
In my previous post, ‘My Three Wishes for 2019’, I had wished that we all find a way to give back to the industry, even a little bit. In an effort to fulfill that desire, I wanted to share a simple, but effective, tool I’ve used in various forms for many years. The NIST CSF Maturity Tool is a fairly straightforward spreadsheet used to assess your security program against the 2018 NIST Cybersecurity Framework (CSF).

This spreadsheet has evolved over the many years since I first put it together as a consultant. It had originally started out as a way to measure firms against NIST 800-53 and BS 7799. These days, as the CSF is the only set of standards that are freely available, the tool has morphed once again.

While the CSF has become a de facto standard in the US, it closely relates to many of the other international standards such as ISO 27000 and COBIT. That said, many also treat it like a checklist, going through the requirements and answering ‘yes/no’ to each one. As we all know, nothing we do is that clear cut, so a means to measure the effectiveness of each control is needed; hence the creation of this tool.

Policies vs. Practices

You will notice that the tool measures programs on two fronts – Policies and Practices. The reasoning for this is simple, yet very powerful. In all of the assessments and audits I’ve done or been put through, there is a common occurrence I’ve noticed that leads to overstating a program’s true level of maturity. When asked the questions in the CSF (or ISO 27000, COBIT, or any other standard), people will typically answer with a response that aligns as closely to the written policies as they can, rather than to what is actually done. As a CISO, having a false sense of where your program actually lies can result in not just failed audits, but significant hidden risks that could cause issues at any time. Fundamentally, it is far more important to understand what is occurring in your environment than what some piece of paper says should occur.

In an effort to separate what should be done from what is being done, the tool allows you to capture both aspects of each control.

  • Policy Maturity: The Policy Maturity evaluation measures how well your written policy satisfies the requirements of the CSF. It provides clear delineation around the levels of policy maturity that generally align with industry best practices.
  • Practice Maturity: The Practice Maturity evaluation assesses how mature your actual operational practices are in relation to the CSF. This is where it is critical to be completely honest when answering the assessment questions.

I encourage you to review the Maturity Levels tab in the sheet and adjust them to better fit your company/industry/program. The requirements of each level are generally around best practices, but obviously, that doesn’t fit every situation.
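To make the two-axis idea concrete, here is a small scorer, added as an example and not the author's spreadsheet. It assumes a CMM-style 1 to 5 maturity scale (the post says the levels are adjustable, so treat the scale as an assumption), groups controls by the five CSF functions, and, separately from the per-function averages, lists the controls where written policy outruns operational practice, which is exactly the "false sense of maturity" the post warns about. The subcategory IDs and scores are constructed sample data, not a real assessment.

```python
"""Two-axis (policy vs. practice) maturity scoring over CSF-style controls.

Added example, not the author's tool. Assumes a CMM-style 1..5 scale;
the control IDs and scores below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed CMM-style scale; the post's Maturity Levels tab may define these differently.
LEVELS = {1: "Initial", 2: "Repeatable", 3: "Defined", 4: "Managed", 5: "Optimizing"}


@dataclass(frozen=True)
class ControlScore:
    control: str   # CSF subcategory id, e.g. "PR.AC-1"
    function: str  # Identify / Protect / Detect / Respond / Recover
    policy: int    # how well the written policy satisfies the requirement
    practice: int  # how mature the operational practice actually is


def validate(score: ControlScore) -> None:
    """Reject scores outside the assumed 1..5 scale so bad input cannot skew averages."""
    for name, value in (("policy", score.policy), ("practice", score.practice)):
        if value not in LEVELS:
            raise ValueError(f"{score.control}: {name} level {value} not in {sorted(LEVELS)}")


def function_averages(scores):
    """Average policy and practice maturity per CSF function, kept as two separate numbers."""
    buckets = defaultdict(list)
    for s in scores:
        validate(s)
        buckets[s.function].append(s)
    return {
        fn: {
            "policy": round(sum(s.policy for s in ss) / len(ss), 2),
            "practice": round(sum(s.practice for s in ss) / len(ss), 2),
        }
        for fn, ss in buckets.items()
    }


def paper_gaps(scores, min_gap=1):
    """Controls where policy maturity exceeds practice maturity by at least min_gap.

    These are the places where an audit answer based on 'what the policy says'
    would overstate the program; sorted largest gap first.
    """
    gaps = [(s.control, s.policy - s.practice) for s in scores if s.policy - s.practice >= min_gap]
    return sorted(gaps, key=lambda pair: -pair[1])


# Constructed sample assessment (illustrative values only).
SAMPLE = [
    ControlScore("ID.AM-1", "Identify", policy=4, practice=2),
    ControlScore("ID.RA-1", "Identify", policy=3, practice=3),
    ControlScore("PR.AC-1", "Protect", policy=5, practice=2),
    ControlScore("PR.DS-1", "Protect", policy=3, practice=3),
    ControlScore("DE.CM-1", "Detect", policy=2, practice=3),
    ControlScore("RS.RP-1", "Respond", policy=4, practice=1),
    ControlScore("RC.RP-1", "Recover", policy=3, practice=2),
]

if __name__ == "__main__":
    for fn, avg in function_averages(SAMPLE).items():
        print(f"{fn:9s} policy={avg['policy']:.2f} ({LEVELS[round(avg['policy'])]}) "
              f"practice={avg['practice']:.2f} ({LEVELS[round(avg['practice'])]})")
    print("Policy ahead of practice:", paper_gaps(SAMPLE))
```

Note that the averages are deliberately not collapsed into a single number: a Protect function that reads 4.0 on policy and 2.5 on practice tells a CISO something a blended 3.25 would hide, and the gap list is what to take into a resourcing discussion.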

And finally, this is in no way intended to infringe upon any work the good folks over at NIST have done. All of the questions and associated information on the ‘NIST CSF Details’ tab are completely owned by NIST.

Update 18/Feb/2022: With the release of version 2.0 of the tool, the old version has been removed. Please refer to this post for the most recent updates.

Copyright © 2002-2023 John Masserini. All rights reserved.


22 thoughts on “Free NIST CSF Maturity Tool”
  1. Thank you for sharing the NIST CSF Maturity Tool with the broader community, John.

    Until now, many of us have been using the rudimentary CIS Top 20 template, which was sorely missing the automation and visualization components found in your template.

    Also, the categorization and cross-referencing features are particularly useful.

    Thanks again!

  2. Thanks very much for sharing this tool. It is much better than the NCSR, which is too policy-focused. Ultimately, policy is only important to the extent that it promotes and enforces good practice. Scoring policy and practice separately is brilliant. I hope the feds adopt your model for the NCSR in the future.

  3. Thank you! This is the best tool for lobbying for InfoSec resources. Any chance you would share the passwd for the NIST CSF Details tab?


  4. Thank you for a great tool. I am wondering also if there is any chance you would share the passwd for the NIST CSF Details tab?

  5. John,
    Thanks for this terrific tool! As a virtual CISO, I’ve also pressed the case that policy and practice should be measured separately. In less mature companies, I’m inclined to press practice first (documented with standards) to protect IP and employee (or personal) data, and to learn what’s both practical and effective before formalizing into policy. This tool should help build maturity without the false sense offered by policies.

  6. Thank you for sharing. I’m wondering why you use “Maturity Level” when the CSF uses “Tiers” and they seem to want to stay away from maturity levels with the CSF?

    1. As I mentioned in the original post, this worksheet predates the CSF and was originally developed to measure the maturity of a program against NIST 800-53 and BS 7799. When we first used the CSF in its native form, we could not associate the CSF tiers with the industry-standard SEI-CMM maturity levels that were already in place. This worksheet allows us to easily map our security posture to the rest of the enterprise risk management program that is based on maturity levels.

  7. This is an interesting tool, any chance you’re updating it for rev 5 of SP800-53? My org is going to be assessing and adopting the latest rev and this looks like a great visualization tool.

    1. Hi Brian: An update is already in the works for some other features, but I can see what it will take to get Rev5 in as well. Reach out via email and I can provide an update.

  8. Hi John – Great work in visualising the various categories – will certainly help prioritise resource and funding for my clients. I look forward to your efforts on the rev 5 of SP800-53.
    Best Regards, Andy

  9. That’s awesome! Thanks for sharing this incredible tool.
    Would you mind sharing the password to unprotect the spreadsheet against change? As a way to follow up on the items, I’d like to mark some of the lines, and I’m not able to do it at the moment.

    Thanks again for putting all this information together.

  10. This is great. Looking forward to the rev5 changes in your template.
    Btw, when I click ‘enable editing’, the CSF Summary page links do not link to the NIST CSF Details page. Is this the default way it works or can this be fixed in your next version of the template? Thank you.


Chronicles of a CISO