NIST CSF Assessment Instructions

1. Introduction


The NIST Cybersecurity Framework helps organizations begin or improve their cybersecurity program. It draws upon established practices that have proven effectiveness, enabling organizations to elevate their cybersecurity stance. The framework promotes communication among various stakeholders within and outside the organization, fostering a collaborative approach to cybersecurity. In the case of larger organizations, it facilitates the integration and alignment of cybersecurity risk management with broader enterprise risk management processes, as outlined in the NISTIR 8286 series. For more information, refer to the official NIST publication.

2. Assessment Methodology


The NIST CSF recommends using Framework Implementation Tiers as a means to evaluate security requirements. These tiers serve as a lens through which one can assess an organization's approach to risk, specifically how the organization perceives cybersecurity risk and the measures in place to mitigate such risk.

SAFE understands the NIST CSF framework implementation tiers as follows:

  • Tier 1 - Partial: Indicates 15% implementation progress
  • Tier 2 - Risk Informed: Indicates 40% implementation progress
  • Tier 3 - Repeatable: Indicates 80% implementation progress
  • Tier 4 - Adaptive: Indicates 100% implementation progress

SAFE risk estimation uses the implementation progress percentage to attribute risk accordingly.

Each security requirement has its own help text to guide the user in the assessment.

Additionally, the following assessment is supported:

  • Not Applicable: This indicates the requirement is not applicable to the organization.
  • Not Implemented: This indicates 0% implementation progress.
  • Mark as Accepted Failed: This option is available after assessment to accept the risk of not meeting the Tier 4 implementation for a security requirement.

3. Assess NIST CSF Questionnaire


You can assess the NIST CSF Questionnaire as follows:

  • Upload CSV of the NIST CSF Questionnaire in SAFE.
  • Assess NIST CSF Questionnaire on SAFE UI.

3.1. Upload CSV

Refer to NIST CSF Questionnaire Upload Instructions.

3.2. Assess NIST CSF Questionnaire on SAFE UI

To assess the NIST CSF Questionnaire:

  1. Navigate to Groups.
  2. Click the Group for which you want to assess the NIST CSF Questionnaire.
  3. Click the Questionnaire tab and then click NIST CSF Questionnaire.
    If the NIST CSF Questionnaire is not available for a group, it was not included when the group was created. You can edit the group to add the NIST CSF Questionnaire.
  4. On the NIST CSF Questionnaire page, read the Findings carefully.
  5. Select an appropriate Finding Option for each finding one by one. SAFE autosaves your selection.
  6. Click a finding to navigate to the finding details page.
  7. If required, you can Accept Risk on the finding details page.
    Note: Findings marked as "Accept Risk" will not be considered for prioritized actionable insights within SAFE. Furthermore, when a finding is marked as "Accept Risk," it will have a minor impact on the Likelihood due to its residual risk.
Note
If a finding is re-assessed and its finding option is changed, the system automatically removes the "Accept Risk" status.