🏛 Sycamore Systems

Cybersecurity Advisory & Tooling for SMBs

NIST CSF 2.0

Security Scorecard Assessment

Answer 38 plain-language questions and receive an instant, branded security report — scored against the NIST Cybersecurity Framework 2.0.

Time required: 10–15 minutes. Output: instant PDF report. Your data is never stored. Scored against NIST CSF 2.0.

Each question is scored on the following scale:

0 — Not started
1 — Partial / informal
2 — Mostly done, not documented
3 — Fully implemented & documented
GV: Govern (15% weight)

GV-1 Written cybersecurity policy employees are aware of
GV-2 Cybersecurity roles and responsibilities clearly assigned
GV-3 Leadership actively supports and oversees cybersecurity
GV-4 Vendor and third-party cybersecurity risks evaluated
GV-5 Dedicated budget or resources allocated to cybersecurity
GV-6 Security policies reviewed and updated at least annually
ID: Identify (20% weight)

ID-1 Up-to-date inventory of all hardware maintained
ID-2 Up-to-date inventory of all software and applications
ID-3 Critical data and systems identified and prioritized
ID-4 Sensitive data location and access documented
ID-5 External connections (vendors, remote, cloud) documented
ID-6 Formal cybersecurity risk assessments conducted
ID-7 Lessons learned from incidents used to improve security
PR: Protect (25% weight)

PR-1 Strong, unique passwords required for all accounts
PR-2 MFA enabled for email, remote access, and critical systems
PR-3 User access limited to what each employee needs (least privilege)
PR-4 Employees receive regular cybersecurity awareness training
PR-5 Sensitive data encrypted at rest and in transit
PR-6 Regular data backups stored securely offsite or in cloud
PR-7 All devices kept up to date with security patches
PR-8 Antivirus / endpoint protection on all devices
DE: Detect (15% weight)

DE-1 Network and systems monitored for unusual activity
DE-2 Logs from key systems reviewed regularly
DE-3 Alerts configured for suspicious logins or access attempts
DE-4 Detection capability for unauthorized data access or exfiltration
DE-5 Regular vulnerability scans or assessments performed
DE-6 Cybersecurity threat intelligence monitored for your industry
RS: Respond (15% weight)

RS-1 Written incident response plan exists
RS-2 All employees know who to contact and what to do in an incident
RS-3 Incident response plan tested or practiced in last 12 months
RS-4 Process to contain and isolate compromised systems
RS-5 Breach notification process for customers, partners, and regulators
RS-6 Post-incident documentation and defense improvements
RC: Recover (10% weight)

RC-1 Documented disaster recovery or business continuity plan
RC-2 Backup restoration tested in last 12 months
RC-3 Recovery time for critical systems is known
RC-4 Communication plan for stakeholders during recovery
RC-5 Recovery plan reviewed and updated after incidents

Where should we send your report?

Your assessment answers are processed in real time and never stored or shared. Your PDF report will be emailed to you within seconds.