NIST CSF Questionnaire Upload Instructions
  • 2 Minutes to read
  • PDF

NIST CSF Questionnaire Upload Instructions

  • PDF

Article summary

About this document

This document gives step-by-step instructions to upload NIST CSF Assessment data in SAFE.


SAEF allows you to bring your NIST CSF Questionnaire assessment data in SAFE. The system ingests the assessment into SAFE's risk scenario scoring algorithm. By providing your latest NIST CSF assessment to SAFE, you'll receive Prioritized Actionable Insights and Breach Likelihood based on the information.

The questionnaire requirements are based on NIST CSF v1.1.

Upload Instructions

SAFE allows you to download the NIST CSF Questionnaire template in either CSV or Excel Format.

Here is a step-by-step procedure for uploading the NIST CSF Questionnaires in SAFE:

  1. Navigate to Groups.
  2. Click on the Group for that you want to assess the NIST CSF Questionnaire. 
  3. Click the Questionnaire tab and then click NIST CSF Questionnaire.
    If the NIST CSF Questionnaire is not available for a group, it means that you did not include it during the group's creation. You can edit and add the NIST CSF Questionnaire to a group.
  4. Click the + Upload button.
  5. Click the Download Template drop-down.
  6. Click either CSV or Microsoft Excel template. The system automatically downloads the template to your computer.
    The template is available in CSV and MicrosoftExcel formats. Decide which format works best for you.
    1. Microsoft Excel Format: If you choose Excel, you'll find instructions on the first sheet and the questionnaire for assessment on subsequent sheets. The Excel format provides a quick drop-down in the options column, making it easy to select an answer.
    2. CSV Format: If you choose CSV, you must manually write the answer in the CSV format.
  7. Open the downloaded template in your chosen format. 
  8. Review the NIST requirement in the "Standard Clause" column and select the appropriate option in the "Option" column. There are six options available for each question. Refer to Tier Definition for more details.
    1. Tier 1 - Partial
    2. Tier 2 - Risk Informed
    3. Tier 3 - Repeatable
    4. Tier 4 - Adaptive
    5. Not Applicable
    6. Not Implemented
  9. Save the assessment file in a CSV format. This ensures compatibility for uploading the data into SAFE.
Microsoft Excel CSV Formats
  • Please ensure that you export the CSV using the "CSV (Command Delimited))(*.csv) option. Other file formats may result in errors.
  • Make sure that the chosen settings include commas as the delimiter. Refer to Microsoft documentation here.
  1. Go to the NIST CSF Assessment Upload page, and browse and upload the file. Alternatively, you can drag the file to the upload area on this page.
  2. For a successful upload, the system displays a success message. You can see the upload details in the Upload History table available at the bottom of the page.

Tier Definition for NIST CSF

Tier 1PartialRisk management practices are not formalized, and risk is managed ad-hoc and sometimes reactive. Prioritization of cybersecurity activities may not be directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
Tier 2Risk-InformedRisk management practices are approved by management but may not be established as organizational-wide policy. Prioritization of cybersecurity activities and protection needs is directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
Tire 3RepeatableRisk management practices are formally approved and expressed as policy. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.
Tire 4AdaptiveRisk management practices are based on previous and current risk management activities, including lessons learned and predictive indicators. Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organization actively adapts to a changing threat and technology landscape and responds in a timely and effective manner to evolving sophisticated threats.
Not Applicable
Not applicable to the organization.
Not Implemented
Risk management practices are non-existent as controls have not been established.

Watch Help Video - NIST CSF

Was this article helpful?