Security management begins with an assessment of risks. While risk assessments are essential, they do not have to be complicated.
According to OMB Circular A-130, “… substantial resources have been expended doing complex analyses of specific risks to systems, with limited tangible benefit in terms of improved security for the systems. Rather than continue to try to precisely measure risk, security efforts are better served by generally assessing risks and taking actions to manage them.”
Risk assessments need not be complex and time-consuming. Rather, these assessments should be performed in a manner that fits system requirements, time demands, and budget constraints.
By taking the complexity out of the risk assessment process, IMSG has established a reputation for providing rapid and effective risk assessments for a growing number of Federal government agencies. We provide independent risk assessments that identify risks, likelihoods, and impacts associated with applicable system threats and vulnerabilities.
We use a tool-enabled process that starts with system categorization (FIPS-199) and results in the delivery of a Risk Assessment Report that complies with Federal and agency-specific policies, in a format consistent with NIST guidelines.
We also ensure that the Risk Assessment Report is integrated into the System Security Plan, which helps to form the basis of a coherent and consistent C&A package.