Renewal questions
Your carrier wants evidence of controls, not a yes/no answer that nobody has verified.
A point-in-time cybersecurity risk assessment for leaders who need a defensible view of exposure—not another generic checklist. We turn interviews, configurations, policies, and operating evidence into a NIST CSF 2.0 Current Profile, an agreed Target Profile, severity-ranked findings, and a prioritized roadmap.
For COO, CFO, CTO, risk, security, and IT leaders across the United States.
Your carrier wants evidence of controls, not a yes/no answer that nobody has verified.
A customer questionnaire or procurement review is exposing uncertainty across owners and systems.
Leadership needs a concise risk picture, investment choices, and accountable next steps.
New people, systems, vendors, or locations have outpaced the control environment.
A phishing event, account compromise, outage, or near miss raised questions the team cannot yet answer.
You have tools and policies, but no evidence-based view of whether the controls operate together.
We document the outcomes your organization currently achieves across Govern, Identify, Protect, Detect, Respond, and Recover—based on evidence, not aspiration.
We agree on the outcomes appropriate to your obligations, threat exposure, operating model, and business priorities. The gap between profiles focuses the roadmap.
A bounded evidence request covers policies, inventories, access, configurations, recovery, vendors, and prior findings. Focused interviews test ownership and operating reality.
We rate observed gaps using likelihood and business impact, then record evidence strength, affected outcomes, and urgency. Severity is not a vulnerability score and is explained in the report.
Each finding states what we observed, why it matters, the supporting evidence, recommended action, and an accountable owner.
Immediate actions and a sequenced 90-day roadmap balance risk reduction, dependencies, effort, and cost. Leadership receives an executive readout.
Typical timebox: 5 to 10 business days after kickoff and timely evidence access. Complex or regulated environments are scoped separately. National engagement price is scoped after the diagnostic and confirmed in writing before work begins.
Synthetic sample—illustrative only. It contains no client information and is not a finding about any organization.
The sample table scrolls horizontally on smaller screens. Keyboard users can focus the labeled table region and use horizontal navigation.
| CSF 2.0 outcome | Observed evidence | Rating | Recommended move |
|---|---|---|---|
| PR.AA · Identity and access | MFA is enforced for administrators; two legacy access paths remain outside the policy. | High | Disable legacy authentication; validate emergency-access controls; assign identity owner. |
| RC.RP · Recovery planning | Backups run daily; the team could not provide a recent restore-test record. | High | Run a representative restore test, record recovery time, and schedule quarterly evidence. |
| GV.SC · Cyber supply chain | Critical vendors are listed, but security review and renewal owners are inconsistent. | Moderate | Tier vendors, set minimum evidence, and attach accountable owners to renewal dates. |
Final ratings depend on the environment, evidence, and agreed methodology. We do not convert CSF outcomes into a purported certification score.
NIST CSF 2.0 is the organizing framework. Where useful, we map recommended safeguards to CISA Cross-Sector Cybersecurity Performance Goals and CIS Controls as supporting implementation references. Those mappings help teams act; they do not make the assessment a CISA or CIS audit, and they do not imply endorsement.
This is a point-in-time assessment of the systems, people, documentation, and evidence in the agreed scope. It is not an audit, not a certification, not an attestation, not a penetration test, and not legal advice. It does not include continuous monitoring or a 24x7 SOC, live incident response or digital forensics and incident response (DFIR), or remediation implementation unless that work is separately scoped in writing. It does not guarantee prevention of an incident, insurance eligibility, contract award, or compliance outcome. Counsel, auditors, insurers, and certification bodies retain their respective roles.