Nationwide Cybersecurity Review (NCSR)

What is the Center for Internet Security (CIS)?

The Center for Internet Security (CIS) is a non-profit organization focused on improving the security of organizations and individuals in the digital world. CIS is funded through various sources, including government grants, corporate sponsorships, and individual donations.

CIS was founded in 2000 and works with a range of partners, including federal agencies, State, Local, Tribal, and Territorial governments/entities, to provide cybersecurity resources and services to help protect critical infrastructure and other assets. The organization also receives funding from the Department of Homeland Security (DHS) through its Cybersecurity and Infrastructure Security Agency (CISA) to support its mission of enhancing the nation’s cybersecurity posture.

What is the Nationwide Cybersecurity Review (NCSR)?

One of the ways that the CIS works to achieve this goal is through the Nationwide Cybersecurity Review (NCSR). The NCSR is a comprehensive assessment of an organization’s cybersecurity posture. It is designed to help organizations identify areas where they may be vulnerable to cyber-attacks and provide recommendations for improving their overall cybersecurity posture.

The NCSR consists of questions designed to help organizations identify and address potential vulnerabilities in their systems and processes and identify areas where they can improve their cybersecurity posture.

Why would an agency or state participate in the Nationwide Cybersecurity Review (NCSR)?

There are several reasons you might decide to conduct a Nationwide Cybersecurity Review (NCSR). Some possible reasons include the following:

  1. To assess your current cybersecurity posture and identify any weaknesses or vulnerabilities.
  2. To comply with regulatory or compliance requirements that mandate regular cybersecurity assessments.
  3. To ensure the state’s critical infrastructure and systems are secure and resilient against cyber threats.
  4. To protect sensitive data and information from cyber-attacks.
  5. To demonstrate to the public and stakeholders that you are taking steps to protect your systems and data.
  6. To help identify risks that could lead to costly and disruptive cyber incidents.

Overall, the decision to conduct an NCSR assessment may be driven by a combination of internal and external factors, such as your risk appetite, regulatory requirements, and the potential impact of a cyber incident on the state, agency, and its citizens.

How much does the Nationwide Cybersecurity Review (NCSR) cost?

The NCSR is a no-cost, anonymous, annual self-assessment. All states (and agencies), local governments (and departments), tribal nations, and territorial (SLTT) governments are encouraged to participate. It is designed to measure gaps and capabilities of SLTT governments’ cybersecurity programs and is based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).

Using the results of the NCSR, DHS delivers a bi-yearly anonymous summary report to Congress, providing a broad picture of the cybersecurity maturity across the SLTT communities.

When is the Nationwide Cybersecurity Review (NCSR) open?

The NCSR is open annually from October 1st to February 28th. There are no extensions to complete this after February 28th, so if you miss this deadline, it is best to prepare for the following year’s NCSR, which will open on October 1st.

How long will the Nationwide Cybersecurity Review (NCSR) take to complete?

Your first NCSR will generally take longer as you must gather all the information and documentation required to complete the assessment. However, in the following years, much of the information is pre-populated, so you can expect it to take two to three hours per assessment.

What will I need to complete the Nationwide Cybersecurity Review (NCSR)?

The Nationwide Cybersecurity Review (NCSR) is intended for any organization, regardless of size or sector, that is interested in assessing and improving its cybersecurity practices. The NCSR consists of questions designed to help organizations identify and address potential vulnerabilities in their systems and processes and identify areas where they can improve their cybersecurity posture.

To complete the NCSR, you will need access to someone with knowledge of your organization’s cybersecurity practices and systems, such as a cybersecurity or IT professional. You will also need access to relevant documents and information about your organization’s cybersecurity practices, such as policies, procedures, and technical documentation.

Once you have gathered the necessary information and identified someone with the knowledge and expertise to help you complete the NCSR, you can begin the assessment process. This will typically involve working through the NCSR questions and providing responses that accurately reflect your organization’s current cybersecurity posture. The NCSR is designed to be self-administered, which means you can complete it independently without needing external assistance. However, you may find it helpful to work with a cybersecurity or compliance consultant to help you understand the questions and identify areas for improvement.

Do you need help filling out your Nationwide Cybersecurity Review (NCSR)?

An experienced consultant such as Tiro Security can be useful in helping to fill out the Nationwide Cybersecurity Review (NCSR) because they can provide expertise and guidance on cybersecurity best practices and risk management. The NCSR is a comprehensive review of an organization’s cybersecurity posture, and completing it can be a complex and time-consuming process. A consultant with relevant expertise and experience can help an organization understand the requirements of the NCSR, identify gaps in its current cybersecurity posture, and develop a plan to address any identified weaknesses.

In addition to their technical expertise, a consultant can provide valuable insights and recommendations based on their experience working with other organizations and their knowledge of industry standards and best practices. They can also help identify potential risk areas and provide guidance on how to mitigate those risks.

Overall, a consultant can be a valuable resource for organizations looking to complete the NCSR and improve their cybersecurity posture, particularly if they do not have in-house expertise or resources to devote to the process.

If you are urgently trying to complete this year’s NCSR or want to plan for next year’s assessment, don’t hesitate to contact Tiro Security today. We will demonstrate how we help our clients with all their Cybersecurity and GRC needs.
