Question 1

What is vendor cyber risk?

Accepted Answer

Vendor cyber risk is the cybersecurity exposure your organization inherits from its suppliers, partners, and service providers. When a third party has access to your systems, data, or network — even indirectly — a breach on their side can become a breach on yours. This is also called third-party cyber risk or supply chain risk.

The threat is well documented. The SolarWinds attack compromised 18,000 organizations through a single software update. The MOVEit breach affected over 2,500 organizations worldwide through one file transfer tool. In both cases, victims had no direct vulnerability — their vendor did.

Regulators have responded. NIS2 requires organizations in scope to formally assess and manage cyber risk across their entire supply chain. DORA mandates ICT third-party risk management for financial entities in the EU. ISO 27001 includes supplier relationships as a control domain. Cyber insurers now routinely ask about vendor risk programs during underwriting.

A vendor cybersecurity questionnaire is the standard starting point — it establishes a baseline of each supplier's security posture across policy, access controls, incident response, and compliance. Atumcell's free vendor questionnaire covers all 20 key controls and includes a risk rating guide.

Question 2

What is NIS2 and who does it apply to?

Accepted Answer

NIS2 (Network and Information Security Directive 2) is the European Union's primary cybersecurity law, which replaced the original NIS Directive and became enforceable across EU member states from October 2024. It sets mandatory cybersecurity requirements for organizations operating in critical and important sectors.

NIS2 applies to medium and large organizations — generally those with 50 or more employees or €10M+ in annual revenue — operating in the following sectors: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space (essential entities); and manufacturing of critical products, food production, postal and courier services, waste management, chemicals, and digital providers (important entities).

What NIS2 requires: organizations in scope must implement security measures across 10 requirement areas defined in Article 21 — including risk analysis, incident handling, business continuity, supply chain security, cryptography, access control, and multi-factor authentication. Significant incidents must be reported to the relevant national authority within 24 hours of detection. Senior management can be held personally liable for non-compliance.

Penalties: essential entities face fines of up to €10 million or 2% of global annual turnover. Important entities face fines of up to €7 million or 1.4% of global annual turnover.

Even organizations outside the EU may be affected if they provide services to EU-based entities in scope, since NIS2 extends supply chain requirements to vendors.

Question 3

What is DMARC and why does it matter?

Accepted Answer

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that tells receiving mail servers what to do with emails that fail SPF checks — and sends the domain owner reports on who is sending email from their domain.

Without DMARC, anyone can send an email that appears to come from your domain. This enables email spoofing attacks including phishing, business email compromise (BEC), and brand impersonation — some of the most costly attack types in cybersecurity. The FBI estimates BEC losses exceed $2.9 billion annually in the US alone.

DMARC has three policy settings. p=none is a monitoring-only mode — it collects data but takes no protective action, meaning spoofed emails still reach inboxes. p=quarantine sends suspicious emails to spam. p=reject blocks them entirely. Only p=quarantine or p=reject provide actual protection against spoofing.

DMARC also generates aggregate reports showing every server that sent email claiming to be from your domain. This visibility is critical for identifying unauthorized senders before tightening your policy.

DMARC is now required by the UK NCSC for public sector organizations, mandated by CISA for US federal agencies, referenced in NIS2 Article 21, and increasingly required by enterprise procurement teams and cyber insurers as a baseline control. If your domain has no DMARC record, or has one set to p=none, it can be spoofed today.

Question 4

What is SPF?

Accepted Answer

SPF (Sender Policy Framework) is a DNS record that specifies which mail servers are authorized to send email from your domain. It is one of the two foundational email authentication controls — the other being DMARC.

When a receiving mail server gets an email claiming to be from your domain, it checks your SPF record to verify whether the sending server's IP address is on the approved list. If it is not, the email fails the SPF check.

What happens after an SPF failure depends on your DMARC policy. Without DMARC, a failed SPF check often has no consequence — the email is delivered anyway. With DMARC set to p=quarantine or p=reject, a failed SPF check triggers the protective action.

SPF records end with a qualifier that defines what to do with unauthorized senders. -all (hard fail) is the strongest — it instructs receiving servers to reject all mail from unlisted servers. ~all (soft fail) marks it as suspicious but typically still delivers it. +all allows any server to send from your domain and should never be used.

Common SPF mistakes include exceeding the 10 DNS lookup limit (which causes SPF to break silently), using ~all instead of -all, and failing to include all legitimate sending services — such as email marketing platforms, CRMs, and ticketing systems — in the record.

Question 5

How do I know if my domain can be spoofed?

Accepted Answer

You can check whether your domain can be spoofed in seconds using SpoofCheck — Atumcell's free domain security tool. Enter your domain and SpoofCheck analyzes your SPF and DMARC DNS records, identifies misconfigurations, and returns a risk rating with specific gaps and recommended fixes. No login required.

The most common indicators that a domain can be spoofed are: no SPF record exists; SPF uses ~all instead of -all; no DMARC record exists; or DMARC is set to p=none (monitoring only, no protection). Any of these conditions means spoofed emails from your domain can reach recipient inboxes.

For a manual audit, Atumcell's free Email Authentication Audit Checklist walks through 14 controls across SPF and DMARC configuration, with a risk rating (Critical / High / Medium) and specific remediation guidance for each gap.

If you are assessing a supplier's domain rather than your own, SpoofCheck supports bulk domain checking — useful for third-party risk assessments and procurement due diligence.

Question 6

What is CIS 18 and why does it matter?

Accepted Answer

The CIS 18 Critical Security Controls (CIS Controls v8, formerly CIS Top 20) are a prioritized set of cybersecurity actions developed by the Center for Internet Security to defend against the most prevalent real-world attacks. They are maintained by a global community of security practitioners and updated to reflect the current threat landscape.

The 18 controls are organized into three implementation groups based on organizational size and risk: IG1 (basic cyber hygiene, suitable for all organizations), IG2 (for organizations with moderate risk and IT resources), and IG3 (for organizations with significant security expertise and high-risk environments). Each control includes specific safeguards — granular, technical actions that can be implemented and measured.

The 18 control areas are: Inventory and Control of Enterprise Assets; Inventory and Control of Software Assets; Data Protection; Secure Configuration of Enterprise Assets and Software; Account Management; Access Control Management; Continuous Vulnerability Management; Audit Log Management; Email and Web Browser Protections; Malware Defenses; Data Recovery; Network Infrastructure Management; Network Monitoring and Defense; Security Awareness and Skills Training; Service Provider Management; Application Software Security; Incident Response Management; and Penetration Testing.

CIS 18 is widely used as a practical security baseline by organizations that have not yet adopted ISO 27001 or SOC 2. It maps directly to NIST CSF, PCI DSS, and HIPAA, and is accepted as evidence of security due diligence by cyber insurers, enterprise procurement teams, and PE portfolio managers. Atumcell's free CIS 18 self-assessment covers all 18 control areas and provides an instant gap report.

Question 7

Are these templates free?

Accepted Answer

Yes — all self-assessments and templates on this page are completely free. No account, subscription, or credit card is required to use them.

You can run any assessment directly in your browser and receive your results instantly. If you want a formatted PDF of your results — useful for sharing with your board, a cyber insurer, an auditor, or a procurement team — a short lead capture form is shown before the download. Your data is handled in line with Atumcell's Privacy Policy and is never sold or shared with third parties.

The templates are designed for practical use, not just awareness. Each one maps to the frameworks regulators and auditors actually check — NIS2, ISO 27001, DORA, and CIS 18 — so your results are directly usable in compliance conversations.

Free Cybersecurity
Templates & Tools

Why security teams use Atumcell templates

Regulatory standard

No login required

Instant results

Built by practitioners

CIS 18 Controls Self-Assessment

Vendor Cybersecurity Questionnaire

Email Authentication Audit Checklist

NIS2 Compliance Self-Assessment

Frequently asked questions

Discover Your
Cyber Risk Level.

Free CybersecurityTemplates & Tools