The 8 Most Common Findings in a Cybersecurity Risk Assessment — and How to Remediate Them

What a Cybersecurity Risk Assessment Actually Reveals

Every organization believes its security posture is stronger than it is — until an independent cybersecurity risk assessment puts that assumption to the test. After conducting hundreds of assessments across defense contractors, federal agencies, and regulated industries, the team at Cleared Systems sees the same categories of findings surface again and again. The specific vulnerabilities differ, but the structural gaps are remarkably consistent.

This post is not a theoretical overview. It is a practical field guide drawn from real assessment work. If you are a compliance manager or executive preparing for a formal assessment — or trying to understand what one will find — use this as a baseline to evaluate your current program before an assessor does it for you.

For a deeper look at how we structure formal engagements, visit our Federal & SLED Risk Assessments service page.

Finding 1: No Formal, Documented Risk Assessment Process

The most foundational finding is the absence of a repeatable, documented risk assessment methodology. Many organizations perform informal reviews — someone in IT checks a few settings, leadership has a gut feeling about exposure — but nothing is documented, dated, or tied to a risk register.

Why it matters: NIST SP 800-171, CMMC Level 2, and DFARS 252.204-7012 all require a formal risk assessment process. Without documentation, you cannot demonstrate compliance, track risk over time, or produce evidence for auditors.

Remediation: Establish a documented risk assessment methodology aligned to NIST SP 800-171 or NIST CSF. Define assessment frequency (at minimum annually and after significant changes), assign ownership, and maintain a risk register that is reviewed by leadership on a regular cycle. Our post on cybersecurity risk management covers the foundational concepts in plain language.

Finding 2: Incomplete or Inaccurate System Security Plans

The System Security Plan (SSP) is the cornerstone document of any compliance program. In practice, we encounter SSPs that are copied from templates, years out of date, or describe a system boundary that no longer reflects the actual environment. An inaccurate SSP is often worse than no SSP — it creates a false assurance that controls are in place when they are not.

Remediation: Conduct a line-by-line review of your SSP against your current environment. Map every control to evidence of implementation. If your SSP was written more than 12 months ago and your environment has changed, treat it as a gap. Reference our detailed breakdown of SSPs and POA&Ms as critical components of a strong security program for structural guidance.

Finding 3: Uncontrolled Access to Controlled Unclassified Information (CUI)

Access control deficiencies are among the most frequently cited findings across every regulatory framework we assess against. The most common version: CUI is accessible to employees who have no business need to access it, shared drives lack role-based permissions, or former employees retain active credentials.

Why it matters: Least-privilege access is a core requirement under NIST SP 800-171 and CMMC. Uncontrolled access dramatically expands the attack surface and the blast radius of any breach.

Remediation: Conduct an access rights review immediately. Implement role-based access control (RBAC), enforce least privilege, and establish a formal off-boarding procedure that includes credential revocation. Pair this with a clear understanding of what Controlled Unclassified Information actually is and where it lives in your environment.
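The access rights review described above, as an added example (not Cleared Systems' tooling): it cross-references an account export against an HR terminated-employee list and an RBAC matrix, flagging stale credentials and CUI share access that a role does not grant. The share names, roles, and accounts are constructed sample data.

```python
"""Access rights review for CUI shares (added example, constructed data)."""
from dataclasses import dataclass

# Constructed RBAC matrix: the CUI shares each role is entitled to reach.
ROLE_ENTITLEMENTS = {
    "contracts": {"cui-contracts"},
    "engineering": {"cui-engineering"},
    "it-admin": {"cui-contracts", "cui-engineering"},
    "marketing": set(),
}


@dataclass
class Account:
    user: str
    role: str
    active: bool
    shares: frozenset  # CUI shares the account can currently reach


def review_access(accounts, terminated_users):
    """Return (user, finding, detail) tuples; an empty list means no findings.

    stale-credential : active account for someone HR lists as terminated
    excess-cui-access: share reachable by the account but not granted to its role
    """
    findings = []
    for acct in accounts:
        if acct.active and acct.user in terminated_users:
            findings.append((acct.user, "stale-credential",
                             "active account for terminated employee"))
        allowed = ROLE_ENTITLEMENTS.get(acct.role, set())
        for share in sorted(acct.shares - allowed):
            findings.append((acct.user, "excess-cui-access",
                             f"{share} not granted to role '{acct.role}'"))
    return findings


# Constructed sample export: one clean account, one over-entitled, one not off-boarded.
SAMPLE_ACCOUNTS = [
    Account("alice", "contracts", True, frozenset({"cui-contracts"})),
    Account("bob", "marketing", True, frozenset({"cui-engineering"})),
    Account("carol", "engineering", True, frozenset({"cui-engineering"})),
]
SAMPLE_TERMINATED = {"carol"}  # constructed HR roster of terminated users

if __name__ == "__main__":
    for user, kind, detail in review_access(SAMPLE_ACCOUNTS, SAMPLE_TERMINATED):
        print(f"{user:8} {kind:18} {detail}")
```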

Finding 4: Inadequate Multi-Factor Authentication Deployment

Multi-factor authentication (MFA) is frequently identified as partially deployed rather than fully deployed. Organizations enable MFA for email but not for VPN access, remote desktop, or privileged accounts. Partial deployment is not compliant deployment.

Remediation: Audit every access pathway into your environment — remote access, cloud systems, privileged accounts, and administrative consoles. MFA must be enforced on all of them, not just the most visible ones. This is a straightforward technical remediation with significant risk reduction impact and is directly required under CMMC Level 2 and DFARS compliance obligations.

Finding 5: Absence of Endpoint Detection and Response Controls

Legacy antivirus solutions are not sufficient to satisfy modern threat detection requirements. During assessments, we routinely find endpoints — including servers and workstations handling CUI — running outdated signature-based tools without behavioral detection, logging, or centralized visibility.

Remediation: Deploy an Endpoint Detection and Response (EDR) solution across all in-scope assets. Ensure logs are forwarded to a centralized SIEM or monitoring platform. Review our post on endpoint security fundamentals for a solid technical grounding on what modern endpoint protection requires. Integrate endpoint telemetry into your incident response process so detections trigger defined actions, not ad hoc responses.

Finding 6: No Tested Incident Response Plan

The existence of an incident response plan in a folder is not the same as having an operational incident response capability. The most common finding is not the complete absence of a plan — it is the absence of evidence that the plan has ever been tested, exercised, or updated to reflect the current environment.

Why it matters: DFARS 252.204-7012 requires contractors to report cyber incidents to DoD within 72 hours. If your team has never run a tabletop exercise or practiced the reporting workflow, the 72-hour clock will expose serious gaps under real conditions.

Remediation: Schedule a tabletop exercise at minimum annually. Update the plan after every exercise and after every real incident. Confirm that reporting workflows, contact lists, and escalation paths are current. Building a tested plan is a core deliverable of our Regulatory vCISO Services engagements.

Finding 7: Gaps in Configuration Management and Patch Cadence

Configuration management findings typically fall into two categories: systems running outdated software with known vulnerabilities, and systems that have drifted from their baseline configuration with no documentation explaining why. Both represent exploitable attack surface.

Remediation: Establish a formal patch management policy with defined SLAs for critical, high, and medium vulnerabilities. Maintain configuration baselines for all system types. Conduct vulnerability scans on a regular cycle and track remediation in your POA&M. Understanding the difference between vulnerability scanning and penetration testing will help you determine which tool is appropriate at each stage of your program.

Finding 8: Insufficient Supply Chain and Third-Party Risk Controls

As the defense industrial base faces increasing scrutiny over supply chain risk, this finding is becoming more prominent in every assessment we conduct. Organizations frequently lack visibility into what systems their vendors can access, whether those vendors meet baseline security requirements, and how CUI flows through third-party relationships.

Why it matters: CMMC 2.0 requirements flow down to subcontractors. If your vendors handle or can access CUI, their security posture becomes your compliance problem. Prime contractors who cannot document subcontractor security controls are increasingly exposed during audits.

Remediation: Implement a formal vendor risk management program. At minimum, require vendors with CUI access to attest to their security practices, complete a questionnaire aligned to NIST SP 800-171, and undergo periodic review. Contractual flow-down language alone is insufficient. Active oversight is required. Our Compliance Program Development service helps organizations build vendor risk management into their broader compliance architecture.

Turning Findings Into a Remediation Roadmap

A cybersecurity risk assessment is not a pass/fail event. It is a diagnostic tool. The value is not in the findings report itself — it is in what your organization does with that information over the next 90 to 180 days. Each finding should be entered into a POA&M with a defined owner, a target completion date, and interim mitigations where the full fix will take time.
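The POA&M tracking described here and the severity-based patch SLAs from Finding 7, as an added example (not Cleared Systems' tooling): it computes each entry's due date from its severity, then reports whether it is closed, on track, overdue, or overdue without an interim mitigation or owner. The SLA day counts are assumed policy values (the post only says SLAs must be defined), and all entries and dates are constructed.

```python
"""POA&M SLA tracker for assessment findings (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed SLA policy: days from discovery to required remediation, by severity.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90}


@dataclass
class PoamEntry:
    weakness: str
    severity: str
    discovered: date
    owner: str = ""
    interim_mitigation: str = ""
    closed: Optional[date] = None


def due_date(entry):
    """Target completion date implied by the severity SLA."""
    return entry.discovered + timedelta(days=SLA_DAYS[entry.severity])


def evaluate(entries, today):
    """Map weakness -> status: closed | on-track | overdue | overdue-unmitigated,
    with ',no-owner' appended to any open entry that has no assigned owner."""
    report = {}
    for e in entries:
        if e.closed is not None:
            status = "closed"
        elif today <= due_date(e):
            status = "on-track"
        elif e.interim_mitigation:
            status = "overdue"  # late, but risk is being held down meanwhile
        else:
            status = "overdue-unmitigated"  # late with nothing in place
        if status != "closed" and not e.owner:
            status += ",no-owner"
        report[e.weakness] = status
    return report


TODAY = date(2024, 3, 1)  # constructed reference date
SAMPLE_POAM = [  # constructed findings
    PoamEntry("Unpatched VPN appliance", "critical", date(2024, 2, 1), owner="IT Ops"),
    PoamEntry("Outdated OpenSSL on fileserver", "high", date(2024, 2, 10),
              owner="IT Ops", interim_mitigation="host moved to isolated VLAN"),
    PoamEntry("Workstation config drift", "medium", date(2023, 11, 1)),
    PoamEntry("Legacy AV on servers", "high", date(2024, 1, 5), owner="SecOps",
              closed=date(2024, 1, 20)),
]

if __name__ == "__main__":
    for weakness, status in evaluate(SAMPLE_POAM, TODAY).items():
        print(f"{status:28} {weakness}")
```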

Organizations that treat the assessment as a compliance checkbox rather than an operational improvement exercise consistently underperform on follow-on audits. Those that use findings to drive systematic remediation build programs that hold up under DIBCAC reviews, C3PAO assessments, and contract-level scrutiny.

The eight findings above are not exhaustive, but they represent the highest-frequency, highest-risk gaps we see across the federal contractor community. If your organization has unresolved exposure in even three or four of these areas, you have meaningful work ahead before your next assessment cycle.

Ready to Know Where You Actually Stand?

Cleared Systems conducts independent cybersecurity risk assessments for defense contractors, federal agencies, and regulated organizations across the country. Whether you need a gap assessment ahead of a CMMC audit, a full NIST SP 800-171 evaluation, or an executive-level risk briefing, we can scope an engagement to fit your timeline and budget. Request a quote today, or explore our engagement models to find the right fit for your organization.
