Knowledge Center



A Risk assessment is a process of determining how effectively systems meet specific security objectives. A proper risk assessment plan should answer the following fundamental questions:

  • What is the scope of the assessment?
  • Who is authorized to conduct the assessment?
  • What are the assessment’s logistics?
  • How should sensitive data be handled?
  • What should be done in the event of an accident?

Basic Assessment Methods:

Control              3.11.1          Periodically assess the risk to organizational operations (including mission, functions, image, or reputation)

There are several basic assessment methods that can be employed for periodic review, as outlined below. The specific method(s) for each information system may vary based on its function in the organizational IT and OT infrastructure as a whole.


Testing is the process of exercising one or more assessment objectives under specific conditions to scrutinize vs. anticipated behaviors. The testing assessment involves the following:

External – Security testing conducted from outside the organization’s security perimeter to view the environment security posture seen from the Internet and reveal vulnerabilities that could be exploited by outside attackers. This involves DNS server information from “A” records to Internet Protocol addresses and allows commonly used application protocols such as FTP, HTTP, SMTP, POP, ICMP, and RDP to discover access method vulnerabilities to the internal systems.

Internal – Internal testing takes place inside the perimeter defenses with routers, firewalls, and switches; therefore, some level of temporary, limited internal access, with administrative privileges, is granted to those testing the network infrastructure.


The examination involves inspection, analysis, and study of a system to obtain evidence. Examination techniques include “network sniffing” with allowed and disallowed ports, and security vendor applications, which results in more elaborate scanning and prioritization. Two basic examination methods are:

Overt – Otherwise known as “white hat testing”, this method involves performing internal and external by a third party (with the knowledge and consent of the organization) to evaluate network and system posture comprehensively.

Covert – This “black hat testing” takes an adversarial approach of testing without the knowledge of the organization’s technical staff (with proper documented consent and oversight of senior management). This type of examination reveals aspects of the organization’s security controls, security staff response, and organizational knowledge, implementation, and remediation procedures.


The interviewing method is distinct and self-explanatory … it involves discussions with department heads and individuals within an organization to understand, clarify, and identify the location of the evidence of conformity.



3.11.2               Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.

3.11.3             Remediate vulnerabilities in accordance with risk assessments.

Vulnerability scans are usually performed by products that are “Security Content Automated Protocol” (SCAP), which is a method that uses specific standards to automate vulnerability management and policy compliance evaluation, for checking vulnerabilities and misconfigurations. SCAP standards include XCCDF (Extensible Configuration Checklist Description Format), OVAL (Open Vulnerability and Assessment Language), DataStream, ARF (Asset Reporting Format), CPE (Common Platform Enumeration), CVE (Common Vulnerabilities and Exposure) and CWE (Common Weakness Enumeration). SCAP tools can be found at the NVD (National Vulnerability Database) –

Vulnerabilities that have been identified must be remediated. Remediation results in eradicating a threat, as opposed to mitigation, which controls the threat until remediation can be implemented. There are four fundamental steps in the vulnerability remediation process:

  1. Find: Detection of vulnerabilities through scanning and testing
  2. Prioritize: Understanding which vulnerabilities pose a real and significant threat
  3. Fix: Patching, blocking, and otherwise fixing vulnerabilities at scale and in real-time
  4. Monitor: Automatic monitoring for new vulnerabilities with real-time alerts and notifications.

Need Help?

If you are an Organization Seeking Certification (OSC) and are overwhelmed by the enormity and complexity of CMMC, consider professional services to help you plan, implement, and maintain compliance and ensure uninterrupted eligibility for DoD work.

FoxGuard Solutions delivers reliable, secure, and configurable solutions to solve technology and compliance challenges faced by critical infrastructure entities. With over four decades of experience, our team focuses on delivering customized cybersecurity and compliance solutions.

Our services will help guide your organization through the Discovery, Planning, Execution, and Maintenance phases necessary to allow your organization to attain Cybersecurity Maturity Model Certification (CMMC). Our team of experts will partner with you to review existing policies, processes, procedures, and technical controls to identify any gaps with CMMC requirements. An execution plan will be created that aligns with your needs, budget, and timeline, which outlines a recommended approach to attain CMMC.

As a Microsoft Gold Certified Partner, FoxGuard Solutions has experience in delivering both on-premises and cloud-based solutions to assist you with your compliance needs.

FoxGuard Solutions is ISO 9001 and ISO 27001 certified and is a CMMC Registered Provider Organization.
Please visit for more information.

Want to know more about our products

Click outside to hide the comparison bar
Scroll to Top