Know where your security program stands — and exactly how to fix it.
MitchGRC delivers a plain-English compliance gap assessment against the framework that matters to your business — with a prioritized remediation roadmap, ready-to-use policy templates, a cyber insurance readiness score, and a signed attestation letter. No consultants. No jargon. No six-month engagement.
14 gaps identified across 3 frameworks. 3 critical gaps expose you to HIPAA penalty risk and may affect cyber insurance eligibility. 90-day remediation roadmap included.
NIST CSF 2.0
58%
HIPAA
41%
CYB. INS.
72%
CRITICAL
No written Business Associate Agreements with 3 vendors — HIPAA requires BAAs with any vendor accessing PHI. Missing BAAs = direct HIPAA liability. Risk: $100K+ penalty per violation.
CRITICAL
No formal Incident Response Plan — Required by HIPAA, NIST CSF, and every major cyber insurer. Without a documented IRP, breach notification timelines cannot be met.
HIGH
Access controls not formally documented — NIST CSF PR.AC-1 requires documented access provisioning and de-provisioning. 4 former employees still have active email accounts.
MEDIUM
No annual security awareness training program — Required by HIPAA Security Rule. Training records must be retained for 6 years.
FRAMEWORKS COVERED
Six frameworks. One plain-English report.
We assess your controls against the framework that matters for your business — or multiple. Each report covers what you have, what you're missing, and exactly what to do.
RECOMMENDED STARTING POINT
🛡
NIST CSF 2.0
The gold standard framework for small business security. Covers 6 functions (Govern, Identify, Protect, Detect, Respond, Recover) across 106 subcategories. Referenced by cyber insurers and enterprise clients.
Who needs it: Any SMB that handles client data, has remote employees, or works with enterprise clients
LEGAL REQUIREMENT
🏥
HIPAA Security Rule
Required by law for any business that handles Protected Health Information. Covers Administrative, Physical, and Technical safeguards. OCR audits and penalties are active and growing.
Who needs it: Healthcare providers, billing companies, legal firms, accountants handling patient data
PAYMENT PROCESSING
💳
PCI-DSS Basics
Required if you process, store, or transmit credit card data. We assess against the 12 PCI requirements applicable to small businesses and identify gaps before your processor does.
Who needs it: Any business that accepts credit cards — retail, restaurants, e-commerce, professional services
VENDOR REQUIREMENT
📄
SOC 2 Lite
Enterprise clients increasingly require vendors to demonstrate SOC 2 alignment. We assess your controls against the Trust Service Criteria and identify what you'd need to close before a formal audit.
Who needs it: SaaS companies, service providers, anyone an enterprise client has asked about SOC 2
FEDERAL CONTRACTS
🇺🇸
CMMC Level 1
Required for any company in the DoD supply chain. Level 1 covers 17 practices across 6 domains. If you have or pursue federal contracts, CMMC compliance is mandatory by regulation.
Who needs it: Any business with DoD subcontracts or pursuing government work
PRACTICAL BASELINE
🔧
CIS Controls 18
18 actionable security controls prioritized by risk. Implementation Group 1 (IG1) is specifically designed for small businesses with limited resources. The most practical framework to start with.
Who needs it: Any small business that wants a structured security baseline without compliance overhead
WHAT MAKES US DIFFERENT
No other GRC service does this at any SMB price.
EXCLUSIVE TO MITCHGRC
💰
Cyber Insurance Readiness Score
We map your controls directly to the questions on the most common cyber insurance applications (Coalition, Corvus, Chubb, At-Bay). You get a score that predicts your insurability and tells you exactly which gaps will raise your premium or get you denied.
Example: Missing MFA on email = 40% premium increase or disqualification on 3 major carriers. Fixing it costs $0. We tell you that before you apply.
EXCLUSIVE TO MITCHGRC
📜
Client-Ready Security Attestation Letter
When an enterprise client asks “what is your security program?” you need a professional answer. Kevin signs a formal attestation letter documenting your security posture, frameworks assessed, and remediation commitments. Closes deals. Satisfies vendor questionnaires.
Example: Your enterprise client sent a 40-question vendor security questionnaire. We fill it out and provide the attestation letter. Done.
ALL PLANS
📄
8 Ready-to-Use Policy Templates
Frameworks require documented policies. We include 8 professionally written policy templates in Word format — Acceptable Use, Password, Incident Response, BYOD, Data Classification, Remote Work, Vendor Management, and Backup & Recovery. Customize and adopt.
Example: HIPAA requires a written Risk Analysis. We provide the template. Your auditor asks for an Incident Response Plan. You already have it.
ALL PLANS
🗺️
90-Day Prioritized Remediation Roadmap
Not a list of gaps. A week-by-week action plan telling you what to fix, in what order, with what resources. Week 1 closes your highest-risk exposures. Week 12 completes your documentation. Vendor-specific instructions where relevant.
Example: Week 1: Enable MFA on M365 (30 min). Week 2: Sign BAAs with 3 vendors (template provided). Week 3: Conduct access review — here are the accounts to audit.
NO COMPETITOR DOES THIS
📊
Framework-to-Framework Gap Mapping
Once we assess you against NIST CSF, we show you exactly how far you are from HIPAA, SOC 2, or CMMC. So when a new compliance requirement arrives, you already know the delta. No repeat assessment from scratch.
Example: You pass NIST CSF IG1. You’re 73% of the way to SOC 2. Here are the 14 additional controls you’d need for a formal audit.
ALL PLANS
👤
Human-Delivered, Not Software-Generated
Kevin reviews every assessment response, validates findings, removes false positives, writes the plain-English explanations, and signs the report. You are not filling out a web form and getting an automated PDF. You are getting a professional assessment with a professional reviewer.
SAMPLE REPORT OUTPUT
This is what you receive. Plain English. Actionable.
Written for a business owner, not a compliance officer. Every finding includes what it means, what it costs you if ignored, and exactly how to fix it.
Your billing service, cloud storage provider, and IT support company each have access to Protected Health Information. Federal law requires a signed BAA with each. OCR penalties for missing BAAs start at $100,000 per violation and can reach $1.9M annually.
FIX: Three BAA templates included in your report. Send to each vendor, get signed, retain for 6 years. Time: 2 hours. Cost: $0.
CRITICAL
No Formal Incident Response Plan
HIPAA requires a documented IRP. Every major cyber insurer requires a documented IRP as a condition of coverage. Without one, you cannot meet the 60-day breach notification requirement and you may void your policy after a claim.
FIX: IRP template included. Customize with your vendor contacts, escalation path, and notification contacts. Review with Kevin if needed. Time: 3 hours. Cost: $0.
CYBER INSURANCE READINESS
INSURER APPLICATION QUESTIONS — YOUR STATUS
Multi-factor authentication on email
✓ MEETS
Endpoint detection & response deployed
⚠ PARTIAL
Documented Incident Response Plan
✕ MISSING
Privileged access management
✕ MISSING
Security awareness training program
⚠ INFORMAL
CYBER INSURANCE READINESS
Your compliance posture directly affects your coverage and your premium.
Most small businesses don't know their security gaps will affect their cyber insurance until they apply — or until they file a claim and it's denied. MitchGRC maps your controls to insurer requirements before you apply.
What Insurers Actually Ask
Every major cyber insurer asks the same 15-20 questions on their application. Your answers directly determine your premium, your coverage limits, and whether you get coverage at all.
Do you use MFA on all email and remote access?
Do you have a documented Incident Response Plan?
Are privileged accounts managed and monitored?
Do you conduct regular security awareness training?
Do you have offline or immutable backups?
Missing any of these = premium increases of 40-200% or denial
What MitchGRC Delivers
Your assessment report includes a dedicated cyber insurance readiness section showing exactly where you stand against each insurer requirement — before you apply.
Gap analysis against Coalition, Corvus, At-Bay, and Chubb application questions
Estimated premium impact of each open gap
Priority order to close gaps before your renewal
Documentation checklist for your insurance broker
Evidence summary letter for your underwriter
The Security Attestation Letter
When a client, partner, or insurer asks about your security program, you need a professional answer. Every MitchGRC assessment includes a signed attestation letter documenting your security posture.
To Whom It May Concern,
This letter attests that [Business Name] has completed a formal security assessment against the NIST Cybersecurity Framework 2.0 conducted by Mitch's Cyber Solutions LLC. The assessment evaluated controls across governance, asset management, access control, data protection, incident response, and recovery domains...
[Assessment findings summary] [Remediation commitments and timeline] [Next assessment date]
Kevin Mitchell
MITCH'S CYBER SOLUTIONS LLC · PLAINFIELD, IL
INCLUDED POLICY TEMPLATES
8 policies ready to use. Customize and adopt.
Every compliance framework requires documented policies. These templates are included in every assessment — professionally written, framework-mapped, and ready to customize with your business details.
💻
Acceptable Use Policy
Covers acceptable use of company systems, internet, email, and data. Required by NIST CSF and HIPAA.
Template · 4 pages
🔑
Password & Access Policy
Password requirements, MFA mandates, and access provisioning/de-provisioning procedures.
Template · 3 pages
🚨
Incident Response Plan
Step-by-step incident classification, response procedures, notification requirements, and recovery steps.
Template · 8 pages
📱
BYOD Policy
Requirements for personal devices accessing company data. MDM requirements and data wipe procedures.
Template · 3 pages
📂
Data Classification Policy
How to classify data by sensitivity and the handling requirements for each classification level.
Template · 4 pages
🏠
Remote Work Policy
VPN requirements, home network security, and acceptable remote work configurations.
Template · 3 pages
🤝
Vendor Management Policy
Third-party risk assessment requirements and Business Associate Agreement management for HIPAA.
Template · 4 pages
💾
Backup & Recovery Policy
Backup frequency, retention requirements, recovery time objectives, and testing procedures.
Template · 3 pages
HOW IT WORKS
Order today. Report in 48 hours.
No lengthy onboarding. No software to install. A structured questionnaire, a human reviewer, and a complete report delivered within 48 hours.
📝
STEP 01
Complete Intake
Tell us your business type, industry, frameworks needed, and current security measures. 15-minute questionnaire. No technical expertise required.
🔎
STEP 02
Kevin Reviews
Kevin maps your responses against framework controls, validates findings, identifies gaps, and calculates your compliance score.
📊
STEP 03
Report Delivered
You receive your gap report, compliance scorecard, cyber insurance readiness section, 90-day roadmap, and all 8 policy templates.
📞
STEP 04
Debrief (Optional)
Remediation Plan and Monitor customers receive a 30-minute debrief call with Kevin to walk through the findings and roadmap.
HOW WE COMPARE
Enterprise GRC quality. Small business pricing.
Feature
Drata
Vanta
Secureframe
Tugboat Logic
MitchGRC
Gap assessment
✓
✓
✓
✓
✓
Plain English report
—
—
—
—
✓
Cyber insurance readiness score
—
—
—
—
✓
Signed attestation letter
—
—
—
—
✓
Policy templates included
~
~
~
~
✓
90-day remediation roadmap
—
—
—
~
✓
Framework-to-framework mapping
✓
✓
—
—
✓
Human specialist reviewer
—
—
—
—
✓
SMB accessible price
—
—
—
—
✓
Price
$1,000+/mo
$800+/mo
$800+/mo
$500+/mo
$399 flat
PRICING
Flat fees. No subscriptions required. No surprises.
Pay once for a complete assessment. Add monitoring if you want continuous tracking. All prices include the full report, 8 policy templates, and the cyber insurance readiness section.
TIER 01
Gap Assessment
$399 one-time
One framework — delivered within 48 hours
A complete gap assessment against one framework with a full report, compliance scorecard, and cyber insurance readiness section. Everything you need to know where you stand.
Assessment against 1 framework
Gap report with severity ratings
Cyber insurance readiness score
All 8 policy templates
Compliance scorecard (A–F)
Signed attestation letter
Delivered within 48 hours
90-day remediation roadmap
Debrief call with Kevin
Evidence tracker dashboard
TIER 02
Remediation Plan
$799 one-time
Everything in Gap + roadmap + debrief
Everything in the Gap Assessment plus a prioritized 90-day remediation roadmap and a 30-minute debrief call with Kevin to walk through findings and priorities.
Everything in Gap Assessment
90-day prioritized remediation roadmap
Week-by-week action plan
Vendor-specific fix instructions
Second framework mapping included
30-min debrief call with Kevin
30-day follow-up check-in
Quarterly re-assessment
Evidence tracker dashboard
TIER 03
GRC Monitor
$149/mo
or $1,299/year — save $489
Continuous compliance monitoring with quarterly re-assessments, an evidence tracker dashboard, and compliance score trending over time. For businesses with ongoing compliance requirements.
Everything in Remediation Plan
Quarterly re-assessment
Evidence tracker dashboard
Compliance score trend over time
Policy update reminders
Insurance renewal preparation
Priority support (same-day)
Updated attestation letter quarterly
➕ Add-Ons — Available with Any Plan
Additional Framework
Add a second framework to any assessment. Includes cross-framework gap mapping showing shared controls.
$199
Cyber Insurance Prep Package
Complete documentation package formatted for insurance underwriters. Includes evidence summary, control inventory, and completed application answers for Coalition, Corvus, and At-Bay.
$299
Vendor Security Questionnaire Response
When a client sends a 40-question vendor security questionnaire, we complete it on your behalf using your assessment data and Kevin signs it.
$149 per questionnaire
HIPAA Risk Analysis
A formal, documented HIPAA Risk Analysis meeting OCR requirements. Required for covered entities and business associates. Kevin reviews and signs.
$499
📄
If the report doesn't tell you anything new, you don't pay.
If your Gap Assessment contains zero findings you weren't already aware of and have fully documented, we refund you completely. We have never issued this refund.
WHY TRUST US
A compliance report you can actually use.
👤
Kevin Signs Every Report
Every assessment is reviewed and signed by Kevin Mitchell personally. Your attestation letter has a real name on it from a real company. Not a SaaS platform’s logo.
📋
Plain English Throughout
No NIST control numbers in isolation. No compliance jargon without explanation. Every finding is written so a business owner can read it, understand it, and act on it.
🏢
Security Company, Not Compliance SaaS
MitchGRC is operated by Mitch's Cyber Solutions LLC, a managed security company. We run real security programs for real clients. The GRC work reflects actual security practice, not checkbox compliance.
QUESTIONS
Straight answers.
Do I need to be a compliance expert to use this?+
No. The intake questionnaire is written in plain English with no compliance jargon. You describe what you do and what you have. Kevin translates your answers into framework controls. The output report is also written in plain English. You will not need a compliance background to read it or act on it.
Which framework should I start with?+
For most small businesses, NIST CSF 2.0 is the right starting point. It's the most broadly recognized, referenced by cyber insurers, and comprehensive enough to cover the basics of any other framework. If you handle patient data, add HIPAA. If you process payments, add PCI. If a client is asking you about SOC 2, start with NIST CSF and we'll show you the gap to SOC 2 as part of the report.
How is this different from hiring a compliance consultant?+
A compliance consultant typically charges $150-$400/hour and a full engagement costs $5,000-$25,000. MitchGRC delivers the same gap assessment output for $399-$799 because we have a defined methodology, structured questionnaire, and a direct line to Kevin rather than a team of junior consultants. The deliverable is the same — a gap report, roadmap, and documentation — at a fraction of the cost.
What is the cyber insurance readiness score?+
Every major cyber insurer (Coalition, Corvus, At-Bay, Chubb, Travelers) uses a similar set of 15-20 security controls as the basis for their underwriting questions. We map your controls to these questions and score you against them. You see which gaps will affect your premium or eligibility before you apply. Fixing an IRP template costs $0 and could save you 30-40% on your premium or prevent a denial.
What is the security attestation letter used for?+
The attestation letter is used when a client, partner, or procurement team asks about your security program. Enterprise clients increasingly require vendors to demonstrate a security posture before signing contracts. The letter documents that a formal assessment was conducted, summarizes your controls, and outlines your remediation commitments. It is signed by Kevin Mitchell on behalf of Mitch's Cyber Solutions LLC. Many clients accept this in lieu of a full SOC 2 report for SMB vendor relationships.
Do the policy templates actually satisfy compliance requirements?+
The templates are written to satisfy the documentation requirements of NIST CSF, HIPAA, and CIS Controls. They need to be customized with your specific business details, employee names, contact numbers, and vendor information. A policy template that has been properly customized and adopted by your organization satisfies the “documented policy” requirement across frameworks. Kevin reviews all templates for your specific industry during the Remediation Plan and Monitor tiers.
GRC
MitchGRC// ASSESSMENT ORDER
Order Your Assessment
Tell us about your business and what frameworks matter to you. Kevin reviews your responses and delivers your report within 48 hours.
BUSINESS
PLAN
SECURITY
CONTACT
CONFIRM
STEP 1 OF 5
Gap Assessment — $399 one-time
Full gap report + compliance scorecard + cyber insurance readiness + 8 policy templates + attestation letter. 48hr delivery.
Remediation Plan — $799 one-time
Gap Assessment + 90-day week-by-week roadmap + second framework mapping + 30-min debrief call with Kevin.
Tell us what you currently have in place. Be honest — gaps are expected and that's what we're here to find. There are no wrong answers.
STEP 3 OF 5
Report and all templates delivered here within 48 hours of payment confirmation.
STEP 4 OF 5
Review your order. Kevin receives your intake immediately and begins the assessment within 24 hours of payment confirmation.
I confirm the information provided is accurate to the best of my knowledge. I understand this is an assessment and advisory service, not a legal or regulatory determination. MitchGRC reports should be reviewed with qualified counsel for formal compliance requirements.
STEP 5 OF 5
✅
Order received. Assessment begins within 24 hours.
Payment link is on its way to your email. Kevin will begin your assessment as soon as payment is confirmed. Report delivered within 48 hours of that.