3.11 — Risk Assessment

Risk Assessment (RA) Policy

Establishes requirements for periodically assessing risk to OCSI operations, assets, and individuals — covering 3 controls per NIST SP 800-171 Rev 2.

Family: 3.11 — RA
Controls: 3
Owner: Kit E. Floyd, Jr.
Last Review: April 3, 2026
SELF-ASSESSMENT

Control statuses below reflect an internal self-assessment prepared with AI assistance. Statuses marked "Implemented" may be organizational claims without verifiable evidence. See POA&M for known gaps.

Policy Statement

OCSI shall periodically assess the risk to organizational operations (including mission, functions, image, reputation), organizational assets, and individuals resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. An external MSSP provides independent risk assessment services as part of an ongoing cybersecurity partnership.

Control Implementation
Control: 3.11.1
Requirement: Periodically assess the risk to organizational operations, organizational assets, and individuals.
Implementation: PARTIAL. A risk assessment document exists (Risk Assessment Report) covering web application threats, data breach scenarios, and hosting risks. However, this was an AI-assisted self-assessment, not an external MSSP assessment. No prior risk assessments exist. No recurring schedule established.
Status: Partial

Control: 3.11.2
Requirement: Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
Implementation: NOT IMPLEMENTED. No vulnerability scanning tools are in use. No external MSSP performs scans. No automated scanning of any kind. No NVD monitoring process. This is a critical gap requiring a scanning tool or MSSP engagement.
Status: Not Implemented

Control: 3.11.3
Requirement: Remediate vulnerabilities in accordance with risk assessments.
Implementation: PARTIAL. Risk-based SLA defined (Critical: 24hr, High: 72hr, Medium: 30 days, Low: 90 days). POA&M tracks 13 open items. However, this is the first formal gap analysis — no prior vulnerability remediation cycle has been completed.
Status: Partial
Risk Matrix
Risk Level | Remediation SLA | Approval Required            | External MSSP Involvement
Critical   | 24 hours        | President + Security Officer | Immediate notification
High       | 72 hours        | Security Officer             | Next-day consultation
Medium     | 30 days         | Security Officer             | Quarterly review
Low        | 90 days         | Developer                    | Quarterly review
Review Schedule: A full risk assessment needs to be conducted annually with an external MSSP (not yet engaged). Vulnerability scanning tools need to be procured and configured. No recurring assessment cycle currently exists.