Cybersecurity Assessment and Resiliency Evaluation for Small Business (CARES)

Your responses will remain secure, confidential, and private. This survey contains 30 questions and is a necessary first step to understand your overall cybersecurity posture.

In addition, it does not guarantee compliance, as each organization must first determine their applicable cybersecurity framework(s), and assess compliance based on company policies, procedures and the framework(s) selected.

Refer to the following rating scale / legend when responding to the applicable questions:

Maturity Level 0: Incomplete
Ad hoc and unknown. Work may or may not get completed.
Maturity Level 1: Initial
Unpredictable and reactive. Work gets completed but is often delayed and over budget.
Maturity Level 2: Managed
Managed on the project level. Projects are planned, performed, measured, and controlled.
Maturity Level 3: Defined
Proactive, rather than reactive. Organization-wide standards provide guidance across projects, programs, and portfolios.
Maturity Level 4: Quantitatively Managed
Measured and controlled. Organization is data-driven with quantitative performance improvement objectives that are predictable and align to meet the needs of internal and external stakeholders.
Maturity Level 5: Optimizing
Stable and flexible. Organization is focused on continuous improvement and is built to pivot and respond to opportunity and change. The organization’s stability provides a platform for agility and innovation.

1. What is your role at the company?


2. What industry is your company?


3. How many employees do you have?


4. What is the general education level of the majority of your employees?


5. What Small Business Administration (SBA) region of the company is your small business or your major operations?


6. Are you a minority owned business as defined by the SBA?