Professional Documents
Culture Documents
NIST CSF2.0 Maturity Tool v1.0
NIST CSF2.0 Maturity Tool v1.0
NIST CSF2.0 Maturity Tool v1.0
0 - March 1, 2024
This worksheet is the culmination of over a decade of measuring the maturity of variou
Framework (CSF) v2.0 with the addition of maturity levels for both policy and practice.
* Policy Maturity: How well do your corporate policies, procedures, standards, and guid
* Practice Maturity: How well do your actual operational practices satisfy the NIST CSF
The goal of the Maturity Level descriptions is to provide some guidance around what g
for a Level 3 maturity, feel free to change it to better suit your needs.
Finally, this is in no way intended to infringe upon any work the good folks over at NIST
completely owned by NIST.
Directions:
1) Review the ‘Maturity Levels’ tab to gain an understanding of how to rank each of the controls in
versus the practices column. The expectations reflected in these maturity levels are based on years
circumstances.
2) On the ‘CSF Summary’ tab, review the Target Scores for applicability within your organization. In
what you think the right level of control for your organization.
3) Using the 1-5 values in the Maturity tab, enter a value in each of the Policy/Practice cells. In orde
2.5) are permitted. Sample values are provided only to demonstrate the functionality of the chart on
ring the maturity of various security programs. This current iteration is founded on the 2024 NI
both policy and practice.
he good folks over at NIST have done. All of the questions and associated information on the ‘N
w.nist.gov/cyberframework
ww.nist.gov/privacy-framework
o rank each of the controls in the ‘NIST CSF Details’ tab. There are different meanings for each level of matur
urity levels are based on years of experience in multiple organizations. However, feel free to adjust them as ne
y within your organization. In most cases, the target of some controls will be different than others. This is m
e Policy/Practice cells. In order to provide as much functionality as possible, you are not locked into a hard 0
e functionality of the chart on the ‘CSF Summary’ page. Clear the existing values before beginning your asses
Change Log
* Mar 1, 2024 - CSF 2.0 Release 1.0 -
s founded on the 2024 NIST Cybersecurity Updated to reflect the new CSF 2.0
requirements. Also enhanced readabili
based on user feedback.
u are not locked into a hard 0-5 value; partial values (i.e.
s before beginning your assessment.
Change Log
24 - CSF 2.0 Release 1.0 -
reflect the new CSF 2.0
nts. Also enhanced readability
ser feedback.
Policy Practice
Score Score
3.14 2.85
4.50 2.50
2.70 3.30
3.14 2.71
Adverse Event Analysis (DE.AE)
2.90 3.30
4.00 2.00
2.83 3.50
Continuous Monitoring (DE.CM) 0.0
3.50 1.50
2.00 4.00
3.17 2.50
Technology Infrastructure Resilience (PR.IR)
3.50 3.50
2.40 3.00
3.00 3.00
2.50 3.50
Data Security (PR.DS)
2.50 3.50
Awareness and Training (PR.AT)
4.50 1.50 Identity Management, Authentication, and Access Co
2.50 3.50
4.50 1.50
NIST Cyber Security Framework 2.0
Overall Average Score
Maturity Levels
Organizational Context (GV.OC)
5.0
Risk Management Strategy (GV.RM)
5 - Optimal
4 - Managed
3 - Defined
Policy (GV.PO) 2 - Acknowledged
1 - Initial
0 - Non-existent
Target Score
Policy Score
Practice Score
Cybersecurity Supply Chain Risk Management (GV.SC)
Improvement (ID.IM)
anagement, Authentication, and Access Control (PR.AA)
Asset Management (ID.AM)
Improvement (ID.IM)
anagement, Authentication, and Access Control (PR.AA)
work 2.0
ed
The NIST Cybersecurity Framework 2.0 www.nist.gov/cyberframework
GV.OV-03: Organizational
cybersecurity risk management
performance is evaluated and
reviewed for adjustments needed
GOVERN (GV)
IDENTIFY (ID): The
organization's current
cybersecurity risks are
understood
IDENTIFY (ID)
PROTECT (PR): Safeguards
to manage the
organization's
cybersecurity risks are
used
Data Security (PR.DS): Data are managed consistent with the organization's
risk strategy to protect the confidentiality, integrity, and availability of
information
PR.PS-01: Configuration
management practices are
established and applied
PROTECT (PR)
DETECT (DE): Possible
cybersecurity attacks and
compromises are found
and analyzed
DETECT (DE)
RESPOND (RS): Actions
regarding a detected
cybersecurity incident are
taken
RESPOND (RS)
RECOVER (RC): Assets and
operations affected by a
cybersecurity incident are
restored
RECOVER (RC)
Policy Practice
Score Score
3.17 2.83
Ov
5.00 1.00 Protective Technology (PR.PT-P)
4.00 2.00
Maintenance (PR.MA-P)
3.00 3.00
2.00 4.00
Data Security (PR.DS-P)
1.00 5.00
5.00 1.00
3.00 3.00
2.00 4.00
5.00 1.00
4.00 2.00
2.00 4.00
1.00 5.00
Communication Policies, Processes, and Procedures (CM.PO-P)
5.00 1.00
5.0
.MA-P) Business Environment (ID.BE-P)
5 - Optimal
4 - Managed
3 - Defined
2 - Acknowledged
1 - Initial
Risk Assessment (ID.RA-P)
0 - Non-existent
0.0
Target Score
Policy Score
Practice Score
Risk Management Strategy (GV.RM-P)
Data Processing Management (CT.DM-P) Data Processing Policies, Processes, and Procedures (CT.PO-P)
cessing (CT.DP-P) Monitoring and Review (GV.MT-P)
Data Processing Management (CT.DM-P) Data Processing Policies, Processes, and Procedures (CT.PO-P)
)
V.PO-P)
NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk
Management Version 1.0 Core
NIST Privacy Framework Core
Function Category
IDENTIFY-P (ID-P): Develop Inventory and Mapping (ID.IM-P): Data
the organizational processing by systems, products, or
understanding to manage services is understood and informs the
privacy risk for individuals management of privacy risk.
arising from data processing.
Identity Management,
Authentication, and Access Control
(PR.AC-P): Access to data and devices
is limited to authorized individuals,
processes, and devices, and is
managed consistent with the assessed
risk of unauthorized access.
Data Security (PR.DS-P): Data are
managed consistent with the
organization’s risk strategy to protect
individuals’ privacy and maintain data
confidentiality, integrity, and
availability.
Shading
Key:
cy Framework Core Policy
Subcategory Score
ID.IM-P1: Systems/products/services that process data
The Function, Category, or Subcategory aligns with the Cybersecurity Framework, but the text has been adapted for the Privacy Framework.
The Category or Subcategory is identical to the Cybersecurity Framework.
are inventoried.
5.0
4.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
2.0
2.0
2.0
3.0
3.0
3.0
3.0
3.0
4.0
4.0
4.0
4.0
4.0
5.0
5.0
5.0
5.0
5.0
5.0
1.0
1.0
1.0
2.0
2.0
2.0
2.0
3.0
3.0
3.0
3.0
3.0
3.0
3.0
4.0
4.0
4.0
4.0
5.0
5.0
5.0
5.0
5.0
5.0
5.0
5.0
5.0
5.0
1.0
1.0
1.0
1.0
1.0
2.0
2.0
3.0
3.0
3.0
3.0
3.0
3.0
3.0
3.0
4.0
4.0
4.0
4.0
4.0
4.0
4.0
4.0
4.0
4.0
5.0
5.0
5.0
5.0
5.0
5.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
2.0
2.0
3.0
3.0
3.0
3.0
Document
NIST 800-53
CIS CSC
COBIT 5
ISA 62443 (All)
ISO/IEC 27001
Link
https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final
https://www.cisecurity.org/controls/
http://www.isaca.org/cobit/pages/default.aspx
https://www.isa.org/standards-and-publications/isa-standards/find-isa-standards-in-numerical-order/
https://www.iso.org/isoiec-27001-information-security.html