Risk and Vulnerability Assessments Help Strengthen Cybersecurity & Privacy Programs

Risk and Vulnerability Assessments Help Strengthen Cybersecurity & Privacy Programs


Today’s evolving cyber threats faced by Federal departments and agencies cover a wide range of malicious activities from nation-state sponsors, criminal organizations, terrorist groups, hacktivists, insider threats, and others. Securing networks, systems, and applications demands a multi-layered approach that provides defense-in-depth to protect valuable data and information. A key step in this process is a Risk and Vulnerability Assessment (RVA), which assesses threats and vulnerabilities; determines deviations from acceptable configurations, enterprise, or local policy; assesses the level of risk; and develops and/or recommends appropriate mitigation countermeasures in operational and non-operational situations.

Criterion’s RVA services help organizations to strengthen their Cybersecurity & Privacy Program (CS&P) and optimize their CS&P investments. By improving asset inventories, better identifying security vulnerabilities and noncompliance with standards, and offering justified next steps for correcting, mitigating, and remediating these findings, we help customers create a stronger, more resilient CS&P program. Furthermore, standardization and completeness of RVA policies, processes, and procedures lead to high confidence in the outcomes and efficiencies of Criterion’s RVA services. With increased context and links between RVA services and the mission/business impact, organizations will be better able to make decisions regarding CS&P investments.

RVA Benefits

There are several benefits to undertaking an RVA:

  • Strengthen CS&P program by creating stronger link between RVA services and mission impact by enabling a clearer and more accurate risk/benefit/cost curve.
  • Optimize CS&P investments (know what you have in place and identify what you need with higher confidence) – cost/performance optimization.
  • Improve ability to identify systemic security issues based on the analysis of vulnerability and configuration data.
  • Improve conduct of required reviews as appropriate within environment (e.g., periodic assessments, reviews, compliance and vulnerability scans, penetration testing, etc.).
  • Improve performance of technical (evaluation of technology) and non-technical (evaluation of people and operations) risk and vulnerability assessments of relevant technology focus areas (i.e., local computing environment, network and infrastructure, enclave boundary, and supporting infrastructure).
  • Maintain and enhance current knowledge of applicable CS&P policies, regulations, and compliance guidance specifically related to CS&P auditing, assessment, review, and evaluation.

Criterion’s Approach

The targets of the proactive RVA are the day-to-day organizational systems with the purpose of assessing threats and vulnerabilities; determining deviations from acceptable configurations, enterprise or local policy; assessing the level of risk; and developing/recommending appropriate mitigation strategies and/or remediation recommendations in operational and non-operational situations. Criterion’s RVA process has three major phases (pre-assessment, assessment/testing, post-assessment) and applicable supporting activities, including Network Mapping, Vulnerability Scanning, Phishing Assessment, Wireless Assessment, Web Application Assessment, Operating System Security Assessment (OSSA), Database Assessment, and Penetration Testing.

RVA Process: Bseline, Identify, Assess, Determine, Recommend, Document

Criterion’s RVA service was developed in our Cybersecurity Center of Excellence, a dedicated group of cybersecurity professionals and subject matter experts (SMEs) with a focus on understanding and extending industry best practices. This development and application of practical, innovative, and continuously improving cybersecurity approaches, methodologies, and technologies directly benefits our customers today and into the future, as they tap into Criterion’s specialized expertise. Adding RVA to our customers’ Focused Operations teams enables them to move beyond their current capabilities, keeping ahead of adversaries while they continually mature their systems.

Criterion’s RVA services are already being used by our Federal customers either as a stand-alone solution or combined with Criterion’s Cybersecurity Operations Center (CSOC) services. Customers can access our services via the General Services Administration (GSA) Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) 54151HACS.