NIST CSF Maturity Tool v2.1

This tool is intended to assist in measuring the maturity of various security programs. This current iteration is founded on the 2018 NIST Cybersecurity Framework (CSF) with the addition of maturity levels for both policy and practice.

* Policy Maturity: How well do your corporate policies, procedures, standards, and guidelines satisfy the NIST CSF requirements?
* Practice Maturity: How well do your actual operational practices satisfy the NIST CSF requirements, regardless of what your policies and standards say?

The goal of the Maturity Level descriptions is to provide some guidance around what good practices look like. If, for example, you believe that a 5% policy exception rate is too high for a Level 3 maturity, feel free to change it to better suit your needs.

Finally, this is in no way intended to infringe upon any work the good folks over at NIST have done. All of the questions and associated information on the ‘NIST CSF Details’ tab is completely owned by NIST. Certain cells are protected so the user doesn't accidentally step on a formula. You can unprotect the worksheet using password '2018NISTCMM'.

References:
www.nist.gov/cyberframework
www.nist.gov/privacy-framework

Directions:
1) Review the ‘Maturity Levels’ tab to gain an understanding of how to rank each of the controls in the ‘NIST CSF Details’ tab. There are different meanings for each level of maturity in the policy column versus the practices column.
2) On the ‘CSF Summary’ tab, review the Target Scores for applicability within your organization. In most cases, the target of some controls will be different than others. This is meant to be the ‘goal’ of what you think is the right level of control for your organization.
3) Using the 0-5 values in the Maturity Levels tab, enter a value in each of the Policy/Practice cells. In order to provide as much functionality as possible, you are not locked into a hard 0-5 integer scale; fractional values (i.e., 2.5) are permitted. Sample values are provided only to demonstrate the functionality of the chart on the ‘CSF Summary’ page.

Change Log
* Feb/28/2022 - Release 2.1 - Corrected cell reference in Privacy Summary tab (E5-E6) which resulted in incorrect calculations, and cleaned up references in NIST Summary for consistency.
* Feb/18/2022 - Release 2.0. Added Privacy Framework. Reworked formulas to support easier future updates.
* Jan/19/2019 - Release 1.0. Original Release.
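The directions above describe the scoring model the ‘CSF Summary’ tab implements: every subcategory gets a Target, Policy and Practice score on the 0-5 scale (fractions allowed), and the summary tab averages those up to the category and function level so that gaps against target show on the chart. The script below is an added example, not part of the workbook or its formulas; it assumes the Details tab has been exported as rows of (subcategory id, target, policy, practice), and the sample rows are constructed to mirror the kind of values the summary chart displays (they are not the tool's own sample data). The floor-to-level labelling in `level_label` is this example's convention, not something the tool specifies.

```python
"""Roll up NIST CSF / Privacy Framework maturity scores the way a summary tab does.

Added example, not code from the NIST CSF Maturity Tool workbook. Assumes an
export of rows (subcategory id, target, policy, practice); SAMPLE_ROWS below
are constructed for illustration.
"""
import math
from collections import defaultdict
from statistics import mean

# Levels as listed on the tool's 'Maturity Levels' tab.
MATURITY_LEVELS = {
    0: "Non-existent", 1: "Initial", 2: "Acknowledged",
    3: "Defined", 4: "Managed", 5: "Optimal",
}

# Constructed sample rows: (subcategory, target, policy, practice).
SAMPLE_ROWS = [
    ("DE.CM-1", 3.0, 5.0, 2.0),
    ("DE.CM-4", 3.0, 5.0, 2.0),
    ("DE.DP-1", 3.0, 2.0, 3.0),
    ("DE.DP-3", 3.0, 2.0, 3.0),
    ("RS.RP-1", 3.0, 4.0, 1.0),
    ("PR.AC-1", 3.0, 2.5, 3.5),  # fractional values are permitted by the tool
]


def validate_score(value, name):
    """Scores must lie on the 0-5 scale; fractions such as 2.5 are allowed."""
    if not 0.0 <= value <= 5.0:
        raise ValueError(f"{name}: score {value} is outside the 0-5 scale")
    return float(value)


def split_id(subcategory):
    """Return (function, category) for a CSF or Privacy Framework subcategory id.

    'DE.CM-1' -> ('DE', 'DE.CM'); Privacy ids carry a -P suffix on the
    category and function: 'ID.IM-P1' -> ('ID-P', 'ID.IM-P').
    """
    category, _, suffix = subcategory.partition("-")
    privacy = suffix.startswith("P")
    if privacy:
        category += "-P"
    function = category.split(".")[0] + ("-P" if privacy else "")
    return function, category


def roll_up(rows):
    """Average target/policy/practice per category, per function, and overall.

    Each summary holds the three averages rounded to 2 places (as the summary
    tab displays them) plus the shortfall of policy and practice against target;
    a positive gap means the score is below target.
    """
    per_category = defaultdict(list)
    per_function = defaultdict(list)
    for sub, target, policy, practice in rows:
        scores = tuple(
            validate_score(v, f"{sub} {n}")
            for v, n in ((target, "target"), (policy, "policy"), (practice, "practice"))
        )
        function, category = split_id(sub)
        per_category[category].append(scores)
        per_function[function].append(scores)

    def summarise(score_rows):
        target, policy, practice = (round(mean(col), 2) for col in zip(*score_rows))
        return {"target": target, "policy": policy, "practice": practice,
                "policy_gap": round(target - policy, 2),
                "practice_gap": round(target - practice, 2)}

    all_rows = [s for group in per_category.values() for s in group]
    return {"categories": {c: summarise(r) for c, r in per_category.items()},
            "functions": {f: summarise(r) for f, r in per_function.items()},
            "overall": summarise(all_rows)}


def level_label(score):
    """Label the level a score has fully reached (floor), e.g. 2.83 -> '2 - Acknowledged'."""
    level = min(5, max(0, math.floor(score)))
    return f"{level} - {MATURITY_LEVELS[level]}"


def behind_target(rows):
    """Categories whose practice average falls short of target: the gap the chart exposes."""
    categories = roll_up(rows)["categories"]
    return sorted(c for c, s in categories.items() if s["practice_gap"] > 0)


if __name__ == "__main__":
    result = roll_up(SAMPLE_ROWS)
    for cat, s in sorted(result["categories"].items()):
        print(f"{cat:8} target {s['target']:.2f}  policy {s['policy']:.2f}  "
              f"practice {s['practice']:.2f}  ({level_label(s['practice'])})")
    print("overall:", result["overall"])
    print("behind target on practice:", behind_target(SAMPLE_ROWS))
```

Reading policy and practice as separate columns is what makes the rollup useful: in the constructed sample, DE.CM is fully documented (policy 5.0) yet operates two levels below target (practice 2.0), while DE.DP has thin policy coverage but meets target in practice; a single blended score would hide both conditions.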
CSF Summary (sample values)

Category                                  Target Score   Policy Score   Practice Score
Security Continuous Monitoring (DE.CM)    3.00           5.00           2.00
Detection Processes (DE.DP)               3.00           2.00           3.00
Response Planning (RS.RP)                 3.00           4.00           1.00

Other category labels visible on the summary chart (values not extracted): RESPOND (RS); Analysis (RS.AN); Communications (RS.CO); Information Protection Processes and Procedures (PR.IP); Business Environment (ID.BE); Governance (ID.GV); Risk Assessment (ID.RA); Data Security (PR.DS). Chart legend: Target Score, Policy Score, Practice Score.

Maturity Levels: 5 - Optimal; 4 - Managed; 3 - Defined; 2 - Acknowledged; 1 - Initial; 0 - Non-existent

NIST CSF Details tab columns: Function | Category | Subcategory
IDENTIFY (ID)
ID.RA-1: Asset vulnerabilities are identified and documented

Informative References (subcategory labels were not extracted; the Target Score shown after each group is that row's value):

Informative References:
· NIST SP 800-53 Rev. 4 CP-2, CP-4, IR-3, IR-4, IR-6, IR-8, IR-9

Informative References:
· CIS CSC 1, 5, 15, 16
· COBIT 5 DSS05.04, DSS06.03
· ISA 62443-2-1:2009 4.3.3.5.1
· ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9
· ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
· NIST SP 800-53 Rev. 4 AC-1, AC-2, IA-1, IA-2, IA-3, IA-4, IA-5, IA-6, IA-7, IA-8, IA-9, IA-10, IA-11
Target Score: 3.0

Informative References:
· COBIT 5 DSS01.04, DSS05.05
· ISA 62443-2-1:2009 4.3.3.3.2, 4.3.3.3.8
· ISO/IEC 27001:2013 A.11.1.1, A.11.1.2, A.11.1.3, A.11.1.4, A.11.1.5, A.11.1.6, A.11.2.1, A.11.2.3, A.11.2.5, A.11.2.6, A.11.2.7, A.11.2.8
· NIST SP 800-53 Rev. 4 PE-2, PE-3, PE-4, PE-5, PE-6, PE-8
Target Score: 3.0

Informative References:
· CIS CSC 12
· COBIT 5 APO13.01, DSS01.04, DSS05.03
· ISA 62443-2-1:2009 4.3.3.6.6
· ISA 62443-3-3:2013 SR 1.13, SR 2.6
· ISO/IEC 27001:2013 A.6.2.1, A.6.2.2, A.11.2.6, A.13.1.1, A.13.2.1
· NIST SP 800-53 Rev. 4 AC-1, AC-17, AC-19, AC-20, SC-15
Target Score: 3.0

Informative References:
· CIS CSC 3, 5, 12, 14, 15, 16, 18
· COBIT 5 DSS05.04
· ISA 62443-2-1:2009 4.3.3.7.3
· ISA 62443-3-3:2013 SR 2.1
· ISO/IEC 27001:2013 A.6.1.2, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
· NIST SP 800-53 Rev. 4 AC-1, AC-2, AC-3, AC-5, AC-6, AC-14, AC-16, AC-24
Target Score: 3.0

Informative References:
· CIS CSC 9, 14, 15, 18
· COBIT 5 DSS01.05, DSS05.02
· ISA 62443-2-1:2009 4.3.3.4
· ISA 62443-3-3:2013 SR 3.1, SR 3.8
· ISO/IEC 27001:2013 A.13.1.1, A.13.1.3, A.13.2.1, A.14.1.2, A.14.1.3
· NIST SP 800-53 Rev. 4 AC-4, AC-10, SC-7
Target Score: 3.0

Informative References:
· CIS CSC 16
· COBIT 5 DSS05.04, DSS05.05, DSS05.07, DSS06.03
· ISA 62443-2-1:2009 4.3.3.2.2, 4.3.3.5.2, 4.3.3.7.2, 4.3.3.7.4
· ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1
· ISO/IEC 27001:2013 A.7.1.1, A.9.2.1
· NIST SP 800-53 Rev. 4 AC-1, AC-2, AC-3, AC-16, AC-19, AC-24, IA-1, IA-2, IA-4, IA-5, IA-8, PE-2, PS-3
Target Score: 3.0

Informative References:
· CIS CSC 1, 12, 15, 16
· COBIT 5 DSS05.04, DSS05.10, DSS06.10
· ISA 62443-2-1:2009 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9
· ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 1.10
· ISO/IEC 27001:2013 A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, A.18.1.4
· NIST SP 800-53 Rev. 4 AC-7, AC-8, AC-9, AC-11, AC-12, AC-14, IA-1, IA-2, IA-3, IA-4, IA-5, IA-8, IA-9, IA-10, IA-11
Target Score: 3.0

Informative References:
· CIS CSC 17, 18
· COBIT 5 APO07.03, BAI05.07
· ISA 62443-2-1:2009 4.3.2.4.2
· ISO/IEC 27001:2013 A.7.2.2, A.12.2.1
· NIST SP 800-53 Rev. 4 AT-2, PM-13
Target Score: 5.0

Informative References:
· CIS CSC 5, 17, 18
· COBIT 5 APO07.02, DSS05.04, DSS06.03
· ISA 62443-2-1:2009 4.3.2.4.2, 4.3.2.4.3
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
· NIST SP 800-53 Rev. 4 AT-3, PM-13
Target Score: 5.0

Informative References:
· CIS CSC 17
· COBIT 5 APO07.03, APO07.06, APO10.04, APO10.05
· ISA 62443-2-1:2009 4.3.2.4.2
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.1, A.7.2.2
· NIST SP 800-53 Rev. 4 PS-7, SA-9, SA-16
Target Score: 5.0

Informative References:
· CIS CSC 17, 19
· COBIT 5 EDM01.01, APO01.02, APO07.03
· ISA 62443-2-1:2009 4.3.2.4.2
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
· NIST SP 800-53 Rev. 4 AT-3, PM-13
Target Score: 5.0

Informative References:
· CIS CSC 17
· COBIT 5 APO07.03
· ISA 62443-2-1:2009 4.3.2.4.2
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
· NIST SP 800-53 Rev. 4 AT-3, IR-2, PM-13
Target Score: 5.0

Informative References:
· CIS CSC 13, 14
· COBIT 5 APO01.06, BAI02.01, BAI06.01, DSS04.07, DSS05.03, DSS06.06
· ISA 62443-3-3:2013 SR 3.4, SR 4.1
· ISO/IEC 27001:2013 A.8.2.3
· NIST SP 800-53 Rev. 4 MP-8, SC-12, SC-28
Target Score: 1.0

Informative References:
· CIS CSC 13, 14
· COBIT 5 APO01.06, DSS05.02, DSS06.06
· ISA 62443-3-3:2013 SR 3.1, SR 3.8, SR 4.1, SR 4.2
· ISO/IEC 27001:2013 A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3
· NIST SP 800-53 Rev. 4 SC-8, SC-11, SC-12
Target Score: 1.0

Informative References:
· CIS CSC 1
· COBIT 5 BAI09.03
· ISA 62443-2-1:2009 4.3.3.3.9, 4.3.4.4.1
· ISA 62443-3-3:2013 SR 4.2
· ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.8.3.3, A.11.2.5, A.11.2.7
· NIST SP 800-53 Rev. 4 CM-8, MP-6, PE-16
Target Score: 1.0

Informative References:
· CIS CSC 1, 2, 13
· COBIT 5 APO13.01, BAI04.04
· ISA 62443-3-3:2013 SR 7.1, SR 7.2
· ISO/IEC 27001:2013 A.12.1.3, A.17.2.1
· NIST SP 800-53 Rev. 4 AU-4, CP-2, SC-5
Target Score: 1.0

Informative References:
· CIS CSC 13
· COBIT 5 APO01.06, DSS05.04, DSS05.07, DSS06.02
· ISA 62443-3-3:2013 SR 5.2
· ISO/IEC 27001:2013 A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3
· NIST SP 800-53 Rev. 4 AC-4, AC-5, AC-6, PE-19, PS-3, PS-6, SC-7, SC-8, SC-13, SC-31, SI-4
Target Score: 1.0

Informative References:
· CIS CSC 2, 3
· COBIT 5 APO01.06, BAI06.01, DSS06.02
· ISA 62443-3-3:2013 SR 3.1, SR 3.3, SR 3.4, SR 3.8
· ISO/IEC 27001:2013 A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4
· NIST SP 800-53 Rev. 4 SC-16, SI-7
Target Score: 1.0

Informative References:
· CIS CSC 18, 20
· COBIT 5 BAI03.08, BAI07.04
· ISO/IEC 27001:2013 A.12.1.4
· NIST SP 800-53 Rev. 4 CM-2
Target Score: 1.0

Informative References:
· COBIT 5 BAI03.05
· ISA 62443-2-1:2009 4.3.4.4.4
· ISO/IEC 27001:2013 A.11.2.4
· NIST SP 800-53 Rev. 4 SA-10, SI-7
Target Score: 1.0

Informative References:
· CIS CSC 3, 9, 11
· COBIT 5 BAI10.01, BAI10.02, BAI10.03, BAI10.05
· ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3
· ISA 62443-3-3:2013 SR 7.6
· ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
· NIST SP 800-53 Rev. 4 CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10
Target Score: 3.0

Informative References:
· CIS CSC 18
· COBIT 5 APO13.01, BAI03.01, BAI03.02, BAI03.03
· ISA 62443-2-1:2009 4.3.4.3.3
· ISO/IEC 27001:2013 A.6.1.5, A.14.1.1, A.14.2.1, A.14.2.5
· NIST SP 800-53 Rev. 4 PL-8, SA-3, SA-4, SA-8, SA-10, SA-11, SA-12, SA-15, SA-17, SI-12, SI-13, SI-14, SI-16, SI-17
Target Score: 3.0

Informative References:
· CIS CSC 3, 11
· COBIT 5 BAI01.06, BAI06.01
· ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3
· ISA 62443-3-3:2013 SR 7.6
· ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
· NIST SP 800-53 Rev. 4 CM-3, CM-4, SA-10
Target Score: 3.0

Informative References:
· CIS CSC 10
· COBIT 5 APO13.01, DSS01.01, DSS04.07
· ISA 62443-2-1:2009 4.3.4.3.9
· ISA 62443-3-3:2013 SR 7.3, SR 7.4
Target Score: 3.0

Informative References:
· COBIT 5 APO12.06
· ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.10
· ISO/IEC 27001:2013 A.12.2.1, A.16.1.5
· NIST SP 800-53 Rev. 4 IR-4
Target Score: 3.0

Informative References:
· CIS CSC 4
· COBIT 5 APO12.06
· ISO/IEC 27001:2013 A.12.6.1
· NIST SP 800-53 Rev. 4 CA-7, RA-3, RA-5
Target Score: 3.0

Informative References:
· COBIT 5 BAI01.13
· ISA 62443-2-1:2009 4.3.4.5.10, 4.4.3.4
· ISO/IEC 27001:2013 A.16.1.6, Clause 10
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
Target Score: 4.0

Informative References:
· COBIT 5 BAI01.13, DSS04.08
· ISO/IEC 27001:2013 A.16.1.6, Clause 10
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
Target Score: 4.0

Informative References:
· CIS CSC 10
· COBIT 5 APO12.06, DSS02.05, DSS03.04
· ISO/IEC 27001:2013 A.16.1.5
· NIST SP 800-53 Rev. 4 CP-10, IR-4, IR-8
Target Score: 5.0

Informative References:
· COBIT 5 APO12.06, BAI05.07, DSS04.08
· ISA 62443-2-1:2009 4.4.3.4
· ISO/IEC 27001:2013 A.16.1.6, Clause 10
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
Target Score: 1.0

Informative References:
· COBIT 5 APO12.06, BAI07.08
· ISO/IEC 27001:2013 A.16.1.6, Clause 10
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
Target Score: 1.0

Informative References:
· COBIT 5 EDM03.02
· ISO/IEC 27001:2013 A.6.1.4, Clause 7.4
Target Score: 3.0

Informative References:
· COBIT 5 MEA03.02
· ISO/IEC 27001:2013 Clause 7.4
Target Score: 3.0

Informative References:
· COBIT 5 APO12.06
· ISO/IEC 27001:2013 Clause 7.4
· NIST SP 800-53 Rev. 4 CP-2, IR-4
Target Score: 3.0
Practice Maturity column (sample values from the ‘NIST CSF Details’ tab, one per subcategory row, in row order; row labels were not extracted): 2.0 ×6, 1.0 ×5, 3.0 ×4, 4.0 ×7, 2.0 ×3, 3.0 ×6, 1.0 ×8, 3.0 ×14, 1.0 ×13, 4.0 ×3, 2.0 ×5, 5.0 ×6, 2.0 ×9, 3.0 ×5, 1.0 ×1, 4.0 ×6, 5.0 ×5, 2.0 ×6, 3.0 ×6 (118 values).
NIST Privacy Framework Summary (sample values)

NIST Privacy 1.0 Categories          Target Score   Policy Score   Practice Score
Overall                              3.00           3.17           2.83
Inventory and Mapping (ID.IM-P)      3.00           5.00           1.00
Business Environment (ID.BE-P)       (values not extracted)

Other labels visible on the privacy summary chart (values not extracted): IDENTIFY-P; Risk Assessment (ID.RA-P); Monitoring and Review (GV.MT-P); Data Processing Policies, Processes, and Procedures (CT.PO-P); Data Processing Management (CT.DM-P). Chart legend: Target Score, Policy Score, Practice Score.

Maturity Levels: 5 - Optimal; 4 - Managed; 3 - Defined; 2 - Acknowledged; 1 - Initial; 0 - Non-existent
NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management, Version 1.0 Core

NIST Privacy Framework Core
Columns: Function | Category | Subcategory | Policy Score | Practice Score

Shading Key:
* The Function, Category, or Subcategory aligns with the Cybersecurity Framework, but the text has been adapted for the Privacy Framework.
* The Category or Subcategory is identical to the Cybersecurity Framework.

Function: IDENTIFY-P (ID-P): Develop the organizational understanding to manage privacy risk for individuals arising from data processing.

Category: Inventory and Mapping (ID.IM-P): Data processing by systems, products, or services is understood and informs the management of privacy risk.

Subcategory                                                                     Policy Score   Practice Score
ID.IM-P1: Systems/products/services that process data are inventoried.         5.0            1.0
ID.IM-P5: The purposes for the data actions are inventoried.                   5.0            1.0
ID.IM-P6: Data elements within the data actions are inventoried.               5.0            1.0
ID.IM-P7: The data processing environment is identified (e.g., geographic location, internal, cloud, third parties).   5.0   1.0
ID.IM-P8: Data processing is mapped, illustrating the data actions and associated data elements for systems/products/services, including components; roles of the component owners/operators; and interactions of individuals or third parties with the systems/products/services.   5.0   1.0

Category: Identity Management, Authentication, and Access Control (PR.AC-P): Access to data and devices is limited to authorized individuals, processes, and devices, and is managed consistent with the assessed risk of unauthorized access.