// THREAT DETECTION AND DATA PRIVACY TERM

Risk Assessment

Risk assessment is the process of identifying potential threats and vulnerabilities to an organization's assets, evaluating the likelihood of a successful attack, and determining the potential impact if such an event occurs. This helps in understanding the level of risk and prioritizing security measures.

TECHNICAL DEFINITION

Risk assessment in cybersecurity and defense involves systematically identifying, analyzing, and evaluating potential threats, vulnerabilities, and their associated impact on critical assets. It quantifies the likelihood and consequence of adverse events to inform strategic risk management and the implementation of appropriate security controls and mitigation strategies. It is a foundational component for establishing an organization's security posture and guiding resource allocation decisions.

BACKGROUND

Assured Compliance Assessment Solution (ACAS) is a suite of information security software tools used for vulnerability scanning and risk assessment by agencies of the United States Department of Defense (DoD). It performs automated vulnerability scanning and device configuration assessment. ACAS was implemented by the DoD in 2012, with contracts awarded to Tenable, Inc. (then known as Tenable Network Security) and Hewlett Packard Enterprise Services to improve cybersecurity within the DoD. It is mandated by regulations for all DoD agencies and is deployed via download. Part of the ACAS software passively monitors network traffic and identifies new network hosts and applications that are vulnerable to compromise. It also generates required reports and data that are remotely accessible through a centralized console, and it is Security Content Automation Protocol (SCAP) compliant. The Defense Information Systems Agency's Cyber Development (CD) provides program management and support in the deployment of ACAS. The Army's Systems Engineering and Integration Directorate said in 2016 that ACAS gives the Army "a clear, specific and timely picture of cyber vulnerabilities and how they are being addressed. Not only does the technology streamline processes at the operator level, it also enables broader goals such as the Cybersecurity Scorecard and automated patching for improved mission assurance."


SYNONYMS & ALIASES

  • Risk Analysis
  • Threat Assessment
  • Vulnerability Assessment
  • Security Risk Assessment
  • Hazard Analysis

USAGE NOTE

Risk assessments are crucial for military and intelligence organizations to prioritize cybersecurity investments, develop incident response plans, and maintain operational readiness against evolving threats.

DEVELOPERS

Organizations developing technology related to Risk Assessment.

  • Tenable

    Develops exposure management solutions, including Tenable.io and Nessus, that help organizations identify, assess, and prioritize cyber risks based on vulnerabilities, misconfigurations, and other security exposures across their IT environments.

  • Rapid7

    Provides security analytics and automation solutions that enable organizations to assess, monitor, and reduce their cyber risk exposure through vulnerability management, threat detection, and incident response capabilities.

  • Archer

    Offers a comprehensive suite of governance, risk, and compliance (GRC) solutions, including platforms for enterprise risk management, operational risk management, and IT risk assessment to help organizations identify and mitigate risks.

  • ServiceNow

    Provides a platform with integrated risk management capabilities within its GRC module, allowing organizations to automate and streamline risk assessment, analysis, and response processes across their enterprise.

  • MetricStream

    Delivers governance, risk, and compliance (GRC) solutions, including platforms for comprehensive enterprise risk assessment, operational risk management, and regulatory compliance management.

  • Qualys

    Develops a cloud-based platform for IT, security, and compliance, offering solutions for vulnerability management, cyber risk quantification, and continuous security posture assessment.

  • LogicManager

    Provides an integrated risk management (IRM) software platform that helps organizations identify, assess, manage, and report on risks across their enterprise through a centralized framework.

  • RiskRecon (a Mastercard company)

    Offers technology that automates third-party cyber risk assessment, providing actionable insights into vendors' security posture to help organizations manage supply chain risk.
