The Risk Assessment (RA) Policy and supporting documents are key components of the CMMC Model. The documents in this collection focus on the identification, assessment, and management of cybersecurity risks. They assign responsibility and timelines for risk assessment activities such as requirements for threat intelligence monitoring, security and risk assessments, and ongoing monitoring of controls. They also contain requirements for performing vulnerability scans, timelines for response to vulnerable systems, legacy systems, and maintenance control. These documents aim to ensure that organizations systematically identify, evaluate, and manage cybersecurity risks to their operations, assets, individuals, and other organizations.