Executive Summary

All systems, and especially electronic systems, require a periodic professional risk assessment. Risk assessments are strongly recommended for compliance with industry-specific privacy and security provisions and requirements.

But these requirements are not just a bureaucratic hurdle. A periodic risk assessment should be part of any organization's line-of-business processes, whatever the industry. Department of Defense contractors and subcontractors, healthcare entities, and institutions of higher education, among others, handle Controlled Unclassified Information (CUI), Protected Health Information (PHI), and other especially sensitive data, and therefore have a serious obligation to ensure that they manage that information responsibly. A thorough risk assessment is the first step that enables such organizations to take reasonable steps to protect the sensitive information entrusted to them.