Workshop applying NIST SP 800-30 Rev. 1 to a sample federal contractor environment. Covers threat source characterization, vulnerability identification, likelihood and impact analysis, risk determination, and risk response. Output is a defensible risk assessment artifact suitable for ATO packages and CMMC evidence.
This four-hour virtual workshop walks compliance practitioners through a complete, end-to-end risk assessment using the NIST SP 800-30 Rev. 1 methodology applied to a realistic sample federal contractor environment. Rather than reviewing the framework in the abstract, you will work through each step of the process as it actually appears in practice — producing documentation that holds up under assessor scrutiny.
The workshop opens with structured threat source identification. You will learn how to categorize threat sources — adversarial, accidental, structural, and environmental — and develop the threat event tables that anchor a defensible risk assessment. Instructor Carl B. Johnson draws on operational experience to show how threat characterization decisions affect every downstream determination in the assessment.
With threat sources established, you will move into vulnerability identification against the sample contractor environment. This segment covers how to map organizational, process-level, and technical vulnerabilities to the threat events you have defined, and how to document that mapping in a format assessors and authorizing officials expect to see.
One of the most scrutinized portions of any risk assessment is the analytic rationale behind likelihood and impact ratings. This session spends significant time on how to select and justify rating scales (SP 800-30 Rev. 1 offers both qualitative and semi-quantitative scales for likelihood and impact in its appendices), how to apply them consistently across diverse threat scenarios, and how to avoid the common documentation gaps that cause assessors to question an assessment's credibility.
You will combine likelihood and impact values into overall risk determinations, using the level-of-risk matrix from SP 800-30 Rev. 1 Appendix I, and then work through risk response options — acceptance, avoidance, mitigation, sharing, and transfer — as they apply to a contractor operating under federal requirements. The workshop covers how risk response decisions connect to Plan of Action and Milestones (POA&M) entries and how to frame those decisions for leadership and authorizing officials.
The final segment focuses on assembling your analysis into a complete, structured risk assessment report. You will see how the artifact must be organized to serve double duty: supporting an Authorization to Operate (ATO) package and functioning as audit-ready evidence for a CMMC assessment. Formatting, traceability, and version control practices are all addressed.
Organizations looking to embed this capability into an ongoing compliance program may want to explore Compliance Program Development support from Cleared Systems, or learn how our team conducts Federal & SLED Risk Assessments on behalf of contractors who need a fully managed engagement.
This workshop is designed for the practitioners who own or contribute to risk assessment work inside a defense or federal contractor organization. Compliance managers, information system security officers (ISSOs), information system security managers (ISSMs), and GRC analysts who are responsible for producing or reviewing risk documentation will find the session immediately applicable. It is equally valuable for IT managers and security engineers who are asked to provide input into risk assessments but have not had formal training in the NIST SP 800-30 framework.
For managers evaluating whether their team members should attend: if your organization has an ATO to maintain, a CMMC assessment on the horizon, or a risk assessment that has previously been returned with findings by an assessor or auditor, this workshop directly addresses those gaps. The output your team member produces during the session is a usable artifact, not a classroom exercise that stays on a slide deck.
Practitioners supporting CMMC compliance efforts will find this workshop pairs well with a broader understanding of CMMC, CUI & DFARS Compliance requirements.
Risk assessment is not a checkbox activity. Done correctly under NIST SP 800-30 Rev. 1, it is the analytic foundation that justifies every control decision in your security program. This workshop gives your team the structured methodology, the documentation habits, and the hands-on artifact experience to produce risk assessments that satisfy authorizing officials, CMMC assessors, and program managers alike — the first time.
Ask about group rates, private delivery of this curriculum for your team, or whether this session fits your compliance roadmap.