DMS | NIST CSF 2.0 Assessment

1. Organization Profile

Tell us about your organization.

Organization Name

Contact Email

Industry

Employee Headcount

Number of Locations

Data Types Handled

Personally Identifiable Information (PII) Names, addresses, IDs, or any data that can single out an individual.

Protected Health Information (PHI/HIPAA) Medical and patient data regulated by HIPAA privacy and security rules.

Payment Card Information (PCI-DSS) Credit/debit card numbers and related data governed by PCI-DSS.

Proprietary Business Data Trade secrets, product roadmaps, pricing, or internal strategies.

Other Sensitive Data Anything else your organization classifies as sensitive or restricted.

Applicable Compliance Frameworks

NIST Cybersecurity Framework 2.0 U.S. National Institute of Standards guidance for managing cyber risk.

HIPAA Health Insurance Portability and Accountability Act for safeguarding patient data.

PCI-DSS Industry standard that sets controls for accepting or processing card payments.

GDPR European Union privacy regulation covering personal data collection and use.

SOC 2 Independent audit attesting to service organization security and availability controls.

ISO 27001 International standard for operating an information security management system.

None applicable No specific compliance frameworks currently apply to your organization.

Business Context Your organization in context

Business overview

2-4 sentences describing what you deliver, to whom, and scale.

Mission-critical processes

List the processes or services that must stay online.

Business model

B2B B2C SaaS / Subscription Services / Consulting Other

Customer base size

Revenue band

Key industries served

Press Enter after each industry to add a chip.

Competitive landscape / differentiators (optional)

Skip this if it doesn't apply. If it does, a few words about what makes you unique helps us tailor risk priorities.

Technical Architecture Your IT environment

Cloud platforms you currently use

AWS Microsoft Azure Google Cloud Platform Other

Primary workload types

What kinds of software your business runs or builds.

Web apps / Portals APIs / Integrations Data pipelines / Analytics Desktop / Legacy software Mobile applications Off-the-shelf software only

Pick the closest match. If you're not sure, "Flat" is the honest answer for many small businesses.

Application inventory summary (optional)

A quick list helps us tailor policies to your actual stack. Bullets or sentences both work.

Client Data Lifecycle Where client data lives

Add a brief system or location for each stage (e.g., Store = AWS S3; Dispose = NIST 800-88 sanitization).

Receive Store Process Transmit Share with vendors Archive Dispose / Destroy

Risk Management Framework Risk tolerance, acceptance, and enterprise-risk linkage

None documented Qualitative (low/medium/high) Quantified thresholds

Risk register exists?

Yes No

Risk register update cadence

Structured Data Flows How data moves through your business

Identify major sources→stores→movements (e.g., endpoints → S3 → ETL → warehouse).

Sources

Stores

Movements

Additional notes

Risk & Compliance Requirements Regulatory and contractual obligations

Regulatory obligations

HIPAA U.S. healthcare privacy and security requirements for PHI.

PCI-DSS Payment Card Industry Data Security Standard for handling cardholder data.

GDPR EU-wide regulation setting strict expectations for personal data protection.

SOC 2 Assurance report demonstrating controls for security, availability, or confidentiality.

ISO 27001 ISO standard that certifies your information security management system.

State / Local mandates Other None identified

Contractual obligations with customers/partners

Note any SLAs, audit rights, or security addenda.

Threat model focus

Ransomware BEC / Phishing Insider risk Supply chain compromise Web application abuse Other No formal threat modeling

Documented risks

List the top known risks or open issues (no placeholders).

Stakeholders & Risk Appetite Risk ownership and escalation

Executive sponsor name & role

Security owner

Risk appetite

How comfortable is leadership with taking security/operational risk?

Low (risk averse, high controls) Moderate (balanced risk vs. agility) High (aggressive growth, accepts more risk)

Top 3 concerns from leadership

Governance & Programs Policies, awareness, and oversight

Policy gaps or improvement plans (optional)

Policy review frequency

Security awareness program details

Security metrics / KPIs tracked

KPIs quantify program health (e.g., MTTR, patch SLAs, phishing click rate).

AI / ML in your organization (optional)

Which best describes how AI is used today? Select all that apply.

Commercial AI assistants (ChatGPT, Microsoft Copilot, Claude, Gemini, or similar) AI features built into SaaS you already use Vendor-deployed AI in a product you've adopted AI / ML systems you build or fine-tune yourselves AI in customer-facing products or decisions No AI use today

Physical & environmental security controls

Select controls in place for facilities where company assets or data are stored.

Badge / smart card access Visitor sign-in management Camera surveillance Restricted data center / server room access Secure disposal / media destruction Environmental monitoring / alarms Not applicable (fully virtual / colocated)

Secure development practices

Highlight activities that keep custom code secure.

Secure coding standards / guidelines Peer / pull-request code reviews Static application security testing (SAST) Dynamic application security testing (DAST) Dependency / SBOM scanning Not applicable (no in-house development)

Email & communication security

Capture controls that protect email and collaboration platforms.

Email retention policy Email encryption (TLS / secure portal) Email / collaboration DLP Acceptable use guidelines for messaging Approved / managed messaging platforms Not applicable (no corporate email)

Security Awareness Program Training delivery, phishing simulations, and security champions

Training delivery method

Training frequency by role

Phishing simulation cadence

Developers SysAdmins Executives Helpdesk Privacy Finance No role-based training

Manual LMS HRIS-synced

Security onboarding timeline

Champions program in place?

Yes No

Champions program notes

Operations & Change Management Clarify how changes and incidents are handled

Change management in place?

Yes Partial No formal process

Secure Development & Platform Security Software development lifecycle, security gates, and change control

Threat modeling SAST DAST SCA Secrets scan IaC scan Pre-prod pen test Security sign-off No formal security gates

Code review requirement

Security testing tools

Pen test scope for applications

Change management notes

Additional secure development context (optional)

2. Infrastructure & Technology

Understand your IT environment.

In-house IT Managed Service Provider (MSP) Hybrid

AWS Microsoft 365 / Azure Google Cloud Platform Other (specify below) None - On-premise only

If other cloud platforms, please specify:

No remote work Hybrid Fully remote

Additional infrastructure context (optional)

3. Access & Authentication

How do you manage user access?

Estimate what percentage of your workforce must use MFA across key systems.

Not Implemented (0%) Limited (1-25%) Partial (26-75%) Universal (90-100%)

Not in place Ad-hoc / Manual Tool-based (e.g., Okta, CyberArk)

No formalized access control Manual / Documented roles Automated / Policy-enforced

Never / Not tracked Annually Semi-annually Quarterly or more

Identity Lifecycle Management How identities are managed from hire to exit

Deprovisioning SLA

None Partial Complete

Service account owner model

Privileged accounts inventory

None Partial Complete

Privileged review cadence

Yes No

Sealed credentials Exception logging Post-use review 24h rotation

Password minimum length

Password complexity requirements

Uppercase Lowercase Number Special character

Password reuse history (counts remembered)

Yes No

Federation controls

IdP MFA enforced Device posture checks Just-in-time provisioning Attribute-based access control (ABAC)

Federation notes

Additional access & authentication context (optional)

4. Asset Management & Data

How do you track and protect critical assets?

No formal inventory Informal / Partial (spreadsheets) Automated tool (CMDB, asset mgmt) Fully maintained & updated

No program Ad-hoc (inconsistent) Formal policy Automated enforcement (DLP, metadata)

No encryption Partial (some systems) Required for sensitive data Universal encryption

Data Retention Policy

No policy Informal / Ad-hoc Documented policy Enforced & monitored

Encryption key management practices

Select the safeguards that govern how encryption keys are generated, stored, rotated, and retired.

Documented key generation procedures Secure key storage (HSM / key vault) Defined key rotation schedule Key escrow / backup with separation of duties Key revocation & destruction procedures Not applicable (no managed encryption keys)

Removable media controls

Identify how portable storage (USB drives, external disks) is governed.

Usage prohibited or tightly restricted Encryption required on approved devices Auto-run / autoplay disabled Logging & approval workflow Not applicable (no removable media use)

Additional asset & data context (optional)

5. Vulnerability & Patch Management

Identify and remediate weaknesses.

No scanning / Ad-hoc Annually Quarterly Continuous / Monthly

Ad-hoc / No process Quarterly or slower Monthly Automated / Rapid (days)

Never Rarely Annually Multiple per year

No formal tracking Manual (spreadsheets) Tool-based (SIEM/ticketing) Formal SLAs & escalation

Additional vulnerability & patch context (optional)

6. Monitoring & Detection

How do you detect/respond to threats?

No centralized logging Each system keeps its own logs without aggregation or correlation.

SIEM (Splunk/ELK/Sumo) Security Information and Event Management centralizes logs for analytics.

SOC / 24×7 monitoring Dedicated analysts watch alerts continuously, in-house or outsourced.

Managed Detection & Response Third-party service that hunts, triages, and contains threats on your behalf.

Log Retention

Not retained ≤ 30 days 90 days ≥ 1 year

Intrusion Detection/Prevention

Not in place Partial Comprehensive

Not in place Partial Full (24×7)

Alert Response Time

Not monitored Hours to days < 1 hour Real-time (minutes)

Security Operations Details Day-to-day monitoring and response

Threat intelligence sources

Security tool stack

Alert triage process

Mean time to detect/respond metrics

Detection & Monitoring Enhancements SIEM, behavioral baselines, and incident criteria

Yes No

Baseline scope

Authentication Network Process / behavior Data egress Cloud API Email

Additional monitoring & detection context (optional)

7. Backup & Recovery

Recover from data loss or ransomware.

No formal backups Manual / Ad-hoc Automated (untested) Managed (regularly tested)

Never Annually Semi-annually Quarterly or more

Local only (same facility) Off-site / Secondary Cloud storage

Auto-filled from Section 1; RTO is the maximum downtime your business can tolerate.

Auto-filled from Section 1; RPO is the maximum acceptable data loss window.

Immutable/air-gapped backups Network segmentation

EDR / Behavior monitoring Endpoint tools look for suspicious encryption spikes or known ransomware patterns.

Ransomware IR plan

Additional backup & recovery context (optional)

8. Incident Response & Breach History

Detect, respond, and learn from incidents.

No IR plan Draft / Informal Formal, documented Tested & maintained

Never Rarely (once yearly) Regular (multiple per year) Continuous / Quarterly

No dedicated team Informal roles Formal team External CIRT retained

Previous Security Incidents/Breaches

None known Minor incidents Significant incident Major breach

Incident Response Program Details Response standards and readiness

Incident classification schema

Notification requirements & timelines

Forensics capabilities

Lessons learned process

Communications & External Relations Incident notifications, internal and external

Internal communications chain

External stakeholders to notify

Yes No

Legal counsel on retainer?

Yes No

Cyber insurance broker contact

Additional incident response context (optional)

9. Third-Party Risk Management

Manage security risks from vendors/partners.

No formal assessment Informal / Ad-hoc Formal assessment Ongoing audits/monitoring

Critical Vendor Details Key vendors, data handling, and assurances

Critical vendors list

Press Enter after each vendor; select a chip to edit details.

Add a vendor above, then select it to capture category, services, data access, and requirements.

Vendor Security Requirements

None NDA / Data protection contract SOC 2 / Security attestation Penetration testing / Audit SLA w/ breach notification

Vendor Contracts Include Security Clauses

Example: Annual SOC 2 Type II; 24-hour breach notification; right-to-audit clause.

None (0%) Few (1-25%) Some (26-75%) All (90-100%)

Cyber Insurance Coverage, limits, and insurer expectations

Coverage present?

Yes No Unknown

Insurer requirements / conditions

Expanded Third-Party Risk Vendor onboarding, ongoing monitoring, and offboarding

Vendor onboarding security requirements

Ongoing vendor assessment frequency

Fourth-party risk management

Vendor exit procedures

Additional third-party risk context (optional)

10. Business Continuity & Risk

How resilient is your organization?

Business Continuity Plan

BCP explains how you keep critical services running during major disruptions.

No plan Draft / Incomplete Formal plan Tested & maintained

Disaster Recovery Plan

DR plans describe how you restore systems and data after a severe outage.

No plan Draft / Incomplete Formal plan Tested & maintained

Critical System Redundancy

No redundancy Partial Full redundancy

Minimal / Ad-hoc Limited Adequate Strong investment

No dedicated team 1-2 people Small team (3-5) Large team (6+)

Most Significant Security Risks

Additional Comments/Context

Compliance & Audit Assurance activities and exception handling

Internal audit frequency and scope

External audit / assessment schedule

Compliance monitoring processes

Policy exception management

Metrics & Continuous Improvement Key indicators, cadence, and roadmap ownership

KRIs flag when risk is increasing so leadership can act early.

KPIs measure ongoing program performance (e.g., MTTR, training completion).

Metrics reporting cadence

None Ad-hoc Annual

Improvement roadmap exists?

Yes No

Improvement roadmap notes

11. Supporting Documents Optional

Add files or screenshots to make your report and policies more specific, or skip this step entirely.

Your typed answers are everything we need to build your report. This step is an optional bonus: if you have any of the items below handy, our system reads them to pull in concrete details (named systems, vendors, dates, and observed gaps) that make your results and policies sharper. Don't have something? Just skip it.

Processed in memory, never saved. Our system reads each file only to generate your report and policies, then discards it the moment processing finishes. Nothing you upload is written to disk, stored on our servers, or used to train AI.

All optional. Accepted: PDF, Word, Excel, CSV, text, and PNG / JPG / WebP images. Up to 25 MB per file, 30 files, and 75 MB total.

Dynamic Management Services

1. Organization Profile

2. Infrastructure & Technology

3. Access & Authentication

4. Asset Management & Data

5. Vulnerability & Patch Management

6. Monitoring & Detection

7. Backup & Recovery

8. Incident Response & Breach History

9. Third-Party Risk Management

10. Business Continuity & Risk

11. Supporting Documents Optional

Building your report

Your Cybersecurity Maturity Report

Your assessment is ready.

Executive Summary

CSF 2.0 Function Coverage

Implementation Tier Ladder

Function Performance & Gap Analysis

Implementation Tier Analysis

What this assessment is based on

What We Found

Unlock your full report and policy suite

Thank You for Your Purchase

Need Implementation Support?

Methodology & Source Data

Data Quality Notes

Detailed Assessment Data