The questions districts raise most often — answered plainly. If yours isn't here, the briefing is the place to ask it.
With a free 30-minute briefing. We talk through your environment, your concerns, and your goals. If an engagement makes sense, you get a fixed-fee proposal with clear scope and deliverables. If it doesn't, you'll hear that too — TRAG would rather decline than sell you something you don't need.
Discovery is the answer-driven baseline across every area — the fastest credible starting point. Standard aligns the assessment to a specific framework your stakeholders care about, verified or unverified. Deep Dive adds a formal risk-assessment process your district owns going forward. All three produce the same four-report suite.
Most assessments run two to four weeks from kickoff to executive readout, depending on size and how quickly your team can answer. A Discovery assessment moves faster; a verified or Deep Dive scope takes longer. The timeline is set during scoping so there are no surprises.
For the Discovery baseline, mostly your team's structured answers — a few hours of focused time and a point of contact to coordinate. If you opt into verification (Standard or Deep Dive), add read-only access or screen-shares so findings can be confirmed against real evidence. Either way, TRAG does the heavy lifting; your team's time is measured in hours, not weeks.
TRAG is built specifically for K-12 — from small rural districts running on a one- or two-person IT team to large districts with their own staff. If you need senior security judgment without the cost of a full-time CISO, you're the right fit. Other education organizations, like higher ed, are handled case by case.
No. The assessment is non-intrusive — built from your team's responses, with optional read-only evidence review at the verified tiers. There's no active exploitation and no risk to uptime. If you later want hands-on penetration testing, that's scoped and scheduled separately and explicitly.
Confidentiality is built into how TRAG works. Access is limited to what's needed and read-only wherever possible. Findings, evidence, and reports are shared only with the people you designate, and are retained or destroyed according to your preference when the engagement ends. Your district's data is never sold or handed to third parties. If your district requires vendors to sign its own confidentiality or data-privacy agreement, TRAG will sign it.
No. Your district's security and vulnerability data is never sent to the cloud or to a public AI tool, and never to any outside vendor. Analysis happens on infrastructure TRAG controls, so the data stays in a controlled environment and doesn't leave.
Yes. Many districts require vendors to sign their own data-privacy or confidentiality agreement, and TRAG signs the district's agreement rather than imposing boilerplate of its own. If you have a standard DPA or vendor agreement, send it along during scoping.
No. TRAG is strictly vendor-neutral and accepts no commissions, referral fees, or reseller margins. Recommendations are based solely on what reduces your risk for the least cost and effort. Often the best fix is configuring a tool you already own or changing a process — neither of which costs anything.
You work directly with a practitioner who has 27 years of hands-on IT and CISO-level experience — not a junior analyst running a tool. The person who scopes your engagement is the person who assesses your environment and presents the findings.
No. Every assessment ends with a live executive readout and a roadmap your team can run. From there it's your call — take the roadmap and execute it yourselves, or keep TRAG on retainer to drive it. Many districts convert their assessment into an ongoing advisory retainer.
Every assessment is crosswalked to NIST CSF 2.0 and the K-12 SIX Essentials, so you get both a board-friendly national standard and a K-12-specific benchmark — measured against the national K-12 average. If you need alignment to a single specific standard, such as NIST 800-53 or CIS, that's the Standard assessment. TRAG recommends the right fit during scoping.
Yes. The Compliance report crosswalks your findings against the student-data regulations K-12 districts answer to — FERPA, COPPA, CIPA, and state breach-notification law — so the output helps you prepare for scrutiny at the same time it improves your security. It's a gap analysis, not a legal opinion; your counsel makes the formal compliance call.
Often significantly. Insurers increasingly require specific controls — MFA, EDR, tested backups, privileged access management. An assessment shows exactly where you stand against those expectations, and TRAG can help complete questionnaires accurately and close the gaps that drive premiums or coverage denials.
Often, yes. Funders — including the FCC's Schools & Libraries Cybersecurity Pilot — reward a documented, prioritized cybersecurity plan, which is exactly what a TRAG assessment and roadmap produce. TRAG can help position your district's plan so it holds up to grant reviewers, auditors, and insurers.
Both. Most work is done remotely, which keeps engagements efficient and affordable. On-site visits are available when an engagement benefits from them — for example, walking a facility or running an in-person tabletop — and travel is quoted transparently up front.
TRAG's role is to assess, prioritize, and lead — and to make sure the right fixes get done. For hands-on implementation, TRAG either guides your internal team through the roadmap or coordinates trusted specialists, all while remaining vendor-neutral and accountable for the outcome.
That's fine. The briefing is genuinely free and pressure-free. Plenty of districts use it to clarify their thinking and come back months later. You'll leave the call with a clearer sense of your risk regardless of whether you engage.
No. Advisory retainers run month-to-month after an initial three-month term that gives the engagement time to find its footing. If it's not delivering value, you're free to step down or stop.
The fastest way to an answer is a short conversation. Book a briefing and ask anything — about your environment, the process, or whether TRAG is even the right fit.