Summary CSF Scores

3.3

3.0 3.0
2.8
2.7 2.6
2.3 2.3
2.2 2.2 2.2
2.0 2.0
1.8

1.3

0.8

0.3

Identify Protect Detect Recover Respond

Maturity 2.0 2.2 2.2 2.0 2.2
Target 3.0 2.3 3.0 2.7 2.6

This chart isn't available in your version of Excel.

Editing this shape or saving this workbook into a different file format will
permanently break the chart.
 NIST CSF Scores Breakdown
Current Maturity Target

Asset Mgmt Bus. Environment

Improvements Governance
2.7 2.6 4.0
Mitigation Risk Ass
2.2
0 Analysis Ri

Communications
2.0

Response Planning

Recover Respond 0.0

2.0 2.2
2.7 2.6
Communications

Improvements

ormat will Recovery Planning Inf

Maintenc

Detection Processes Protective Tech

Continuous Monitoring
Anomalies and Events
 res Breakdown
turity Target

Mgmt Bus. Environment

Governance
4.0
Risk Assessment

Risk Mgmt. Strategy

Supply Chain RM
2.0

0.0 Identity Mgt

Awareness and Training

Data Security

Info Protection

Maintence

Protective Tech
and Events
Asset Management (ID.AM)
ID.AM-1: Physical devices and systems within the organization are inventoried
ID.AM-2: Software platforms and applications within the organization are inventoried
ID.AM-3: Organizational communication and data flows are mapped
ID.AM-4: External information systems are catalogued
ID.AM-5: Resources (e.g., hardware, devices, data, time, and software) are prioritized based on their classification,
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., supplier
Business Environment (ID.BE)
ID.BE-1: The organization’s role in the supply chain is identified and communicated
ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
ID.BE-4: Dependencies and critical functions for delivery of critical services are established
ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g.
Governance (ID.GV)
ID.GV-1: Organizational information security policy is established
ID.GV-2: Information security roles & responsibilities are coordinated and aligned with internal roles and external pa
ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations,
ID.GV-4: Governance and risk management processes address cybersecurity risks
Risk Assessment (ID.RA)
ID.RA-1: Asset vulnerabilities are identified and documented
ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources
ID.RA-3: Threats, both internal and external, are identified and documented
ID.RA-4: Potential business impacts and likelihoods are identified
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
ID.RA-6: Risk responses are identified and prioritized
Risk Management Strategy (ID.RA)
ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
ID.RM-2: Organizational risk tolerance is determined and clearly expressed
ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector
Supply Chain Management (ID.SC)
ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agre
ID.SC-2: Identify, prioritize and assess suppliers and third-party partners of information systems, components and s
ID.SC-3: Suppliers and 3rd-party partners are required by contract to implement appropriate measures designed to
Chain Risk Management Plan
ID.SC-4: Suppliers and 3rd-party partners are routinely assessed to confirm that they are meeting their contractual o
equivalent evaluations of suppliers/providers are conducted
ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers
Current Maturity Target Maturity Summary Average
1
2
2
2
3 1.7
2
1
Current Maturity Target Maturity Summary Average
0
2
3 3 1.4
2
0
Current Maturity Target Maturity Summary Average
3
4
2
3 2.5
1
Current Maturity Target Maturity Summary Average
3
3
3
3
3 2.3
1
1
Current Maturity Target Maturity Summary Average
1
1 3 1.0
1
Current Maturity Target Maturity Summary Average
3
3

3
3 3.0
3

Total Average 2.0

Target Average 3.0
Asset Management (PR.AC)
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, use
PR.AC-2: Physical access to assets is managed and protected
PR.AC-3: Remote access is managed
PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and se
PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate
PR.AC-6: Identities are proofed and bound to credentials, and asserted in interactions when appropriate
PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with th
other organizational risks)
Awareness and Training (PR.AT)
PR.AT-1: All users are informed and trained
PR.AT-2: Privileged users understand roles and responsibilities
PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles and responsibilities
PR.AT-4: Senior executives understand roles and responsibilities
PR.AT-5: Physical and information security personnel understand roles and responsibilities
Data Security (PR.DS)
PR.DS-1: Data-at-rest is protected
PR.DS-2: Data-in-transit is protected
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
PR.DS-4: Adequate capacity to ensure availability is maintained
PR.DS-5: Protections against data leaks are implemented
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
PR.DS-7: The development and testing environment(s) are separate from the production environment
PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity
Information Protection (PR.IT)
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained inc
functionality)
PR.IP-2: A System Development Life Cycle to manage systems is implemented
PR.IP-3: Configuration change control processes are in place
PR.IP-4: Backups of information are conducted, maintained, and tested periodically
PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met
PR.IP-6: Data is destroyed according to policy
PR.IP-7: Protection processes are continuously improved
PR.IP-8: Effectiveness of protection technologies is shared with appropriate parties
PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and
PR.IP-10: Response and recovery plans are tested
PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-12: A vulnerability management plan is developed and implemented
Maintenance (PR.MA)
PR.MA-1: Maintenance and repair of organizational assets are performed and logged in a timely manner, with appro
PR.MA-2: Remote maintenance of organizational assets are approved, logged, and performed in a manner that pre
Protective Technology (PR.PT)
PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
PR.PT-2: Removable media is protected and its use restricted according to policy
PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabili
PR.PT-4: Communications and control networks are protected
PR.PT-5: Systems operate in pre-defined functional states to achieve availability (e.g. under duress, under attack, d
Current Maturity Target Maturity Summary Average
2
2
2
2
2
2 2.1
3

Current Maturity Target Maturity Summary Average

2
2
2 3 2.0
2
2
Current Maturity Target Maturity Summary Average
2
2
2
3
5
2 2.5
2
2
2
Current Maturity Target Maturity Summary Average
2

2
3
3
2
3 2 2.7
2
3
2
4
4
2
Current Maturity Target Maturity Summary Average
2
2
2 2.0
Current Maturity Target Maturity Summary Average
2
2
2 3 2.0
 3 2.0
2
2

Total Average 2.2

Target Average 2.3
Anomalies and Events (DE.AE)
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, use
PR.AC-2: Physical access to assets is managed and protected
PR.AC-3: Remote access is managed
PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and se
PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate
PR.AC-6: Identities are proofed and bound to credentials, and asserted in interactions when appropriate
PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with th
other organizational risks)
Continous Monitoring (DE.CE)
PR.AT-1: All users are informed and trained
PR.AT-2: Privileged users understand roles and responsibilities
PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles and responsibilities
PR.AT-4: Senior executives understand roles and responsibilities
PR.AT-5: Physical and information security personnel understand roles and responsibilities
Detection Process (PR.DS)
PR.DS-1: Data-at-rest is protected
PR.DS-2: Data-in-transit is protected
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
PR.DS-4: Adequate capacity to ensure availability is maintained
PR.DS-5: Protections against data leaks are implemented
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
PR.DS-7: The development and testing environment(s) are separate from the production environment
PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity
Current Maturity Target Maturity Summary Average
2
2
2
2
2
3 2.1
3

Current Maturity Target Maturity Summary Average

2
2
2 3 2.0
2
2
Current Maturity Target Maturity Summary Average
2
2
2
3
5
3 2.5
2
2
2

Total Average 2.2

Target Average 3.0
Recovery Planning (RC.RP)

RC.RP-1: Recovery plan is executed during or after a cybersecurity incident

Improvements (RC.IM)
RC.IM-1: Recovery plans incorporate lessons learned
RC.IM-2: Recovery strategies are updated
Communications (RC.CO)
RC.CO-1: Public relations are managed
RC.CO-2: Reputation after an event is repaired
RC.CO-3: Recovery activities are communicated to internal stakeholders and executive and management teams
Current Maturity Target Maturity Summary Average

2 2 2.0
Current Maturity Target Maturity Summary Average
2
2
3 2.0
Current Maturity Target Maturity Summary Average
2
2 3 2.0
2

Total Average 2.0

Target Average 2.7
Response Planning (RS.RP)
RS.RP-1: Response plan is executed during or after an incident
Communications (RS.CO)
RS.CO-1: Personnel know their roles and order of operations when a response is needed
RS.CO-2: Incidents are reported consistent with established criteria
RS.CO-3: Information is shared consistent with response plans
RS.CO-4: Coordination with stakeholders occurs consistent with response plans
RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situation
Analysis (RS.AN)
RS.AN-1: Notifications from detection systems are investigated
RS.AN-2: The impact of the incident is understood
RS.AN-3: Forensics are performed
RS.AN-4: Incidents are categorized consistent with response plans
RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization
or security researchers)
Mitigation (RS.MI)
RS.MI-1: Incidents are contained
RS.MI-2: Incidents are mitigated
RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks
Improvements (RS.IM)
RS.IM-1: Response plans incorporate lessons learned
RS.IM-2: Response strategies are updated
Current Maturity Target Maturity Summary Average
2 3 2.0
Current Maturity Target Maturity Summary Average
2
2
2 3 2.0
2
2
Current Maturity Target Maturity Summary Average
2
2
2
3
3 2.8
5

Current Maturity Target Maturity Summary Average

2
2 2 2.3
3
Current Maturity Target Maturity Summary Average
2
2
2 2.0
Total Average 2.2
Target Average 2.6
Do not change this sheet - it is used to calculate the Summary Graphs.

Maturity Target
Identify 2.0 3.0
Protect 2.2 2.3 Asset Mgmt
Detect 2.2 3.0 Bus. Environment
Recover 2.0 2.7 Governance
Respond 2.2 2.6 Risk Assessment
Risk Mgmt. Strategy
Supply Chain RM

Identity Mgt
Awareness and Training
Data Security
Info Protection
Maintence
Protective Tech

Anomalies and Events

Continuous Monitoring
Detection Processes

Recovery Planning
Improvements
Communications

Response Planning
Communications
Analysis
Mitigation
Improvements
Current Maturity Target

1.7 3.0
1.4 3.0
2.5 3.0
2.3 3.0
1.0 3.0
3.0 3.0

2.1 2.0
2.0 3.0
2.5 2.0
2.7 2.0
2.0 2.0
2.0 3.0

2.1 3.0
2.0 3.0
2.5 3.0

2.0 2.0
2.0 3.0
2.0 3.0

2.0 3.0
2.0 3.0
2.8 3.0
2.3 2.0
2.0 2.0