requirement.

That said, if you're managing a complex environment (100+ systems, multiple sites, many CUI workflows), dedicated tooling helps:

ZenGRC — compliance and risk management platform, good balance of GRC functionality and usability. Pricing: $15,000–$30,000 per year. Supports risk register management, control mapping to CMMC, and evidence organization.

LogicGate Risk Cloud — more flexible, no-code configuration, good for organizations that want to customize their risk assessment workflows. Higher implementation effort; pricing starts around $20,000 per year.

CISA's Risk and Vulnerability Assessment (RVA) — CISA offers free risk assessments for critical infrastructure organizations, including many defense contractors. Worth exploring if you're early in your program and resource-constrained.

NIST OSCAL — not a platform, but a machine-readable format for SSPs and risk assessment documentation. If your compliance platform supports OSCAL, your risk assessment data becomes interoperable with other tools and potentially with your C3PAO's assessment workflow.

The distinction between a standalone risk register tool and a full GRC platform matters more than the vendor landscape suggests. A risk register tool — whether a structured spreadsheet, CISA's RMAT, or a lightweight SaaS product — captures threats, vulnerabilities, likelihood, impact ratings, and your mitigation decisions. That's what RA.L2-3.11.1 actually asks for. A GRC platform does all of that plus control mapping across frameworks, evidence collection, policy management, audit workflow, and multi-framework reporting. The added functionality is useful for organizations managing CMMC alongside FedRAMP, NIST CSF, or SOC 2 simultaneously, but it comes at three to five times the cost and meaningfully higher implementation overhead. If CMMC is your only compliance driver and your CUI scope is well-defined, a risk register tool plus a dedicated vulnerability scanner covers the RA domain requirements without the operational weight of a full GRC deployment.

For small-to-mid organizations (under 200 employees, one to three sites), a spreadsheet risk register combined with a vulnerability scanner is often sufficient for the RA domain. The complexity doesn't justify a $25,000 GRC platform.
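The "well-maintained spreadsheet risk register" the text describes is just a table with the fields NIST SP 800-171 asks for: threat, vulnerability, likelihood, impact, mitigation decision, and the date of the assessment. The following is an added example, not from the article or any product, of that register as a data structure with the two checks an assessor applies to it: scoring and ranking entries by likelihood and impact, and flagging entries whose last assessment is older than the annual review interval. The 1–5 scales, the rating bands, and every register entry are constructed assumptions for the example; NIST SP 800-171 prescribes no particular scale.

```python
from datetime import date

# 1-5 scales for likelihood and impact; the bands are an assumption for this example.
RATING_BANDS = [(15, "high"), (8, "moderate"), (1, "low")]  # applies where score >= threshold
REVIEW_INTERVAL_DAYS = 365  # "update annually", per the text
AS_OF = date(2024, 10, 1)   # constructed "today" for the staleness check

# Constructed register entries: hypothetical assets, threats, ratings and dates.
RISK_REGISTER = [
    {"id": "R-01", "asset": "CUI file server", "threat": "Ransomware delivered by phishing",
     "vulnerability": "Users hold local admin rights", "likelihood": 4, "impact": 5,
     "mitigation": "Remove local admin; EDR deployed", "last_assessed": date(2024, 3, 1)},
    {"id": "R-02", "asset": "Engineering workstations", "threat": "Exploitation of unpatched software",
     "vulnerability": "Quarterly patch cycle only", "likelihood": 3, "impact": 3,
     "mitigation": "Move to monthly patching", "last_assessed": date(2023, 2, 15)},
    {"id": "R-03", "asset": "Badge-controlled server room", "threat": "Tailgating",
     "vulnerability": "Single door, no visitor escort", "likelihood": 2, "impact": 2,
     "mitigation": "Visitor escort policy", "last_assessed": date(2024, 6, 20)},
]


def risk_score(entry):
    """Likelihood x impact on the 1-5 scales; the number is a ranking aid, not a measurement."""
    for field in ("likelihood", "impact"):
        if not 1 <= entry[field] <= 5:
            raise ValueError(f"{entry['id']}: {field} must be between 1 and 5")
    return entry["likelihood"] * entry["impact"]


def risk_rating(score):
    """Map a score to the qualitative band the register reports to management."""
    for threshold, label in RATING_BANDS:
        if score >= threshold:
            return label
    raise ValueError(f"score {score} is below the lowest band")


def stale_entries(register, as_of=AS_OF, max_age_days=REVIEW_INTERVAL_DAYS):
    """IDs whose last assessment is older than the review interval (a 'periodically' finding)."""
    return [e["id"] for e in register if (as_of - e["last_assessed"]).days > max_age_days]


def prioritized(register):
    """Entries ordered worst-first, the order in which mitigation decisions should be made."""
    return sorted(register, key=risk_score, reverse=True)


def register_summary(register, as_of=AS_OF):
    """One row per entry with score, rating and staleness, which is what gets shown to an assessor."""
    stale = set(stale_entries(register, as_of))
    return {
        e["id"]: {"score": risk_score(e), "rating": risk_rating(risk_score(e)), "stale": e["id"] in stale}
        for e in prioritized(register)
    }


if __name__ == "__main__":
    for entry_id, row in register_summary(RISK_REGISTER).items():
        flag = "  <- reassess" if row["stale"] else ""
        print(f"{entry_id}: score {row['score']:2d} ({row['rating']}){flag}")
```

The staleness check is the part worth automating: it is the same test the assessor applies when deciding whether a register "reflects current conditions", and it is the one a spreadsheet silently fails.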

### POA&M and Remediation Tracking

RA.L2-3.11.3 requires you to remediate vulnerabilities according to your risk assessments. This means you need a way to track findings from your vulnerability scanner, prioritize them, assign owners, and document completion. This is the Plan of Action and Milestones (POA&M) function.

Some compliance platforms (Drata, Secureframe, Hyperproof) include POA&M functionality as part of their broader CMMC evidence management. If you're already using one of those, use their POA&M features.

If not, options include:

  • Jira or ServiceNow with a custom vulnerability tracking workflow (many organizations already have these)
  • Dedicated POA&M tools designed for CMMC environments
  • A spreadsheet-based POA&M following the CMMC POA&M guidance (acceptable, but requires discipline to maintain)

The assessor will want to see that your POA&M is current, that findings are tracked from discovery through remediation, and that remediation timelines align with your risk-based prioritization. A common industry benchmark is critical findings within 30 days, high within 60 days, and medium within 90 days.
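Whatever tool holds the POA&M, the logic an assessor checks is the same: each finding gets a due date from its severity tier, the due date tightens when the risk assessment rates the affected asset as high impact, and open findings past their due date are visible. The following is an added example, not from the article or any POA&M product, of that logic over constructed findings. The 30/60/90-day tiers come from the text; the 180-day "low" tier, the one-tier escalation for high-impact assets, and all hosts, dates and owners are assumptions for the example.

```python
from datetime import date, timedelta

# Remediation benchmark quoted in the text; the 'low' tier is an added assumption.
SLA_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}
TIERS = ["low", "medium", "high", "critical"]

# Constructed output of the risk assessment: hosts rated high impact in the register.
HIGH_IMPACT_HOSTS = {"10.0.1.12"}

# Constructed findings carried from scan reports into the POA&M.
FINDINGS = [
    {"id": "F-001", "host": "10.0.1.10", "cvss": 9.8, "owner": "sysadmin",
     "discovered": date(2024, 1, 15), "closed": date(2024, 2, 10)},
    {"id": "F-002", "host": "10.0.1.10", "cvss": 5.3, "owner": "sysadmin",
     "discovered": date(2024, 1, 15), "closed": None},
    {"id": "F-003", "host": "10.0.1.11", "cvss": 7.5, "owner": "desktop-team",
     "discovered": date(2024, 1, 15), "closed": date(2024, 5, 1)},
    {"id": "F-004", "host": "10.0.1.12", "cvss": 4.3, "owner": "web-team",
     "discovered": date(2024, 7, 20), "closed": None},
]
AS_OF = date(2024, 10, 1)  # constructed "today"


def severity_from_cvss(score):
    """CVSS v3 qualitative bands: 9.0+ critical, 7.0+ high, 4.0+ medium, else low."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def effective_severity(finding):
    """Severity after risk-based prioritisation: high-impact assets move up one tier (assumption)."""
    tier = severity_from_cvss(finding["cvss"])
    if finding["host"] in HIGH_IMPACT_HOSTS and tier != "critical":
        tier = TIERS[TIERS.index(tier) + 1]
    return tier


def due_date(finding):
    """Discovery date plus the SLA for the finding's effective severity."""
    return finding["discovered"] + timedelta(days=SLA_DAYS[effective_severity(finding)])


def poam_status(finding, as_of=AS_OF):
    """closed / closed-late for remediated findings; open / overdue for the rest."""
    due = due_date(finding)
    if finding["closed"] is not None:
        return "closed" if finding["closed"] <= due else "closed-late"
    return "overdue" if as_of > due else "open"


def poam_report(findings, as_of=AS_OF):
    """One row per finding with the fields an assessor asks for: owner, due date, status."""
    return [
        {"id": f["id"], "host": f["host"], "severity": effective_severity(f),
         "owner": f["owner"], "due": due_date(f), "status": poam_status(f, as_of)}
        for f in findings
    ]


def status_counts(rows):
    """Rollup for the POA&M cover sheet, e.g. how many findings are overdue right now."""
    counts = {}
    for row in rows:
        counts[row["status"]] = counts.get(row["status"], 0) + 1
    return counts


if __name__ == "__main__":
    rows = poam_report(FINDINGS)
    for row in rows:
        print(f"{row['id']} {row['host']:<10} {row['severity']:<8} due {row['due']} {row['status']}")
    print(status_counts(rows))
```

Note what the escalation does to F-004: a medium-severity finding that would be comfortably within its 90-day window becomes overdue because the register rates that host high impact. That is the link between RA.L2-3.11.1 and RA.L2-3.11.3 an assessor is looking for when asking whether timelines "align with your risk-based prioritization".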

## The Decision Framework

Small organization (under 50 employees, single site, fewer than 50 systems in CUI scope):

  • Vulnerability scanner: Nessus Professional (~$4,000/year) or Tenable.io small tier (~$5,000–$7,000/year)
  • Risk assessment: document in a spreadsheet risk register, update annually and after significant changes
  • POA&M: spreadsheet or Jira
  • GRC platform: not required at this size; adds cost without proportional benefit

Total tooling cost: $4,000–$8,000 per year.

Mid-size organization (50–300 employees, one to three sites, 50–200 in-scope systems):

  • Vulnerability scanner: Tenable.io or Qualys VMDR ($8,000–$20,000/year depending on asset count)
  • Compliance/GRC platform with CMMC module: Secureframe, Drata, or Vanta ($15,000–$35,000/year)
  • POA&M: included in the compliance platform
  • Risk assessment: use the GRC platform's risk register, supplemented by annual formal risk assessment documentation

Total tooling cost: $23,000–$55,000 per year.

Complex organization (300+ employees, multiple sites, complex CUI scope, or seeking Level 3):

  • Vulnerability scanner: Tenable.io enterprise tier or Qualys VMDR enterprise ($20,000–$50,000/year)
  • Enterprise GRC platform: ZenGRC, LogicGate, or AuditBoard ($25,000–$60,000/year)
  • Consider Qmulos if your organization already uses Splunk as your SIEM

Total tooling cost: $45,000–$110,000+ per year.

## Common Mistakes

Over-buying the GRC platform. The most frequent mistake: a small defense contractor with 40 employees and a well-defined CUI enclave buys a $30,000 enterprise GRC platform because it looked impressive in a demo. They then spend more time maintaining the platform than they spend on actual security work. For small organizations, a documented risk management process plus a vulnerability scanner is sufficient. Buy what the requirement asks for, not the most impressive tool in the category.

Running unauthenticated scans. Organizations buy Nessus or Tenable and run it without configuring authenticated scan credentials. Unauthenticated scans find maybe 30–40% of the vulnerabilities that authenticated scans would find. Your assessor checks your scan configuration, not just your scan reports. If your scans aren't authenticated, the RA.L2-3.11.2 evidence is weak.

Scanning but not remediating. Having a vulnerability scanner that runs regularly is half the requirement. The other half is documenting remediation. Organizations that scan, find 200 vulnerabilities, and then make no documented effort to remediate them have satisfied the evidence collection part of the requirement but not the risk management part. The scanner is meaningless without the POA&M.

Treating the risk assessment as a one-time document. RA.L2-3.11.1 says "periodically" — your assessor will look at when your risk assessments were conducted and whether they reflect current conditions. A risk assessment written in 2023 that hasn't been updated is a finding. Update your risk assessment annually and document it whenever significant changes occur: new systems in scope, new CUI workflows, major architectural changes.

## What Your Assessor Expects

For the Risk Assessment domain, your assessor will examine your vulnerability scan reports, your risk assessment documentation, your POA&M, and evidence of remediation. They'll interview the person responsible for vulnerability management and risk assessment.

Specifically:

  • RA.L2-3.11.2 evidence: scan reports from multiple periods showing authenticated scans of in-scope systems, CVSS scoring, and how findings were prioritized
  • RA.L2-3.11.1 evidence: a risk register or risk assessment document, dated, covering threats and vulnerabilities to CUI systems, with likelihood and impact ratings
  • RA.L2-3.11.3 evidence: your POA&M showing findings and their remediation status, with dates

The common assessor comment for organizations that struggle with this domain: they have the scanner but no formal risk assessment, or they have a risk assessment document but it hasn't been maintained. Both pieces need to be present.

The tool selection matters less than the process discipline. A Nessus scanner with a well-maintained POA&M and an annual documented risk assessment will satisfy the RA domain requirements. A $50,000 GRC platform with sporadic scanning and no POA&M will not. Assessors are trained to distinguish between organizations that have a real risk management process and those that bought a platform to demonstrate one. The process has to be real.

---

Before evaluating any risk management tools, document your in-scope asset inventory. The tool choices follow directly from how many assets you need to scan and how complex your risk management process needs to be.