Σ  SIGMA RCSA · CYBERSECURITY

Deep-dive risk assessments that run themselves.

Every year, regulated enterprises must prove their controls actually work — walkthroughs with application owners, document request lists, evidence reviews, draft findings, remediation roadmaps. Today that program lives in fifty spreadsheets and a thousand emails. SigmaRCSA is one portal that runs the entire Risk & Control Self-Assessment lifecycle: risk-based scoping, evidence that checks itself the moment it's uploaded, owner-scoped draft socialization, and a board-ready report at the end.

Framework-agnostic Automatic evidence checking Owner portal Board-ready reporting On-prem or hosted
106
NIST CSF 2.0 subcategories bundled in-box — or import SOC 2, PCI DSS, HIPAA, or your own framework from Excel
Instant
Evidence sufficiency verdicts the moment an owner uploads — relevance, recency, and document type, checked automatically
0
Bytes of your control data leave your environment by default — self-hosted, zero external dependencies
1 click
From finalized results to a branded PowerPoint: thematic gaps, remediation roadmap, maturity profile

Product walkthrough

Six stages. One system of record.

Stage 01 · Scope

Pick the framework. Pick the assets. Done.

Your application inventory carries owners, data-sensitivity flags, and criticality ratings — so risk-based scoping is one click: assess the crown jewels first. Framework × assets becomes a full assessment plan instantly.

Stage 02 · Applicability

Not every control applies. Prove why.

Enterprise-level controls, absent data classes, vendor-run stacks — mark any control not-applicable per asset, with a written rationale that lands in the audit trail. Auditors see a matrix, not a shrug.

Stage 03 · Evidence

Evidence that checks itself on upload.

Owners get a portal scoped to their applications, a tailored document request list, and automatic reminders and escalations. Every upload is scored on the spot — topic relevance, document type, recency — so weak evidence gets fixed in minutes, not at the eleventh hour. Assessors can send one back with a specific ask; a configurable round cap keeps fieldwork converging.

Stage 04 · Assess

Human judgment, machine-prepared.

Assessors see the evidence, the automatic verdict with its reasons, and an optional AI second opinion — then record the call: No gap, Gap, or Documentation gap, with a 1–5 maturity rating, remediation priority, and level of effort. The engine advises; your expert decides.

Stage 05 · Socialize

No surprises in the final report.

DRAFT results go to owners — each sees only their own applications. They confirm, or dispute with rationale and additional evidence; disputes route straight back to the assessor for re-review. Unanswered drafts finalize as drafted. Fair, fast, and fully recorded.

Stage 06 · Report

The deck writes itself.

One click generates the leadership deck: executive summary, thematic view of gaps, gap concentration by application, a do-now / do-next / do-later remediation roadmap with level of effort, and the maturity profile. Finalized cycles archive year-over-year — regulators love a tidy history.

The method

Your assessment process — the one you already run — automated end to end.

Inventory & prioritize

Central asset register with owners, criticality, and PII / PHI / PCI flags drives risk-based selection.

Select the framework

NIST CSF 2.0 in-box; SOC 2, PCI DSS, HIPAA, COBIT, or your custom catalog imported from Excel.

Tailor applicability

Per-asset applicability matrix with recorded rationale for every exclusion.

Collect evidence

Kickoffs, document request lists, reminders, and escalations — sent automatically, tracked centrally.

Check & assess

Instant sufficiency verdicts on upload; assessors record findings and maturity on a scale you define.

Socialize drafts

Owners review results scoped to their assets, confirm or dispute with evidence before anything is final.

Report & prioritize

Thematic gaps, do-now / do-next / do-later remediation, level of effort — one click to PowerPoint.

Archive & repeat

Every cycle preserved year-over-year for regulators, trend lines, and next year's head start.

Why teams switch

Built for the people who actually run the program.

Evidence that checks itself

Every upload is scored against the control it claims to satisfy — before an assessor spends a minute on it. Weak evidence gets caught in the same sitting it was uploaded.

Owners see only their world

Application owners get a clean portal: what's due, what's been asked, and their own draft results. Never anyone else's.

The chasing runs itself

Reminders and escalations target only owners with open items. Fieldwork back-and-forth is capped and tracked, so assessments converge instead of cycling.

Every decision has a receipt

Applicability rationale, evidence verdicts, owner responses, finding changes — an append-only audit trail regulators can walk through.

History that compounds

Year-over-year archive of finalized cycles: trend maturity, show remediation progress, and start next year's assessment from this year's baseline.

Runs where your data lives

Download and run it on your own servers — any OS, zero external dependencies — or let us host a dedicated instance. Your evidence never leaves your control.

Security & deployment

A risk tool that would pass its own assessment.

Data protection

  • Self-hosted by default — nothing leaves your environment
  • Evidence stored outside the web root, integrity-hashed, served download-only
  • Role-based access with object-level ownership checks
  • AI review is opt-in, with your own API key — off by default

Application security

  • scrypt password hashing, session hardening, account lockout
  • CSRF protection on every mutation; strict input validation
  • Upload allowlist verified against file magic bytes
  • Append-only audit trail of every sign-in and change

Operations

  • Single Node.js process, zero dependencies — auditable in an afternoon
  • Runs on macOS, Windows, Linux, Docker, or our hosted cloud
  • All state in one directory: back it up, restore it, done
  • Offline license activation — no phone-home

See SigmaRCSA on your own controls.

We'll walk your team through a live cycle — your framework, your asset classes, your workflow — and leave you with an evaluation instance to explore.

Request a Private Demo