DSE Cybersecurity · National assessment service

Know the risk. Fund the right fixes.

A point-in-time cybersecurity risk assessment for leaders who need a defensible view of exposure—not another generic checklist. We turn interviews, configurations, policies, and operating evidence into a NIST CSF 2.0 Current Profile, an agreed Target Profile, severity-ranked findings, and a prioritized roadmap.

For COO, CFO, CTO, risk, security, and IT leaders across the United States.

When to bring us in

A decision is coming. Your evidence is not ready.

Insurance

Renewal questions

Your carrier wants evidence of controls, not a yes/no answer that nobody has verified.

Revenue

Enterprise diligence

A customer questionnaire or procurement review is exposing uncertainty across owners and systems.

Governance

Board request

Leadership needs a concise risk picture, investment choices, and accountable next steps.

Change

Growth or acquisition

New people, systems, vendors, or locations have outpaced the control environment.

Incident

Recent warning

A phishing event, account compromise, outage, or near miss raised questions the team cannot yet answer.

Clarity

Unclear exposure

You have tools and policies, but no evidence-based view of whether the controls operate together.

Assessment method

Current state, target state, then the road between.

01 · Baseline

NIST CSF 2.0 Current Profile

We document the outcomes your organization currently achieves across Govern, Identify, Protect, Detect, Respond, and Recover—based on evidence, not aspiration.

02 · Destination

Target Profile

We agree on the outcomes appropriate to your obligations, threat exposure, operating model, and business priorities. The gap between profiles focuses the roadmap.

03 · Evidence

Evidence request and interviews

A bounded evidence request covers policies, inventories, access, configurations, recovery, vendors, and prior findings. Focused interviews test ownership and operating reality.

04 · Rating

Business-context risk rating

We rate observed gaps using likelihood and business impact, then record evidence strength, affected outcomes, and urgency. Severity is not a vulnerability score and is explained in the report.

05 · Findings

Severity-ranked findings

Each finding states what we observed, why it matters, the supporting evidence, recommended action, and an accountable owner.

06 · Action

Prioritized roadmap

Immediate actions and a sequenced 90-day roadmap balance risk reduction, dependencies, effort, and cost. Leadership receives an executive readout.

Typical timebox: 5 to 10 business days after kickoff and timely evidence access. Complex or regulated environments are scoped separately. National engagement price is scoped after the diagnostic and confirmed in writing before work begins.

Sample output

A scorecard leaders can act on.

Synthetic sample—illustrative only. It contains no client information and is not a finding about any organization.

The sample table scrolls horizontally on smaller screens. Keyboard users can focus the labeled table region and use horizontal navigation.

Synthetic cybersecurity risk scorecard excerpt
CSF 2.0 outcomeObserved evidenceRatingRecommended move
PR.AA · Identity and accessMFA is enforced for administrators; two legacy access paths remain outside the policy.HighDisable legacy authentication; validate emergency-access controls; assign identity owner.
RC.RP · Recovery planningBackups run daily; the team could not provide a recent restore-test record.HighRun a representative restore test, record recovery time, and schedule quarterly evidence.
GV.SC · Cyber supply chainCritical vendors are listed, but security review and renewal owners are inconsistent.ModerateTier vendors, set minimum evidence, and attach accountable owners to renewal dates.

Final ratings depend on the environment, evidence, and agreed methodology. We do not convert CSF outcomes into a purported certification score.

Framework use

One primary structure. Supporting crosswalks.

NIST CSF 2.0 is the organizing framework. Where useful, we map recommended safeguards to CISA Cross-Sector Cybersecurity Performance Goals and CIS Controls as supporting implementation references. Those mappings help teams act; they do not make the assessment a CISA or CIS audit, and they do not imply endorsement.

Clear boundaries

Evidence-based advice, not assurance.

This is a point-in-time assessment of the systems, people, documentation, and evidence in the agreed scope. It is not an audit, not a certification, not an attestation, not a penetration test, and not legal advice. It does not include continuous monitoring or a 24x7 SOC, live incident response or digital forensics and incident response (DFIR), or remediation implementation unless that work is separately scoped in writing. It does not guarantee prevention of an incident, insurance eligibility, contract award, or compliance outcome. Counsel, auditors, insurers, and certification bodies retain their respective roles.