Risk Management Framework (RMF) Assessments

Understand the state of your security posture so you know where to improve

For many organizations, understanding the current security posture is a significant challenge that prevents improvements to the design and implementation of an end-to-end cybersecurity program.  

MPG’s past performance and accreditations make us an ideal partner for evaluating an organization’s security posture in a top-to-bottom approach. From the program-level to the system-level, we determine where gaps exist that put assets at risk.


During the planning phase, we establish clear rules of engagement. We then meet with the customer, Authorizing Official (AO), and any other stakeholders to discuss the engagement before finalizing a schedule.   


We execute the exhaustive gap analyses assessment against the many Risk Management Frameworks (RMF): 

  • NIST SP 800-53 Revision 4 
  • CMMC 
  • ISO 27001 
  • COBIT  

Assessment observations, associated evidence, test procedures, implementation status, findings, and associated risk(s) will be determined through the following techniques:   


We conduct interviews with customer stakeholders in management and information technology roles to better understand the day-to-day operational security. Our interview process is critical to these phases’ success because understanding the service offering, the associated business processes, and the security controls allow us to develop effective and efficient test procedures.    

Documentation Review   

We review the associated security documentation for your environment. Policies, procedures, diagrams, and supporting evidence must be provided to ensure that we can effectively evaluate the security control implementation status and effectiveness. Any control that cannot be adequately assessed with the evidence, testing, and interviews will be documented within the Gap Analysis Report.   


Physically observing your security controls and processes as customer personnel and/or systems perform them for specific controls. In these cases, support personnel with the knowledge and access to demonstrate security control functionality should be made available.   

Technical Testing

In some instances, MindPoint will need to perform technical testing against documented controls. Technical testing may require population sampling and the gathering of associated artifacts to support control implementation statements.  

The information gathered through these our process will be used to document security control effectiveness and identify control deviations for your service offering.  

Document Results, Findings, and Risks

Upon completing the assessment, the MPG team will document and report assessment results, findings, and associated risks in a standardized or customer-provided Security Assessment Report (SAR) template. The goal is to provide an accurate reflection of your security posture while providing information to evaluate related risks related to identified findings.

We submit our report in draft form to your key stakeholders for review and comment before it’s finalized and formally delivered. Our project close-out meeting is then an opportunity to summarize the reported findings and associated risks and provide completed deliverables.