The Assessment

A clear read on where your district stands.

A TRAG assessment is built for K-12: answer-driven, non-intrusive, and scoped to the realities of a lean school IT team. It measures your security posture across every area that matters, scores each on a defensible scale, and turns the result into a plan your board can fund.

How It Works

Rigorous, but light on your team

01 / Answer-driven

Built from your own answers

The baseline is a structured Discovery — your team's own responses, not weeks of on-site auditing. No agents, no scanning required, light on staff time.

02 / Benchmarked

Two yardsticks, one posture

Every result is crosswalked to NIST CSF 2.0 and the K-12 SIX Essentials, and benchmarked against the national K-12 average — so the score has context.

03 / Delivered

Four reports, one engagement

The output is the full report suite — Executive, Technical, Compliance, and a phased Remediation Roadmap — each written for a different reader.

How Scoring Works

Every control gets a defensible 1–5

Scores aren't impressions. Each control is rated on a five-level maturity scale with documented reasoning, so the result holds up to an auditor, a board, or an insurer.

LEVEL 1

Initial

Ad hoc or absent. Depends on individuals, not process.

LEVEL 2

Developing

Exists informally; inconsistent and undocumented.

LEVEL 3

Defined

Documented and repeatable across the organization.

LEVEL 4

Managed

Measured, monitored, and consistently enforced.

LEVEL 5

Optimized

Continuously improved and adapted to new threats.

What Gets Assessed

Every area that matters, in one picture

A combined assessment spans governance, identity, data, detection, continuity, and third-party risk — the full surface a district has to defend.

Govern & comply
  • IT Policy Library Review
  • Education Policy & Compliance
  • Data Privacy Baseline
  • Third-Party Risk Management
  • Vendor & Third-Party Risk
  • AI & Emerging Technology Risk
Protect & access
  • Identity & Access Management
  • Zero Trust Maturity
  • Mobile & Endpoint Security
  • Physical Security
  • Cloud Security Posture
  • Secure SDLC & Application Security
Detect, respond & recover
  • Vulnerability Management
  • Security Awareness & Phishing
  • Incident Response Readiness
  • Business Continuity Management
  • Backup & Disaster Recovery
  • Asset & Data Inventory
Choose Your Depth

Three ways in, one baseline

Start with the answer-driven baseline, align to a specific framework, or go all the way to a risk process your district owns. All three produce the same report suite.

Discovery

Discovery Assessment

A complete security baseline built from your team's own answers across every area — the fastest credible starting point.

Standard

Standard Assessment

A framework-aligned assessment mapped to the single standard your stakeholders care about — verified or unverified, your choice.

Deep Dive

Deep Dive Assessment

Everything in an assessment, plus a formal risk assessment process your district owns and can run going forward.

Want this picture of your own district?

An assessment is the fastest way to replace "I think we're okay" with "here's exactly where we stand, and here's the plan."