NIST CSF Assessment Instructions

1. Introduction


The NIST Cybersecurity Framework helps organizations begin or improve their cybersecurity program. It draws upon established practices that have proven effectiveness, enabling organizations to elevate their cybersecurity stance. The framework promotes communication among various stakeholders within and outside the organization, fostering a collaborative approach to cybersecurity. In the case of larger organizations, it facilitates the integration and alignment of cybersecurity risk management with broader enterprise risk management processes, as outlined in the NISTIR 8286 series. For more information, refer to the official NIST publication.

2. Assessment Methodology


The NIST CSF recommends using Framework Implementation Tiers as a means to evaluate security requirements. These tiers serve as a lens through which one can assess an organization's approach to risk, specifically how the organization perceives cybersecurity risk and the measures in place to mitigate that risk.

SAFE understands the NIST CSF framework implementation tiers as follows:

  • Tier 1 - Partial: Indicates 15% implementation progress
  • Tier 2 - Risk Informed: Indicates 40% implementation progress
  • Tier 3 - Repeatable: Indicates 80% implementation progress
  • Tier 4 - Adaptive: Indicates 100% implementation progress

SAFE risk estimation takes into consideration the implementation progress percentage to attribute risk accordingly. 

Each security requirement has its own help text to guide the user in the assessment.

Additionally, the following assessment is supported:

  • Not Applicable: This indicates the requirement is not applicable to the organization.
  • Not Implemented: This indicates 0% implementation progress.
  • Mark as Accepted Failed: This option is available after assessment to accept the risk of not meeting the Tier 4 implementation for a security requirement.

3. Assess NIST CSF Questionnaire


You can assess the NIST CSF Questionnaire as follows:

  • Upload CSV of NIST CSF Questionnaire in SAFE.
  • Assess NIST CSF Questionnaire on SAFE UI.
  • Assess the NIST CSF Questionnaire using SAFE APIs.

3.1. Upload CSV

Refer to NIST CSF Questionnaire Upload Instructions.

3.2. Assess NIST CSF Questionnaire on SAFE UI

To assess the NIST CSF Questionnaire:

  1. Navigate to Questionnaire > NIST CSF.
  2. On the NIST CSF Questionnaire page, read the Controls carefully.
  3. Select an appropriate control option for each control one by one. SAFE autosaves your selection.
  4. Click a control to navigate to the control details page.
  5. If required, to accept the risk, you can mark the control as Accepted Failed on the control details page.
    Controls marked as "Accepted Failed" will not be considered for prioritized actionable insights within SAFE. Furthermore, when a control is marked as "Accepted Failed," it will have a minor impact on the SAFE Score due to its residual risk.

Note
If a control is reassessed and its control option is changed, the system automatically removes the "Accepted Failed" status. However, users can re-mark a control as "Accepted Failed" after reassessment to reflect the organization's decision.
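The rules above (tier-to-progress mapping, Not Applicable and Not Implemented handling, exclusion of Accepted Failed controls from prioritized insights, and clearing of the Accepted Failed status when a reassessment changes the control option) can be modelled in a few lines. The following is an added illustration, not SAFE's own code or API, and it does not reproduce SAFE's score calculation; the control identifiers and tier selections in the sample are constructed values.

```python
from dataclasses import dataclass

# Framework Implementation Tier -> implementation progress percentage,
# as stated in the assessment methodology section of this page.
TIER_PROGRESS = {"Tier 1": 15, "Tier 2": 40, "Tier 3": 80, "Tier 4": 100}
NOT_APPLICABLE = "Not Applicable"
NOT_IMPLEMENTED = "Not Implemented"


@dataclass
class ControlAssessment:
    """One NIST CSF control as assessed in the questionnaire (illustrative model)."""
    control_id: str            # sample id, e.g. "ID.AM-1"
    option: str                # a tier name, NOT_APPLICABLE or NOT_IMPLEMENTED
    accepted_failed: bool = False

    def progress(self):
        """Implementation progress percentage, or None when not applicable."""
        if self.option == NOT_APPLICABLE:
            return None
        if self.option == NOT_IMPLEMENTED:
            return 0
        if self.option not in TIER_PROGRESS:
            raise ValueError(f"unknown control option: {self.option}")
        return TIER_PROGRESS[self.option]

    def mark_accepted_failed(self):
        """Accept the residual risk of not meeting Tier 4 for this control.
        Only meaningful for applicable controls that fall short of Tier 4."""
        if self.progress() is None or self.progress() == 100:
            raise ValueError("nothing to accept: control is N/A or already at Tier 4")
        self.accepted_failed = True

    def reassess(self, new_option):
        """Record a new control option. A changed option clears the Accepted
        Failed status (the user may re-mark it afterwards); an unchanged option keeps it."""
        if new_option != self.option:
            self.accepted_failed = False
        self.option = new_option


def prioritized_gaps(assessments):
    """Controls that still need attention: applicable, below Tier 4, and not
    marked Accepted Failed. Returns (control_id, gap-to-100%) with the largest gap first."""
    gaps = []
    for a in assessments:
        p = a.progress()
        if p is None or p == 100 or a.accepted_failed:
            continue
        gaps.append((a.control_id, 100 - p))
    return sorted(gaps, key=lambda g: (-g[1], g[0]))


if __name__ == "__main__":
    # Constructed sample questionnaire state
    sample = [
        ControlAssessment("ID.AM-1", "Tier 2"),
        ControlAssessment("ID.AM-2", "Tier 4"),
        ControlAssessment("PR.AC-1", NOT_IMPLEMENTED),
        ControlAssessment("PR.AC-3", NOT_APPLICABLE),
        ControlAssessment("DE.CM-1", "Tier 3"),
    ]
    sample[4].mark_accepted_failed()          # DE.CM-1 drops out of the gap list
    print(prioritized_gaps(sample))           # [('PR.AC-1', 100), ('ID.AM-1', 60)]
    sample[4].reassess("Tier 2")              # option changed -> status cleared
    print(sample[4].accepted_failed)          # False
```

The `reassess` method is where the note's behaviour lives: a reassessment that keeps the same option leaves the risk acceptance in place, while any change to the option drops it, so the acceptance has to be an explicit, repeated decision rather than something that silently survives a changed assessment.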