NIST CSF Questionnaire Upload Instructions

About this document


This document gives step-by-step instructions to upload NIST CSF Assessment data in SAFE.

Introduction


SAFE allows you to assess the NIST CSF Questionnaire. The system ingests the assessment into SAFE's risk scenario scoring algorithm. By providing your latest NIST CSF assessment to SAFE, you receive Prioritized Actionable Insights and a Breach Likelihood based on that information.

Info
The questionnaire requirements are based on NIST CSF v1.1.

Upload Instructions


SAFE allows you to download the NIST CSF Questionnaire template in either CSV or Excel format.

Here is a step-by-step procedure for uploading the NIST CSF Questionnaires in SAFE:

  1. Click the Questionnaire from the left navigation and go to the Questionnaire Profile for which you want to upload the assessment.
  2. Click the NIST CSF card.
    [Screenshot: NIST CSF Card]
  3. Click the + Upload button.
    [Screenshot: NIST CSF 2]
  4. Click the Download Template drop-down.
  5. Click either CSV or Microsoft Excel template. The system automatically downloads the template to your computer.
    The template is available in CSV and Microsoft Excel formats. Decide which format works best for you.
    1. Microsoft Excel Format: If you choose Excel, you'll find instructions on the first sheet and the questionnaire for assessment on subsequent sheets. The Excel format provides a drop-down in the Option column, making it easy to select an answer.
    2. CSV Format: If you choose CSV, you must type the answer into the Option column manually.
  6. Open the downloaded template in your chosen format.
  7. Review the NIST requirement in the "Standard Clause" column and select the appropriate option in the "Option" column. There are six options available for each question. Refer to Tier Definition for more details.
    1. Tier 1 - Partial
    2. Tier 2 - Risk Informed
    3. Tier 3 - Repeatable
    4. Tier 4 - Adaptive
    5. Not Applicable
    6. Not Implemented
  8. (Optional) You can accept risks by marking controls as "Accepted Failed." To mark a control as Accepted Failed, enter Yes in the Risk Accepted column of the template.
     [Screenshot: NIST CSF Upload Template]
  9. Save the assessment file in CSV format. This ensures compatibility for uploading the data into SAFE.
     Microsoft Excel CSV formats
     • Please ensure that you export the CSV using the "CSV (Comma delimited) (*.csv)" option. Other file formats may result in errors.
     • Make sure that the chosen settings use a comma as the delimiter. Refer to the Microsoft documentation for your Excel version.
  10. Go to the NIST CSF Assessment Upload page, and browse and upload the file. Alternatively, you can drag the file to the upload area on this page.
  11. For a successful upload, the system displays a success message. You can see the upload details in the Upload History table available at the bottom of the page.
     [Screenshot: NIST CSF 3]
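A filled-in template that uses the wrong delimiter or a value outside the six allowed options is rejected only after you upload it. The following Python script is an added example (it is not SAFE's code and not part of this article) that checks a template locally before upload. It assumes only the three column names the instructions quote ("Standard Clause", "Option", "Risk Accepted"); any other columns in the real template are ignored, and the sample rows are constructed for illustration.

```python
import csv
import io
from collections import Counter

# The six allowed values for the "Option" column, as listed in the upload instructions.
ALLOWED_OPTIONS = (
    "Tier 1 - Partial",
    "Tier 2 - Risk Informed",
    "Tier 3 - Repeatable",
    "Tier 4 - Adaptive",
    "Not Applicable",
    "Not Implemented",
)
# Column names quoted in the instructions (assumption: the template uses exactly these headers).
REQUIRED_COLUMNS = ("Standard Clause", "Option", "Risk Accepted")


def _norm(value):
    """Collapse whitespace and case so 'tier 3 -  repeatable' matches its canonical form."""
    return " ".join((value or "").split()).casefold()


_CANONICAL = {_norm(o): o for o in ALLOWED_OPTIONS}


def validate_template(csv_text):
    """Check a filled-in template before upload.

    Returns (errors, summary): errors is a list of human-readable findings
    (empty when the file is ready); summary counts the options chosen,
    the rows seen and the number of risk-accepted controls.
    """
    errors = []
    summary = {"options": Counter(), "risk_accepted": 0, "rows": 0}
    text = csv_text.lstrip("\ufeff")  # tolerate a UTF-8 BOM written by Excel
    header_line = text.splitlines()[0] if text.strip() else ""

    # The upload requires "CSV (Comma delimited)"; a semicolon export is the usual mistake.
    if "," not in header_line and ";" in header_line:
        errors.append("file is semicolon-delimited; re-export as CSV (Comma delimited)")
        return errors, summary

    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        errors.append("missing column(s): " + ", ".join(missing))
        return errors, summary

    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        summary["rows"] += 1
        clause = (row["Standard Clause"] or "").strip()
        option = _CANONICAL.get(_norm(row["Option"]))
        if option is None:
            errors.append(f"line {line_no} ({clause}): option {row['Option']!r} "
                          "is not one of the six allowed values")
        else:
            summary["options"][option] += 1

        accepted = _norm(row["Risk Accepted"])
        if accepted == "yes":
            summary["risk_accepted"] += 1
        elif accepted not in ("", "no"):
            errors.append(f"line {line_no} ({clause}): Risk Accepted must be Yes, No or blank, "
                          f"got {row['Risk Accepted']!r}")
    return errors, summary


# Constructed sample: a comma-delimited template with two deliberate mistakes
# (an invalid option on line 5 and an invalid Risk Accepted value on line 6).
SAMPLE_CSV = """Standard Clause,Option,Risk Accepted
ID.AM-1: Physical devices and systems within the organization are inventoried,Tier 2 - Risk Informed,No
ID.AM-2: Software platforms and applications within the organization are inventoried,tier 3 - repeatable,
PR.AC-1: Identities and credentials are issued and managed,Not Implemented,Yes
PR.AC-4: Access permissions and authorizations are managed,Tier 5 - Optimized,No
DE.CM-1: The network is monitored to detect potential cybersecurity events,Tier 1 - Partial,maybe
"""

# Constructed sample: the same header exported with a semicolon delimiter.
SEMICOLON_CSV = "Standard Clause;Option;Risk Accepted\nID.AM-1;Tier 1 - Partial;No\n"

if __name__ == "__main__":
    for name, data in (("sample.csv", SAMPLE_CSV), ("semicolon.csv", SEMICOLON_CSV)):
        errs, summ = validate_template(data)
        print(f"{name}: {summ['rows']} rows, {summ['risk_accepted']} risk-accepted, "
              f"{len(errs)} problem(s)")
        for e in errs:
            print("  -", e)
```

Run the script on the CSV you saved from Excel (read the file into a string and pass it to validate_template); an empty error list means the delimiter, the column headers and every Option and Risk Accepted value match what the upload expects.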

Tier Definition for NIST CSF


Tier 1 - Partial: Risk management practices are not formalized, and risk is managed in an ad-hoc and sometimes reactive manner. Prioritization of cybersecurity activities may not be directly informed by organizational risk objectives, the threat environment, or business/mission requirements.

Tier 2 - Risk Informed: Risk management practices are approved by management but may not be established as organization-wide policy. Prioritization of cybersecurity activities and protection needs is directly informed by organizational risk objectives, the threat environment, or business/mission requirements.

Tier 3 - Repeatable: Risk management practices are formally approved and expressed as policy. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.

Tier 4 - Adaptive: Risk management practices are based on previous and current risk management activities, including lessons learned and predictive indicators. Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organization actively adapts to a changing threat and technology landscape and responds in a timely and effective manner to evolving, sophisticated threats.

Not Applicable: Not applicable to the organization.

Not Implemented: Risk management practices are non-existent, as controls have not been established.
