
In my previous post, ‘My Three Wishes for 2019’, I had wished that we all find a way to give back to the industry, even a little bit. In an effort to fulfill that desire, I wanted to share a simple, but effective tool I’ve used, in various forms, for many years. The NIST CSF Maturity Tool is a fairly straightforward spreadsheet used to assess your security program against the 2018 NIST Cybersecurity Framework (CSF).

This spreadsheet has evolved over the many years since I first put it together as a consultant. It originally started out as a way to measure firms against NIST 800-53 and BS 7799. These days, as the CSF is the only one of these standards that is freely available, the tool has morphed once again.

While the CSF has become a de facto standard in the US, it closely relates to many of the other international standards such as ISO 27000 and COBIT. That said, many also treat it like a checklist, going through the requirements and answering ‘yes/no’ to each one. As we all know, nothing we do is that clear cut, so a means to measure the effectiveness of each control is needed; hence the creation of this tool.

Policies vs. Practices

You will notice that the tool measures programs on two fronts – Policies and Practices. The reasoning for this is simple, yet very powerful. In all of the assessments and audits I’ve done or been put through, there is a common occurrence I’ve noticed that leads to overstating a program’s true level of maturity. When asked the questions in the CSF (or ISO 27000, COBIT, or any other standard), people will typically answer with a response that aligns as closely to the written policies as they can, rather than to what actually happens day to day. For a CISO, having a false sense of where your program actually lies can result in not just failed audits, but significant hidden risks that could cause issues at any time. Fundamentally, it is far more important to understand what is occurring in your environment than what some piece of paper says should occur.

In an effort to separate what should be done from what is being done, the tool allows you to capture both aspects of each control.

  • Policy Maturity: The Policy Maturity evaluation measures how well your written policy satisfies the requirements of the CSF. It provides clear delineation around the levels of policy maturity that generally align with industry best practices.
  • Practice Maturity: The Practice Maturity evaluation attempts to assess how mature your actual operational practices are in relation to the CSF. This is where it is critical to be completely honest when answering the assessment questions.

I encourage you to review the Maturity Levels tab in the sheet and adjust to better fit your company/industry/program. The requirements of each level are generally around best practices, but obviously, that doesn’t fit every situation.
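To make the two-front scoring concrete, here is a small added example (not part of the original post or the spreadsheet) that scores constructed assessment rows on both fronts, rolls them up per CSF function, and flags the controls where written policy runs ahead of practice. It assumes a 0-5 maturity scale and a gap of two levels as the flag threshold; both are assumptions, since the sheet’s own levels live in its Maturity Levels tab.

```python
# Added example, not code from the original post or the spreadsheet.
# Assumed: a 0-5 maturity scale (the sheet's own levels may differ).
from collections import defaultdict
from statistics import mean

# Constructed sample rows: (CSF subcategory, policy maturity, practice maturity)
SAMPLE_ASSESSMENT = [
    ("ID.AM-1", 4, 2),   # asset inventory: policy written, practice lags
    ("ID.AM-2", 4, 4),
    ("PR.AC-1", 5, 2),   # identity and credential management
    ("PR.DS-1", 3, 3),
    ("DE.CM-1", 3, 1),   # network monitoring
    ("RS.RP-1", 2, 2),
    ("RC.RP-1", 2, 0),
]

def function_of(subcategory):
    """The CSF function is the prefix before the first '.', e.g. 'PR.AC-1' -> 'PR'."""
    return subcategory.split(".", 1)[0]

def rollup(rows):
    """Average policy and practice maturity per CSF function, plus the gap."""
    by_function = defaultdict(list)
    for subcat, policy, practice in rows:
        by_function[function_of(subcat)].append((policy, practice))
    result = {}
    for fn, pairs in by_function.items():
        pol = mean(p for p, _ in pairs)
        prac = mean(q for _, q in pairs)
        result[fn] = {"policy": pol, "practice": prac, "gap": pol - prac}
    return result

def hidden_risks(rows, threshold=2):
    """Controls where written policy outruns practice by at least `threshold` levels.

    These are exactly the controls a policy-only answer would overstate, so
    they are where the hidden risk the post describes tends to sit.
    """
    return [s for s, policy, practice in rows if policy - practice >= threshold]

if __name__ == "__main__":
    for fn, scores in sorted(rollup(SAMPLE_ASSESSMENT).items()):
        print(f"{fn}: policy={scores['policy']} practice={scores['practice']} gap={scores['gap']}")
    print("policy outruns practice:", hidden_risks(SAMPLE_ASSESSMENT))
```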

And finally, this is in no way intended to infringe upon any work the good folks over at NIST have done. All of the questions and associated information on the ‘NIST CSF Details’ tab are entirely owned by NIST.

Copyright © 2002-2019 John Masserini. All rights reserved.

Comments (3)

  1. Eugene Davydov


    Thank you for sharing the NIST CSF Maturity Tool with the broader community, John.

    Until now, many of us have been using the rudimentary CIS Top 20 template, which was sorely missing the automation and visualization components found in your template.

    Also, the categorization and cross-referencing features are particularly useful.

    Thanks again!
