Risk Assessment Report

Internal risk assessment of the OCSI Staffing Operations Platform — identifying threats, vulnerabilities, and risk levels for all system components.

Document: RA-2026-001Classification: CUIAssessor: OCSI Internal (AI-Assisted) — Not externally validatedDate: April 3, 2026

Executive Summary

This risk assessment evaluates the OCSI Staffing Operations Platform for threats and vulnerabilities that could impact the confidentiality, integrity, and availability of Controlled Unclassified Information (CUI). The assessment covers the web application, Command Center, hosting infrastructure, and supporting processes.

Overall Risk Posture: HIGH — Critical vulnerabilities exist including plaintext credentials in source code, client-side-only authentication (bypassable via DevTools), no MFA, no encryption at rest, no SIEM, and shared hosting. Only 16 of 110 NIST 800-171 controls are technically verified. 13 POA&M items are open.

Open Critical Risks

Open High Risks

Risks Fully Remediated

Threats Assessed

System Under Assessment

Component	Description	Data Types	Risk Relevance
Public Website	Marketing site with 3 design options, About pages, services	Public information only	Reputation, availability
Command Center	Authenticated staffing management application	CUI: candidate PII, client data, placement records	Confidentiality, integrity of CUI
Security Protocols	CMMC compliance documentation	CUI: security plans, risk data	Compliance, confidentiality
GoDaddy Hosting	Apache shared hosting, SSL, DNS	Serves all components	Availability, infrastructure security
Browser localStorage	Client-side CUI data storage	CUI: candidates, jobs, clients, placements	Confidentiality at rest

Threat Analysis

#	Threat	Likelihood	Impact	Residual Risk	Mitigation
T-01	Credential brute force attack	Medium	High	Low	SHA-256 hashing, account lockout (5 attempts / 15 min), audit logging
T-02	Cross-Site Scripting (XSS)	Low	High	Low	CSP, input sanitization, X-XSS-Protection header, no unsafe-inline scripts
T-03	Session hijacking	Low	High	Low	30-min inactivity timeout, 8-hr max session, HTTPS-only, sessionStorage isolation
T-04	Clickjacking / UI redress	Low	Medium	Low	X-Frame-Options DENY, CSP frame-ancestors 'none'
T-05	Data exfiltration via unauthorized channel	Low	High	Low	CSP connect-src 'self', Referrer-Policy, Permissions-Policy
T-06	Insider threat — unauthorized data export	Low	High	Low	Audit logging of all exports, personnel screening, insider threat training (3.2.3)
T-07	CDN supply chain compromise	Low	Medium	Low	Limited CDN usage (fonts + icons only, no executable code), SRI hashes, quarterly review
T-08	GoDaddy hosting compromise	Low	High	Medium	Provider SOC 2 compliance, file integrity monitoring via deployment baseline, FTP credential rotation
T-09	Unauthorized physical access to CUI	Low	Medium	Low	Office security, device auto-lock, remote work policy, session timeout
T-10	SSL/TLS certificate expiry	Low	Medium	Low	GoDaddy auto-renewal, monthly certificate check, HSTS preloading
T-11	Phishing targeting OCSI personnel	Medium	Medium	Low	Security awareness training, generic error messages, external MSSP threat briefings
T-12	Denial of Service (DoS)	Low	Medium	Medium	GoDaddy infrastructure protections, static site resilience, no database backend to overwhelm

Remediated Vulnerabilities

The following vulnerabilities were identified during the initial security assessment and have been fully remediated. See POA&M for details.

ID	Finding	Severity	Status	Remediation
POAM-001	Plaintext credentials in source code	High	Closed	Replaced with SHA-256 hash constants
POAM-002	No account lockout mechanism	High	Closed	Implemented 5-attempt lockout with 15-min timer
POAM-003	No session timeout	Medium	Closed	Added 30-min inactivity + 8-hr absolute timeout
POAM-004	No audit logging	High	Closed	Implemented comprehensive audit logging
POAM-005	Missing Content Security Policy	Medium	Closed	Deployed CSP via meta tag and .htaccess
POAM-006	Missing security headers	Medium	Closed	Added X-Frame-Options, X-XSS-Protection, etc.

Accepted Risks

Risk	Level	Justification	Compensating Controls
Shared hosting environment (T-08)	Medium	GoDaddy provides SOC 2 Type II certified infrastructure. Migration to dedicated hosting assessed annually.	File integrity monitoring, deployment baseline, FTP credential rotation, external MSSP oversight
Client-side CUI storage	Medium	localStorage provides domain-scoped isolation. No server-side database to protect reduces server-side attack surface.	Session timeout, device auto-lock policy, authorized device inventory, browser origin isolation

Recommendations for Continuous Improvement

Evaluate dedicated hosting: Assess migration from shared hosting to VPS or dedicated server for enhanced isolation (annual review)
Implement server-side authentication: Consider migrating to server-side session management when system complexity warrants
Add SRI hashes: Implement Subresource Integrity for all CDN-loaded resources
SIEM integration: Evaluate SIEM solution for centralized log aggregation when organization scales (external MSSP can recommend)
Penetration testing: Schedule annual penetration test with external MSSP beyond standard vulnerability scanning

Assessment Conclusion: OCSI's overall risk posture is HIGH. Critical gaps include: plaintext password in source code (POAM-001), client-side-only authentication bypassable via DevTools (POAM-008), no MFA (POAM-007), no encryption at rest for CUI in localStorage (POAM-010), no centralized logging or SIEM (POAM-011), and shared hosting without infrastructure isolation (POAM-012). Significant remediation is required before C3PAO assessment readiness. See POA&M for full remediation plan.

Next Steps: (1) Engage external cybersecurity MSSP (external MSSP or equivalent), (2) Migrate to server-side authentication architecture, (3) Implement MFA, (4) Encrypt CUI data at rest, (5) Deploy centralized SIEM, (6) Schedule C3PAO gap assessment.