RiskWatch
RiskWatch International · Founded 1993 · Sarasota, FL, USA
State, local, and federal-contractor risk platform: one register from threat to treatment, with KRI auto-escalation and 40+ ATO libraries underneath.
Summary
RiskWatch is an enterprise risk management platform built around a Global Risk Register that rolls up mission, IT, vendor, and physical risk into one view, with system-and-agency-to-enterprise aggregation for leadership and the authorising official. It runs a risk assessment engine with a KRI (Key Risk Indicator) library that auto-escalates a risk when it breaches its threshold, a treatment workflow with owner assignment and tasks tracked to closure, and native threat and vulnerability libraries that feed risk scores into heat maps and executive dashboards. Its differentiator is Risk-to-Compliance bi-directional mapping: assessment findings flow back into risk scores and the register feeds control-assessment scope, so risk and compliance run together across the RMF lifecycle rather than as two disconnected tools. Pre-built control libraries for 40+ frameworks sit underneath, including NIST 800-53 r5, NIST 800-171 r3, NIST CSF, CMMC 2.0, FISMA, IRS Publication 1075, CJIS Security Policy 5.9, FedRAMP Moderate and High baselines, GovRAMP (formerly StateRAMP), HIPAA, and PCI DSS. Government customers include US state agencies, county IT offices, higher-education institutions, defense contractors, and federal-civilian-adjacent buyers; the product has been in the field since 1993. The single-tenant deployment model and customer-owned data residency make RiskWatch a defensible pick for state CISOs subject to IRS Publication 1075 § 9.3.5 data-locality rules and for defense contractors scoping a CMMC 2.0 Level 2 assessment ahead of the November 2026 Phase 2 deadline, and a survey-based assessment engine lets non-technical control owners respond directly.
Strengths
- Global Risk Register consolidates mission, IT, vendor, and physical risk into one register with system-and-agency-to-enterprise rollup for leadership and the authorising official
- Risk assessment engine with a KRI (Key Risk Indicator) library and auto-escalation when a risk crosses its threshold, so exposure surfaces between assessment cycles
- Risk treatment workflow with owner assignment, tasks, and recommendations tracked to closure; native threat and vulnerability libraries feed heat maps and executive risk dashboards
- Risk-to-Compliance bi-directional mapping ties assessment findings back into risk scores and feeds the register into control-assessment scope, so risk and compliance run together across the RMF lifecycle
- 40+ pre-built framework libraries with cross-mapping underneath including NIST 800-53 r5, NIST 800-171 r3, CMMC 2.0, FISMA, FedRAMP Moderate and High baselines, GovRAMP, CJIS, IRS Publication 1075
- 33-year operating history with assessor and examiner-recognised assessment artefacts; C3PAO and 3PAO export packs are first-class output, not a custom report build
- Single-tenant deployment with customer-owned data residency, an advantage for state agencies subject to IRS 1075 § 9.3.5 and for defense contractors handling CUI
- Survey-based assessment engine works for non-technical control owners (county records clerks, branch IT, sub-contractor security officers) without a workflow-builder learning curve
- Vendor risk management with BAA, SOC 2, and FedRAMP package tracking aligned to NIST 800-53 SR-3 supply-chain controls and EO 14028 SBOM obligations
- Physical security assessment software is in the same tenant as cyber and compliance risk, useful for federal-facility, state-courthouse, and county-data-center buyers, with quote-only pricing and a transparent scoping conversation rather than a hard paywall
Weaknesses
- RiskWatch is not currently FedRAMP authorised at the platform level; federal agencies requiring a FedRAMP boundary for the GRC tool itself will need Telos Xacta, RegScale, ServiceNow IRM in GovCommunityCloud, or IBM OpenPages on AWS GovCloud (we are evaluating a FedRAMP path; this is honest)
- No native OSCAL ingest or export pipeline; agencies adopting the FedRAMP 20x OSCAL-native workflow will want RegScale or Telos Xacta for that specific path
- Public pricing is opaque; the federal/state procurement community is used to GSA Schedule list pricing and our public page does not yet match that expectation
State agencies, county IT, higher-education, defense contractors, and federal-civilian-adjacent buyers that want one global risk register across mission, IT, vendor, and physical risk, with KRI-driven escalation, treatment workflows, and board-ready heat maps, plus NIST 800-53 r5, NIST 800-171 r3, and CMMC 2.0 mapped in one tenant with strong assessor export artefacts.
Federal mission systems that require the GRC platform itself to carry a FedRAMP High or DoD IL5 boundary; Telos Xacta, RegScale, ServiceNow IRM GovCommunityCloud, or IBM watsonx on AWS GovCloud fit that brief better.
Key features
- Global Risk Register with system-and-agency-to-enterprise rollup for leadership and the authorising official
- Risk assessment engine with a KRI (Key Risk Indicator) library and threshold auto-escalation
- Risk treatment workflow with owner assignment, tasks, and recommendations
- Threat and vulnerability libraries that feed risk scores, heat maps, and executive dashboards
- Risk-to-Compliance bi-directional mapping (assessment findings update risk scores) across the RMF lifecycle
- Pre-built control libraries for NIST 800-53 r5, NIST 800-171 r3, CMMC 2.0 Levels 1-3, FedRAMP Moderate + High, GovRAMP, FISMA, IRS Publication 1075, CJIS 5.9, NIST CSF 2.0, cross-mapped to auto-detect shared controls across NIST 800-53 / 800-171 / CMMC / GovRAMP
- Assessor-export packs (PDF + Excel) for C3PAO CMMC assessments and 3PAO FedRAMP and GovRAMP reviews
- Survey-based assessment engine for non-technical control owners (branch IT, records clerks, sub-contractors)
- Evidence vault with versioning, hashing, and audit-ready export for ATO package assembly
- Vendor risk management with BAA, SOC 2, and FedRAMP package tracking aligned to NIST 800-53 SR controls and EO 14028 SBOM obligations
- Policy management with approval and attestation workflows for governance documents required under OMB Circular A-130
- Single-tenant deployment for state-agency, defense-contractor, and federal-adjacent data-residency requirements
Integrations
25+ native. Notable: Microsoft Entra ID (SAML SSO), Okta, Microsoft 365 / SharePoint, Slack, Jira, Salesforce, Custom REST API.
Target size
50 to 25,000 employees · US · Canada