IT & Security

Resources

A curated list of things I actually think are worth your time. No fluff, no affiliate links — just tools, guides, and information that might make your organization meaningfully safer.



⭐ Start Here: CISA CPG Checklist (If you only download one thing from this page, make it this.)


CISA’s Cybersecurity Performance Goals checklist — now on version 2.0 — is a prioritized, plain-language list of baseline security practices every organization should have in place. It’s not overwhelming. It’s not theoretical. It’s a concrete checklist designed specifically for organizations that don’t have a dedicated security team and need to know what to do first.
Work through it. Check off what you have. Pay attention to what you don’t.
Download the CPG 2.0 Checklist — Free, direct from CISA, updated May 2026.


From Your Friendly Government Agencies (Yes, really. Some of this is genuinely good.)


CISA Small & Medium Business Hub — The Cybersecurity and Infrastructure Security Agency has a dedicated SMB section with practical guidance. Start here if you’re not sure where to begin.

CISA Cyber Essentials — A plain-language guide specifically for small business leaders. No technical background required. Download the Starter Kit and work through it.

CISA No-Cost Cybersecurity Services & Tools — Free tools and services you probably didn’t know existed. Worth a look before you pay for something.

NIST Small Business Cybersecurity Corner — Videos, planning guides, and practical guidance from the National Institute of Standards and Technology. More accessible than it sounds.

NIST Cybersecurity Framework 2.0 Small Business Quick Start Guide — A condensed version of the full NIST framework designed specifically for smaller organizations. If someone asks you whether you have a cybersecurity framework, this is a solid place to start building one.

FTC Cybersecurity for Small Business — The Federal Trade Commission covers twelve cybersecurity topics in plain English. Phishing, ransomware, vendor security, email authentication. Useful for training staff without putting them to sleep.


Free Training & Awareness (Because the yearly meeting nobody remembers doesn’t count.)


Cyber Readiness Institute — A free, self-paced program built specifically for SMBs. Covers the fundamentals without assuming any technical background. Good for owners and non-technical staff.

Wizer Security Awareness Training — Free security awareness training with short, engaging videos. This is the kind of training people might actually watch. Novel concept.

CISA Cybersecurity Awareness Training — Free modules and materials from CISA. Good for organizations that need documented training without a budget for commercial platforms.

NIST Free Online Learning Content — A curated list of free cybersecurity learning resources. Ranges from beginner to advanced.

GCA Cybersecurity Toolkit for Small Business — A structured, six-step toolkit from the Global Cyber Alliance, sponsored by Mastercard. Covers device inventory, patching, passwords, MFA, phishing defense, backups, and email security. Free, practical, and organized by implementation level so you know what requires technical help and what you can do yourself. Good companion to the CISA CPG checklist — use both.


Free Scanning Tools


Intruder External Vulnerability Scanner — The free tier lets you run external vulnerability scans against your own systems. Yes, they’ll try to sell you a continuous monitoring plan, and yes, you can largely ignore that and run a free scan periodically anyway. Worth doing every month or two to see what your perimeter looks like from the outside.

RoboShadow — Surprisingly generous free tier — about 90% of features including vulnerability reporting are available at no cost. Daily automated scans, real-time detection, solid reporting. Worth trying before spending money on something more expensive.


Disaster Recovery & Incident Response Templates (Have a plan before you need one. That’s the whole point.)


The worst time to write a disaster recovery plan is during a disaster. The second worst time is right after one, when everyone is exhausted and pointing fingers. Do it now, when nothing is on fire.

Smartsheet Free DR Plan Templates — Multiple formats including Word, Excel, and PDF. Clean, customizable, and comprehensive enough to be useful without being so complex you’ll never finish them.

TechTarget Small Business DR Plan Template — Built specifically for smaller organizations. Covers the essentials without assuming you have a dedicated IT department to implement it.

Secureframe Disaster Recovery Plan Framework — Good overview of what a DRP needs to cover, plus a downloadable template. Useful if you want to understand the thinking behind the document, not just fill in the blanks.

ClickUp Incident Response Templates — If you prefer working in a project management tool rather than a document, ClickUp’s templates let you run your DR plan as an actual workflow. Useful for teams that think in tasks rather than pages.

Smartsheet Vendor Risk Assessment Template — Available in Google Sheets format. Covers information security, data center security, web application security, and infrastructure protection. Color-coded risk ratings built in.

Heimdal Security Vendor Risk Template — Available as a Google Doc. Make a copy and customize it. References ISO 27001 and NIST standards where relevant.

UpGuard Vendor Risk Assessment Questionnaire — More comprehensive than the others. Good if you’re doing formal vendor assessments rather than quick checks.

A note on the difference: A Disaster Recovery Plan covers how you restore systems and data after something goes wrong. An Incident Response Plan covers how you detect, contain, and respond to a security incident specifically. You need both. They’re related but not the same document. If you only have one, make it the IR plan first — security incidents are more likely than the building flooding, and the response timeline matters enormously.


Worth Paying For (I don’t get a penny for any of these. I just think they’re genuinely good.)


NINJIO Security Awareness Training — If the free training options feel too dry for your team, NINJIO is worth a serious look. Short, story-driven animated episodes covering real attack techniques — phishing, smishing, social engineering. The kind of training people might actually watch without being told twice. Nine consecutive quarters as a G2 Leader, which means real users keep saying good things about it. Pricing varies by organization size, so contact them directly.

UpGuard Vendor Risk — If you want to know what your vendors’ security posture actually looks like — not just what they tell you in a questionnaire — UpGuard does continuous scanning and monitoring of your third-party vendors and alerts you when something changes. Genuinely powerful. Honest caveat: pricing starts around $1,600/month, which makes it more mid-market than true SMB. If you’re managing a meaningful vendor portfolio and a breach through one of them would hurt badly, it’s worth the conversation. If you’re a five-person shop, probably not yet.

Checkmk — Infrastructure monitoring that actually works. I’ve used it and it’s genuinely good. Over 2,000 pre-built plugins, auto-discovery, unified visibility across servers, networks, cloud workloads, and applications. Importantly for SMBs, it keeps your data local — no forced cloud dependency. Starts with a free Community (open-source) edition, which gets you surprisingly far before you need a paid tier. Fair warning: initial setup has a learning curve, but once it’s running it’s solid.


Tools From This Site



AI Feature Audit Template — A downloadable spreadsheet that walks you through auditing what AI features are active in your software stack. Four phases, thirty minutes, Red/Yellow/Green triage built in. Free, obviously.


More tools coming. Check back.


*A Note on These Resources*


I don’t vouch for everything on the internet and I’m not responsible for content on external sites. What I can tell you is that I’ve reviewed everything linked here and believe it’s worth your time. If something is outdated or broken, let me know.

If there’s a resource you think belongs here, I’d genuinely like to hear about it.

