Most small organizations skip formal security assessments for one reason: they assume it costs money they don’t have. CISA built a tool specifically to remove that excuse.
The Cyber Security Evaluation Tool (CSET) is a free, standalone desktop application that walks any organization through a structured evaluation of their security posture. No consultant. No contract. No cost. You download it, install it, and work through it at your own pace.
I’ve downloaded it and explored it firsthand. Here’s what you’re actually getting.
What CSET covers
CSET isn’t a single questionnaire. It’s a platform with multiple assessment paths depending on what you need to evaluate.
Cybersecurity Assessment Module
This is the maturity model track. It walks you through a structured set of questions about your current practices and scores your organization against established cybersecurity maturity levels. If you’ve never done a formal assessment before, this is where to start. The output gives you a clear picture of where you are today and what the next level of maturity looks like.
Standards-Based Assessment
This module maps your security posture directly to specific frameworks — NIST CSF, CMMC 2.0, RMF, and NIST 800-53. If your organization needs to demonstrate compliance or alignment with a particular standard, this is the path. For Iowa municipalities and school districts interfacing with state or federal requirements, NIST CSF alignment is worth documenting.
Network Diagram
This module lets you build a visual map of your network topology and assess it for vulnerabilities. For organizations that have never formally documented their infrastructure, this alone is valuable — you can’t protect what you haven’t mapped.
The modules worth knowing
Within those categories, three specific modules stand out for small Iowa organizations:
Ransomware Readiness Assessment (RRA). Given what we covered in the first post — Des Moines, Cedar Falls, the pattern of Iowa organizations getting hit — this one is directly relevant. The RRA is tiered from basic to advanced, so it meets you where you are rather than assuming enterprise-level controls. It tells you specifically how prepared you are to prevent, detect, and recover from a ransomware event.
Incident Management Review (IMR). This module evaluates how prepared your organization actually is to respond when something goes wrong. Not just whether you have an incident response plan on paper, but whether that plan is practiced, assigned, and functional. Most small organizations fail this one — not because they’re negligent, but because nobody has ever asked them these questions before.
Critical Infrastructure Survey. This compares your organization’s posture against a sector-specific baseline. For water utilities, local government, and education — all sectors with critical infrastructure designation — this gives you a benchmark against peer organizations.
What CSET produces
After you complete an assessment, CSET generates:
- A summarized report with an overall readiness score
- A detailed report breaking down every finding by category
- A dashboard that visualizes your strengths and gaps at a glance
- Prioritized recommendations ordered by impact
- A Plan of Action and Milestones (POA&M) template — a structured document you can bring to leadership or a board to show exactly what needs to get done and in what order
That last one matters more than it sounds. Having a prioritized, documented action plan changes the conversation from “we should probably do something about security” to “here are the specific five things we’re doing this quarter and why.” That’s the kind of document that unlocks budget conversations.
The Iowa bonus: ICRI
If you’re a county, city, or school district in Iowa, there’s an additional layer available at no cost.
The Iowa Cyber Resilience Initiative — run by Iowa State University’s Center for Cybersecurity Innovation and Outreach and funded through CISA’s State and Local Cybersecurity Grant Program — uses CSET as the foundation for its free virtual assessments (Iowa Cyber Resilience Initiative, 2026). That means an ISU-affiliated team can walk you through the assessment, help you interpret the results, and connect you to next steps — all without a bill at the end (Iowa Cyber Resilience Initiative, 2026).
If self-assessment feels like too much to start with, ICRI is the on-ramp. You get the same CSET framework with guided support built in.
More on ICRI in a dedicated post coming soon.
How to get started
CSET is available directly from CISA’s GitHub: github.com/cisagov/cset
Download the installer, run through setup, and start with the Ransomware Readiness Assessment. It takes about 45 minutes for a small organization and produces a report that you can act on the same day (Cyber Security Evaluation Tool (CSET), n.d.).
If you’re an Iowa SLTT organization and want the guided version, reach out to ISU’s CyIO team.
References
Iowa Cyber Resilience Initiative. (2026). Iowa State University Center for Cybersecurity Innovation & Outreach. https://www.cyio.iastate.edu/iowa-cyber-resilience-initiative/
Cyber Security Evaluation Tool (CSET). (n.d.). CISA. https://www.cisa.gov/resources-tools/services/cyber-security-evaluation-tool-cset
