
PSU Cyber Hygiene Assessment Program

Purpose

A Cyber Hygiene Assessment (CHA) identifies basic security gaps in a PSU's (Public School Unit's) cybersecurity program by evaluating its policies, processes, and practices in areas such as vulnerability management, access controls, endpoint protection, and phishing resilience. Using the CHA outcomes, PSU leaders can identify and prioritize low-cost, high-impact fixes that reduce common attack surfaces and improve overall security posture. The CHA is a proactive way to measure a PSU's cybersecurity posture: it uncovers security gaps and risky behaviors, acknowledges what is already working, and outlines opportunities for improvement with a roadmap for future security investments.

About CHA Program

The CHA Program is a continuation of the hygiene assessments previously completed across the PSU community by the MCNC Vital Cyber team. The updated CHA program is part of NCDPI's K-12 Cybersecurity Program and is built on the NC K-12 CORE Safeguards, a set of cybersecurity practices that form the building blocks of a reasonable cybersecurity program for PSUs. The CHA program also aligns with and complements the PSU Cybersecurity Program Plan that PSUs use for strategy and documentation. The CHA Program includes a limited technical assessment, an NC K-12 CORE Safeguard assessment, and an NCDPI K-12 Cybersecurity Program Services and Resources Health Check, which together identify priority recommendations with specific response guidance focused on ACTION.

  • The CHA program is VOLUNTARY and is offered at no cost to PSUs.
  • The CHA requires limited PSU time and effort: 1 day of onsite data gathering and a 2-3 hour assessment call.
  • The CHA program targets ~40 PSUs a year, with each PSU reassessed on a 3 year cycle and an annual check-in in between.

CHA Process

The CHA Program and Assessment follow a four-step process:

  1. Kickoff Questionnaire
    • The PSU completes a kickoff questionnaire that collects PSU demographics, identifies existing services and solutions (both NCDPI K-12 Cybersecurity Program sponsored and PSU specific), and encourages the PSU to prepare or refresh its PSU Cybersecurity Program Plan.
  2. Complete Assessments
    • The CHA has 3 components: a technical assessment, a safeguard assessment, and a program services and resources health check.
      • The Technical Assessment is a 1-day onsite engagement designed to establish the status of safeguard implementation and to identify common gaps in cybersecurity practice. It requires tool/script access to PSU systems (read access is sufficient for the reviews listed below; nothing is changed on PSU systems during the assessment). The assessment consists of:
        • Firewall Policy Audit (non-Managed Firewall)
        • Switch Configuration Audit (sample)
        • Nessus Vulnerability Scan
        • CIS Benchmark Scan – End-user devices, servers, DCs
        • Active Directory Review
          • AD accounts with insecure password settings
          • AD Domain Admins / AD Enterprise Admins
          • AD Domain Controllers
      • The Safeguard Assessment is a 2-3 hour review of the PSU's implementation status of the NC K-12 CORE Safeguards. This assessment is discussion only; responses are self-reported, and no evidence or artifacts are required to validate them.
      • NCDPI K-12 Cybersecurity Program Services and Resources Health Check evaluates the PSU’s basic adoption of applicable program solutions.
  3. Assessment Analysis and Documentation
    • During this step, the NCDPI K-12 Cybersecurity Program teams will analyze the results from the three assessment components and generate corresponding documentation.
      • Document observations, areas for improvement, and priority recommendations in a CHA Report.
      • Develop and generate prioritized and actionable CHA Response Guidance.
  4. Deliver Final CHA Report and Guidance and close out assessment process.
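
A PSU can run the Active Directory portion of the Technical Assessment against itself before the onsite day. The script below is an added example written for this page; it is not the CHA program's own tooling, and the program has not published what its "insecure password settings" check covers, so the flags it tests (password never expires, password not required, reversible encryption, Kerberos pre-authentication disabled, and a password unchanged for a year) are our interpretation. It assumes the RSAT ActiveDirectory PowerShell module, a domain-joined host in the forest root domain (Enterprise Admins exists only there), and an account with ordinary read access to the directory; it makes no changes.

```powershell
# Added example (not CHA program tooling): read-only self-check for the three
# Active Directory items the CHA Technical Assessment reviews.
# Assumptions: RSAT ActiveDirectory module installed; run from the forest root
# domain by an account with read access; the "bad password setting" flags and
# the one-year stale-password cutoff below are this example's interpretation.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

# 1. Enabled accounts whose password settings weaken the domain.
$props = 'PasswordNeverExpires', 'PasswordNotRequired',
         'AllowReversiblePasswordEncryption', 'DoesNotRequirePreAuth',
         'PasswordLastSet', 'LastLogonDate'
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties $props
$staleCutoff = (Get-Date).AddDays(-365)   # assumption: >1 year since last change is "stale"

$badPasswordAccounts = foreach ($u in $users) {
    $findings = @()
    if ($u.PasswordNeverExpires)              { $findings += 'PasswordNeverExpires' }
    if ($u.PasswordNotRequired)               { $findings += 'PasswordNotRequired' }
    if ($u.AllowReversiblePasswordEncryption) { $findings += 'ReversibleEncryption' }
    if ($u.DoesNotRequirePreAuth)             { $findings += 'NoKerberosPreAuth' }
    if ($null -eq $u.PasswordLastSet -or $u.PasswordLastSet -lt $staleCutoff) {
        $findings += 'StalePassword'
    }
    if ($findings.Count -gt 0) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Findings       = ($findings -join ',')
            PasswordLastSet = $u.PasswordLastSet
            LastLogonDate  = $u.LastLogonDate
        }
    }
}

# 2. Domain Admins / Enterprise Admins, resolved recursively so that members
#    reached through nested groups are not missed.
$privileged = foreach ($g in 'Domain Admins', 'Enterprise Admins') {
    Get-ADGroupMember -Identity $g -Recursive | ForEach-Object {
        [pscustomobject]@{
            Group  = $g
            Member = $_.SamAccountName
            Class  = $_.objectClass
        }
    }
}

# 3. Domain controllers with their OS build, the starting point for checking
#    that no DC runs an unsupported Windows release.
$dcs = Get-ADDomainController -Filter * |
    Select-Object HostName, IPv4Address, OperatingSystem, OperatingSystemVersion,
                  IsGlobalCatalog, IsReadOnly, Site

# Write one dated CSV per item so the results can be kept with the kickoff
# questionnaire and compared against the CHA Report later.
$stamp = Get-Date -Format 'yyyyMMdd'
$badPasswordAccounts | Sort-Object SamAccountName | Export-Csv -NoTypeInformation "cha-ad-passwords-$stamp.csv"
$privileged          | Sort-Object Group, Member  | Export-Csv -NoTypeInformation "cha-ad-privileged-$stamp.csv"
$dcs                 | Sort-Object HostName       | Export-Csv -NoTypeInformation "cha-ad-dcs-$stamp.csv"

'{0} account(s) with insecure password settings, {1} privileged membership(s), {2} domain controller(s)' -f `
    @($badPasswordAccounts).Count, @($privileged).Count, @($dcs).Count
```

Run it from an elevated PowerShell session on a management host, not on a domain controller. The privileged-group list is the one to read first: every entry that is a service account, a shared account, or a person who no longer needs it is a finding the onsite review would also raise.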

Resources

**Remember, you must be a member of the K-12 Cybersecurity Community Mailing list to access the PSU Cybersecurity Program Plan and other supporting materials.**
Subscribe here: https://go.ncdpi.gov/NCK12CyberCommunityList