SentiCon Security edited this page Feb 21, 2025 · 8 revisions

Welcome to the NIST CSF Tool wiki!

CSF_2.0_Radar

NIST-CSF2 0-Summary


This worksheet is the culmination of over a decade of measuring the maturity of various security programs. The current iteration is based on the NIST Cybersecurity Framework (CSF) v2.0 (February 2024), with maturity levels added for both policy and practice.

  • Policy Maturity: How well do your corporate policies, procedures, standards, and guidelines satisfy the NIST CSF requirements?
  • Practice Maturity: How well do your actual operational practices satisfy the NIST CSF requirements regardless of what your policies & standards say?

The goal of the Maturity Level descriptions is to provide some guidance around what good practices look like. If, for example, you believe that a 5% policy exception rate is too high for a Level 3 maturity, feel free to change it to better suit your needs.

Finally, this is in no way intended to infringe upon any work the good folks over at NIST have done. All of the questions and associated information on the ‘NIST CSF Details’ tab are completely owned by NIST. Certain cells are protected so the user doesn't accidentally overwrite a formula.

I hope you find this useful.


Notice of License and Ownership

All of the resources on this page are wholly owned by their respective authors and protected under Creative Commons International licenses.

This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License. By downloading any of these resources, you acknowledge that you may not use them directly, or any derivative of them, in any commercial aspect, including consulting or software development. Security professionals are free to use and modify these files to assess their own enterprise infrastructures.


SentiCon Disclaimer

The NIST CSF Maturity Toolkit is provided "as is," without any warranties or guarantees of any kind, express or implied, including but not limited to warranties of merchantability, fitness for a particular purpose, and non-infringement. The developers and contributors shall not be liable for any claims, damages, or other liabilities arising from the use, misuse, or inability to use this software. Users assume all risks associated with its use and are responsible for compliance with any applicable laws and regulations.
