DMS | NIST CSF 2.0 Assessment

Section tracker

Click any section below to preview or revisit your answers.

How to Use About NIST CSF

1. Organization Profile

Tell us about your organization.

Organization Name *

Contact Email *

Industry *

Describe your industry *

Share a short description so we can tailor recommendations.

Employee Headcount *

Number of Locations *

Data Types Handled *

Personally Identifiable Information (PII) Names, addresses, IDs, or any data that can single out an individual.

Protected Health Information (PHI/HIPAA) Medical and patient data regulated by HIPAA privacy and security rules.

Payment Card Information (PCI-DSS) Credit/debit card numbers and related data governed by PCI-DSS.

Proprietary Business Data Trade secrets, product roadmaps, pricing, or internal strategies.

Other Sensitive Data Anything else your organization classifies as sensitive or restricted.

Applicable Compliance Frameworks *

NIST Cybersecurity Framework 2.0 U.S. National Institute of Standards guidance for managing cyber risk.

HIPAA Health Insurance Portability and Accountability Act for safeguarding patient data.

PCI-DSS Industry standard that sets controls for accepting or processing card payments.

GDPR European Union privacy regulation covering personal data collection and use.

SOC 2 Independent audit attesting to service organization security and availability controls.

ISO 27001 International standard for operating an information security management system.

None applicable No specific compliance frameworks currently apply to your organization.

Business Context Quick narrative so the assessment aligns with reality

Business overview *

2-4 sentences describing what you deliver, to whom, and scale.

Mission-critical processes *

List the processes or services that must stay online.

Business model *

B2B B2C SaaS / Subscription Services / Consulting Other

Describe your business model *

Customer base size *

Approximate number of active customers or typical range.

Revenue band *

Key industries served

Press Enter after each industry to add a chip.

Competitive landscape / differentiators

Technical Architecture Helps calibrate control expectations

Cloud platforms in scope

Matches how workloads are deployed today.

AWS Microsoft Azure Google Cloud Platform Other

Other cloud details

Primary workload types

Web apps / Portals APIs / Integrations Data pipelines / Analytics Desktop / Legacy software Mobile applications Off-the-shelf software only

Network segmentation?Dividing your network into separate zones so that a breach in one area cannot easily spread to others. Like having locked doors between departments.

Do you separate prod/dev/test networks? Is OT isolated from corporate IT?

Segmentation is marked flat while ransomware controls include segmentation. Align the answers or add context.

Add context (optional)

Application inventory summary

Client Data Lifecycle Track where client data lives across stages

Check all that apply; add brief systems for each stage (e.g., Store = S3; Dispose = policy + tool).

Receive

Primary systems/location

Store

Primary systems/location

Process

Primary systems/location

Transmit

Primary systems/location

Share with vendors

Primary systems/location

2. Infrastructure & Technology

Understand your IT environment.

IT Model *?How your organization manages its technology infrastructure. In-house means your own staff; MSP means an outside company handles it; Co-managed combines both.

In-house IT Managed Service Provider (MSP) Hybrid

Cloud Platforms Used *?Cloud services where you store data or run applications. Each platform has its own security features and responsibilities you must manage.

AWS Microsoft 365 / Azure Google Cloud Platform Other (specify below) None - On-premise only

Cloud platforms here don't line up with the Technical Architecture list. Double-check both before proceeding.

If other cloud platforms, please specify:

Number of Endpoints *?Devices that connect to your network, such as laptops, desktops, tablets, and smartphones. Each endpoint is a potential entry point for attackers.

Heads-up: headcount looks low compared to endpoints. Double-check both before continuing.

Give brief endpoint context (shared devices, kiosks, contractors, BYOD, etc.)

Since endpoints per headcount is high, add quick context to validate the count.

Number of Servers/VMs *?Physical servers and virtual machines (VMs) that run your applications and store data. Include both on-premises and cloud-hosted servers.

Remote Work Model *?Whether employees work from the office, home, or both. Remote work requires additional security controls to protect data outside the office network.

No remote work Hybrid Fully remote

Mobile device management (MDM) *

Indicate how mobile devices (laptops, tablets, phones) are onboarded and controlled.

No formal MDM Partial (limited enrollment or capabilities) Enforced for corporate devices Enforced for corporate + BYOD (containerization) Not applicable (no mobile devices)

Standardized device enrollment Remote wipe / lock App whitelisting / managed app store Compliance policies (encryption, OS version checks) Not applicable

Additional infrastructure context (optional)

3. Access & Authentication

How do you manage user access?

Authentication Methods Used *?How users prove their identity when logging into your systems. Stronger methods like MFA and SSO reduce the risk of unauthorized access.

Single Sign-On (SSO) Centralized login so users authenticate once for many applications.

Multi-Factor Authentication (MFA) Requires two or more factors (e.g., password + app code) to verify users.

LDAP / Active Directory Traditional directory services for centrally managing user accounts.

Local accounts only Users authenticate directly to each system without centralized controls.

Select all that apply

MFA Adoption Rate *?Multi-Factor Authentication requires users to verify their identity with two or more methods (e.g., password plus a code from their phone). Higher adoption means stronger protection against stolen passwords.

Estimate what percentage of your workforce must use MFA across key systems.

Not Implemented (0%) Limited (1-25%) Partial (26-75%) Universal (90-100%)

MFA adoption looks universal, but authentication methods don’t list MFA. Confirm both inputs match.

Privileged Access Management (PAM) *?Processes and tools that secure and monitor administrator and other high-privilege accounts.

Not in place Ad-hoc / Manual Tool-based (e.g., Okta, CyberArk)

Role-Based Access Control (RBAC) *?Grants permissions based on predefined job roles rather than individual users.

No formalized access control Manual / Documented roles Automated / Policy-enforced

Access Reviews *?Periodic audits where managers verify that employees still need the system access they have. Helps remove access from people who changed roles or left the company.

Never / Not tracked Annually Semi-annually Quarterly or more

Identity Lifecycle Management Deep dive on joiner/mover/leaver, privileged accounts, and federation

JML process maturity ? How standardized the joiner/mover/leaver (JML) process is between HR, IT, and security.

Deprovisioning SLA

Service accounts inventory ? How well non-human/service accounts are cataloged and governed.

None Partial Complete

Service account coverage is limited but logging/EDR is marked complete. Confirm inventories or monitoring scope.

Service account owner model

Privileged accounts inventory

None Partial Complete

Privileged review cadence

Break-glass accounts defined? ? Indicates whether emergency “break-glass” administrator accounts exist for crisis use.

Yes No

Break-glass controls ? Safeguards that govern how emergency accounts are stored, monitored, and reviewed.

Sealed credentials Exception logging Post-use review 24h rotation

Break-glass accounts are defined but no controls are selected. Document safeguards or adjust status.

Password minimum length

Password complexity requirements

Uppercase Lowercase Number Special character

Password reuse history (counts remembered)

Password rotation policy ? Describe if passwords rotate only after compromise or on a fixed schedule.

Federation used??Identity federation lets users log in once with a trusted provider (like Google or Microsoft) to access multiple applications, eliminating separate passwords for each system.

Yes No

Federation standards ? Protocols used for identity federation and provisioning across apps.

Federation controls

IdP MFA enforced Device posture checks Just-in-time provisioning Attribute-based access control (ABAC)

Federation notes

Additional access & authentication context (optional)

4. Asset Management & Data

How do you track and protect critical assets?

Asset Inventory *?A catalog of all hardware, software, and data your organization owns or manages. You cannot protect what you do not know you have.

No formal inventory Informal / Partial (spreadsheets) Automated tool (CMDB, asset mgmt) Fully maintained & updated

Criticality modeling is established but coverage is only 0-25% while asset inventory is complete. Reconcile scope or add context.

Data Classification *?Labeling data by sensitivity level (e.g., Public, Internal, Confidential, Restricted) so employees know how to handle it and systems can enforce appropriate protections.

No program Ad-hoc (inconsistent) Formal policy Automated enforcement (DLP, metadata)

Data Encryption *?Scrambling data so only authorized parties with the correct key can read it. Protects information if devices are lost or stolen.

No encryption Partial (some systems) Required for sensitive data Universal encryption

Data Retention Policy *

No policy Informal / Ad-hoc Documented policy Enforced & monitored

Encryption key management practices

Select the safeguards that govern how encryption keys are generated, stored, rotated, and retired.

Documented key generation procedures Secure key storage (HSM / key vault) Defined key rotation schedule Key escrow / backup with separation of duties Key revocation & destruction procedures Not applicable (no managed encryption keys)

Removable media controls

Identify how portable storage (USB drives, external disks) is governed.

Usage prohibited or tightly restricted Encryption required on approved devices Auto-run / autoplay disabled Logging & approval workflow Not applicable (no removable media use)

Additional asset & data context (optional)

5. Vulnerability & Patch Management

Identify and remediate weaknesses.

Vulnerability Scanning *?Automated tools that check your systems for known security weaknesses, like unlocked doors in a building inspection.

No scanning / Ad-hoc Annually Quarterly Continuous / Monthly

Patch Management *?The process of applying software updates that fix security vulnerabilities. Delays in patching leave known weaknesses open to attackers.

Ad-hoc / No process Quarterly or slower Monthly Automated / Rapid (days)

Penetration Testing *?Hiring ethical hackers to simulate real attacks against your systems to find vulnerabilities before criminals do.

Never Rarely Annually Multiple per year

Vulnerability Remediation *?How you track and fix security weaknesses once they are discovered. Formal tracking ensures nothing falls through the cracks.

No formal tracking Manual (spreadsheets) Tool-based (SIEM/ticketing) Formal SLAs & escalation

Additional vulnerability & patch context (optional)

6. Monitoring & Detection

How do you detect/respond to threats?

Logging & Monitoring *?Recording system activities and watching for suspicious behavior. Like security cameras and alarm systems for your IT environment.

No centralized logging Each system keeps its own logs without aggregation or correlation.

SIEM (Splunk/ELK/Sumo) Security Information and Event Management centralizes logs for analytics.

SOC / 24×7 monitoring Dedicated analysts watch alerts continuously, in-house or outsourced.

Managed Detection & Response Third-party service that hunts, triages, and contains threats on your behalf.

Log Retention *

Not retained ≤ 30 days 90 days ≥ 1 year

Intrusion Detection/Prevention *

Not in place Partial Comprehensive

Endpoint Detection & Response (EDR) *?Security tools on laptops and servers that detect, investigate, and contain malicious activity.

EDR agents watch endpoints for malicious behavior and enable rapid containment.

Not in place Partial Full (24×7)

Alert Response Time *

Not monitored Hours to days < 1 hour Real-time (minutes)

Security Operations Details Capture how day-to-day monitoring and response run

Threat intelligence sources

Security tool stack

Alert triage process

Mean time to detect/respond metrics

Detection & Monitoring Enhancements SIEM usage, behavioral baselines, and incident criteria

SIEM in use? ? Security Information and Event Management (SIEM) platform aggregating and correlating logs.

A SIEM ingests logs from many systems so you can correlate events and alert on threats.

Yes No

A SIEM is not in use despite broad log/EDR coverage. Consider centralized monitoring.

SIEM use cases ? Examples: MFA anomalies, admin role changes, egress spikes.

Behavioral baseline defined? ? Indicates if “normal” activity is profiled for alerting (UEBA/EDR baselines).

Yes No

Detection tools are deployed but behavioral baselines are not defined. Document scope or capabilities.

Baseline scope

Authentication Network Process / behavior Data egress Cloud API Email

Threat intel feeds?Subscriptions or memberships that provide early warning about new cyber threats, vulnerabilities, and attack techniques targeting your industry.

Incident declaration criteria ? Severity thresholds or triggers used to declare a cybersecurity incident.

Additional monitoring & detection context (optional)

7. Backup & Recovery

Recover from data loss or ransomware.

Backup Solution *?How you create copies of important data and systems so you can restore them if the originals are lost, corrupted, or encrypted by ransomware.

No formal backups Manual / Ad-hoc Automated (untested) Managed (regularly tested)

Backup Testing Frequency *?How often you verify that backups actually work by restoring them. Untested backups may fail when you need them most.

Never Annually Semi-annually Quarterly or more

Backup Location *?Where backup copies are stored. Off-site or cloud backups protect against disasters that could destroy both your primary systems and local backups.

Local only (same facility) Off-site / Secondary Cloud storage

Recovery Time Objective (RTO) *?Maximum acceptable downtime for a critical service after a disruption.

Auto-filled from Section 1; RTO is the maximum downtime your business can tolerate.

Recovery Point Objective (RPO) *?Maximum acceptable data loss measured by time between backups or replicas.

Auto-filled from Section 1; RPO is the maximum acceptable data loss window.

Ransomware Prevention *?Measures to prevent or limit damage from ransomware attacks, which encrypt your files and demand payment. Multiple layers of protection work together.

Immutable/air-gapped backups Network segmentation

EDR / Behavior monitoring Endpoint tools look for suspicious encryption spikes or known ransomware patterns.

Ransomware IR plan

Additional backup & recovery context (optional)

8. Incident Response & Breach History

Detect, respond, and learn from incidents.

Incident Response Plan *?A documented playbook describing how your organization will detect, contain, and recover from security incidents like data breaches or ransomware attacks.

No IR plan Draft / Informal Formal, documented Tested & maintained

Incident Response Testing *?Practicing your incident response plan through drills or simulations to ensure the team knows what to do when a real incident occurs.

Never Rarely (once yearly) Regular (multiple per year) Continuous / Quarterly

IR testing cadence suggests a plan exists. Confirm plan status or adjust the response cadence.

Incident Response Team *?The people responsible for managing security incidents. Can be internal staff, external specialists (CIRT), or a combination.

No dedicated team Informal roles Formal team External CIRT retained

Previous Security Incidents/Breaches *

None known Minor incidents Significant incident Major breach

Incident Response Program Details Deeper insight into response standards and readiness

Incident classification schema

Notification requirements & timelines

Forensics capabilities

Lessons learned process

Tabletop exercise frequency?Discussion-based practice sessions where the team walks through a hypothetical incident scenario to test decision-making and identify gaps in the response plan.

Communications & External Relations Outline who is notified internally and externally during incidents

Internal communications chain

External stakeholders to notify

Media handling procedure? ? Documented steps for interacting with press or public statements.

Yes No

Media owner / spokesperson

Media procedure is enabled but no owner is listed.

Regulatory contacts / counsel ? List DPA/AG agencies, supervisory authorities, or external counsel contacts.

Legal counsel on retainer?

Yes No

Cyber insurance broker contact

Law enforcement notification criteria ? Describe when to engage local/federal law enforcement.

Regulatory contacts are populated but legal counsel is not on retainer. Clarify counsel arrangements.

Additional incident response context (optional)

9. Third-Party Risk Management

Manage security risks from vendors/partners.

Number of Critical Vendors *?Third-party companies whose services are essential to your operations or who have access to your sensitive data. A security breach at these vendors could directly impact you.

Vendor Assessment Process *?How you evaluate the security practices of third-party companies before and during your business relationship. Weak vendor security can become your security problem.

No formal assessment Informal / Ad-hoc Formal assessment Ongoing audits/monitoring

Critical Vendor Details Track key vendors, data handling, and assurances

Critical vendors list

Press Enter after each vendor; select a chip to edit details.

You noted critical vendors above. Add them here so the count stays in sync.

Editing . Changes save automatically.

10. Business Continuity & Risk

How resilient is your organization?

Business Continuity Plan *

BCP explains how you keep critical services running during major disruptions.

No plan Draft / Incomplete Formal plan Tested & maintained

Disaster Recovery Plan *

DR plans describe how you restore systems and data after a severe outage.

No plan Draft / Incomplete Formal plan Tested & maintained

Critical System Redundancy *

No redundancy Partial Full redundancy

Security Budget/Resources *?Financial and staff resources dedicated to cybersecurity. This determines what tools, training, and expertise you can invest in.

Minimal / Ad-hoc Limited Adequate Strong investment

Security Team Maturity *?The size and structure of staff dedicated to cybersecurity. Larger teams can implement more controls, but even small teams can be effective with the right focus.

No dedicated team 1-2 people Small team (3-5) Large team (6+)

Most Significant Security Risks *

Additional Comments/Context

Compliance & Audit Surface assurance activities and exception handling

Internal audit frequency and scope

External audit / assessment schedule

Compliance monitoring processes

Policy exception management

Metrics & Continuous Improvement Track KRIs/KPIs, cadence, and roadmap ownership

KRIs tracked ? Key risk indicators (KRIs) show where risk is rising (e.g., overdue high risks).

KRIs flag when risk is increasing so leadership can act early.

KPIs tracked ? Key performance indicators (KPIs) track program health (MTTR, patch SLAs, training completion).

KPIs measure ongoing program performance (e.g., MTTR, training completion).

Metrics reporting cadence

Maturity assessment history ? Frequency of prior cybersecurity maturity or capability assessments.

None Ad-hoc Annual

Improvement roadmap exists?

Yes No

Improvement roadmap notes

No KRIs or KPIs are captured. Add at least one metric to track continuous improvement.

NIST CSF 2.0 Assessment Report

Cybersecurity Framework Readiness Analysis

Executive Summary

Maturity Analysis by Function

Implementation Tier Assessment

Analyzing…

Overall Tier

Awaiting analysis

Governance

Risk Management

Learn about NIST CSF Tiers →

Rationale

Analysis pending…

Priority Focus Areas

Analysis pending…

Data Quality Notes

No observations.

Key Recommendations

Data Quality Notes

Detailed Assessment Data

Unlock Your Complete Package

Get your full assessment report and customized security policy documents tailored to your organization.

Package includes: Complete Assessment Report + 8 Customized Security Policies (Information Security, Acceptable Use, Access Control, Data Classification, Logging & Monitoring, Incident Response, Backup & Recovery, Vendor Risk Management)

Thank You for Your Purchase

Your assessment package is ready for download.

8 Security Policy Documents (.docx)

Need Implementation Support?

Our team can help with policy implementation, staff training, and ongoing compliance support.

Schedule a Consultation

Progress saved in this browser.

1 of 10