This tool implements the NIST Cybersecurity Framework (CSF) 2.0 (published February 2024) assessment structure. Rate your organization's cybersecurity practices across all 6 functions and 22 categories on a 1–4 tier scale. Results appear live as a radar chart, per-function score bars, a gap analysis listing your lowest-rated categories, and an overall tier. Export your completed assessment as a plain-text report.
GOVERN (GV) — New in CSF 2.0: sets cybersecurity strategy, policy, roles, and supply chain risk management at the executive level. Without a strong GV score, the other five functions lack authority and resources.
IDENTIFY (ID) — Understand the assets, systems, data, and risks that need protecting. You cannot protect what you haven't inventoried.
PROTECT (PR) — Implement safeguards: access control, awareness training, data encryption, system hardening, and resilience planning.
DETECT (DE) — Monitor continuously and analyze anomalies to find cybersecurity events before they become incidents.
RESPOND (RS) — Execute incident response plans: manage, analyze, communicate, contain, and learn from incidents.
RECOVER (RC) — Restore capabilities after incidents and incorporate lessons learned into future planning.
Tier 1 (Partial): Risk management is ad hoc and reactive. Individual heroics, no formal policy, limited executive awareness. Most small organizations start here.
Tier 2 (Risk Informed): Management has approved risk practices, but they are not consistently applied organization-wide. Some documentation exists. Common in mid-sized organizations.
Tier 3 (Repeatable): Practices are formally documented as policy, consistently applied, with defined metrics and periodic review. Auditors and regulators generally expect the documented, consistently applied practices that characterize Tier 3.
Tier 4 (Adaptive): Practices continuously improve based on real-time threat intelligence, lessons learned, and predictive analytics. Typical of mature security operations centers (SOC) and critical infrastructure operators.
Scoring honestly is critical — overrating your current state produces misleading gap analysis. Score where you ARE, not where you want to be.
The radar chart shows your profile across all 6 functions at a glance. A hexagon that reaches evenly toward the outer rings indicates consistent maturity across every function; a lopsided shape reveals which functions lag. Use this to brief executive stakeholders.
The Gap Analysis panel lists your five lowest-rated categories — these are your highest-priority remediation targets. Start with Govern and Identify gaps, since those enable all other functions.
The per-function score bars let you compare functions side-by-side. A Detect score of 1.5 while Protect is at 3.0 means you may be building walls without smoke detectors — events will occur and go unnoticed.
Export the text report to document your current baseline before a remediation program. Re-run the assessment quarterly to track improvement over time.
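The scoring described above (per-function averages, overall tier, the five lowest categories, the lagging-function check and the text export), worked through as an added Python example. This is not the tool's own source. The 22 category IDs are those of the published CSF 2.0; the rule for rounding the overall average to a tier and the 1.0-point threshold for flagging a lagging function are assumptions, since the page does not state them. The sample ratings are constructed.

```python
"""Scoring model for a CSF 2.0 self-assessment (added example, not the tool's code)."""

# The 22 categories of NIST CSF 2.0 grouped by function, in the framework's order.
CATEGORIES = {
    "GV": ["GV.OC", "GV.RM", "GV.RR", "GV.PO", "GV.OV", "GV.SC"],
    "ID": ["ID.AM", "ID.RA", "ID.IM"],
    "PR": ["PR.AA", "PR.AT", "PR.DS", "PR.PS", "PR.IR"],
    "DE": ["DE.CM", "DE.AE"],
    "RS": ["RS.MA", "RS.AN", "RS.CO", "RS.MI"],
    "RC": ["RC.RP", "RC.CO"],
}
FUNCTION_ORDER = list(CATEGORIES)  # GV, ID, PR, DE, RS, RC
ALL_CATEGORIES = [c for cats in CATEGORIES.values() for c in cats]
TIER_NAMES = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


def validation_errors(scores):
    """Return a list of problems: every category rated exactly once, integer 1..4."""
    errors = []
    missing = set(ALL_CATEGORIES) - scores.keys()
    unknown = scores.keys() - set(ALL_CATEGORIES)
    if missing:
        errors.append(f"missing categories: {sorted(missing)}")
    if unknown:
        errors.append(f"unknown categories: {sorted(unknown)}")
    bad = {c: v for c, v in scores.items() if v not in (1, 2, 3, 4)}
    if bad:
        errors.append(f"ratings must be integers 1-4: {bad}")
    return errors


def function_scores(scores):
    """Mean rating of each function's categories (unrounded)."""
    errors = validation_errors(scores)
    if errors:
        raise ValueError("; ".join(errors))
    return {f: sum(scores[c] for c in cats) / len(cats) for f, cats in CATEGORIES.items()}


def overall_tier(scores):
    """Overall tier from the mean of the six function scores.
    Assumption: round to the nearest tier (the page does not state the rule)."""
    fs = function_scores(scores)
    avg = sum(fs.values()) / len(fs)
    tier = max(1, min(4, int(avg + 0.5)))
    return tier, TIER_NAMES[tier], avg


def gap_analysis(scores, n=5):
    """The n lowest-rated categories. Ties are broken by framework order, so
    Govern and Identify gaps surface first, matching the page's advice."""
    function_scores(scores)  # validates
    rank = {c: i for i, c in enumerate(ALL_CATEGORIES)}
    return sorted(scores, key=lambda c: (scores[c], rank[c]))[:n]


def lagging_functions(scores, threshold=1.0):
    """Functions trailing the strongest one by more than `threshold` points
    (assumed threshold): the 'walls without smoke detectors' pattern."""
    fs = function_scores(scores)
    top = max(fs.values())
    return [f for f in FUNCTION_ORDER if top - fs[f] > threshold]


def text_report(scores):
    """Plain-text baseline report suitable for filing before a remediation program."""
    fs = function_scores(scores)
    tier, name, avg = overall_tier(scores)
    lines = [f"Overall: Tier {tier} ({name}), mean {avg:.2f}"]
    lines += [f"  {f}: {fs[f]:.2f}" for f in FUNCTION_ORDER]
    lines.append("Top gaps: " + ", ".join(gap_analysis(scores)))
    lag = lagging_functions(scores)
    if lag:
        lines.append("Lagging functions: " + ", ".join(lag))
    return "\n".join(lines)


# Constructed sample: an organization that invested in controls (PR) but has
# thin governance and almost no detection capability.
SAMPLE = {
    "GV.OC": 2, "GV.RM": 1, "GV.RR": 2, "GV.PO": 2, "GV.OV": 1, "GV.SC": 1,
    "ID.AM": 2, "ID.RA": 2, "ID.IM": 1,
    "PR.AA": 3, "PR.AT": 3, "PR.DS": 3, "PR.PS": 3, "PR.IR": 3,
    "DE.CM": 1, "DE.AE": 2,
    "RS.MA": 2, "RS.AN": 2, "RS.CO": 2, "RS.MI": 2,
    "RC.RP": 2, "RC.CO": 2,
}

if __name__ == "__main__":
    print(text_report(SAMPLE))
```

Running the sample produces an overall Tier 2 with Protect at 3.00 against Govern and Detect at 1.50, and all five reported gaps fall in Govern, Identify and Detect, which is the imbalance the score bars are meant to expose.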
For operational technology (OT) and industrial control system (ICS) environments, NIST CSF 2.0 outcomes map onto IEC 62443 requirements, but the two scales measure different things: an IEC 62443 security level (SL 1–4) rates a zone's protection against a class of attacker, while a CSF tier rates how rigorously risk is governed and managed. Do not read one as the other. OT-specific scoring considerations:
GV.SC (Supply Chain Risk): In OT, this includes vendor remote access controls, firmware authenticity, hardware supply chain, and vendor security requirements in procurement.
PR.PS (Platform Security): OT hardening follows different timelines — patching is constrained by operational windows. Score this category against OT-specific guidance, not IT timelines.
DE.CM (Continuous Monitoring): OT monitoring should rely primarily on passive network traffic analysis. IT-style active scanning (port sweeps, credentialed vulnerability scans) can stall or crash PLCs and belongs only in vendor-approved maintenance windows, if at all. Passive OT monitoring platforms such as Claroty or Dragos are the appropriate control; score this category on coverage of your OT network segments, not on whether an IT scanner is deployed.
RS.CO (Incident Reporting): OT incidents may carry mandatory reporting obligations to CISA and to sector regulators (for example NRC for nuclear facilities, TSA for pipelines and rail). Factor known deadlines and contacts into your reporting process maturity score.
CSF 2.0 (February 2024) adds a sixth function — Govern — to address organizational context, risk strategy, roles, policy, oversight, and supply chain risk. CSF 1.1 had five functions: Identify, Protect, Detect, Respond, Recover. CSF 2.0 also reorganized categories, made supply chain risk a top-level concern, and added guidance for all organization sizes.
Largely yes. CSF 2.0 retains the same four tiers: Partial (1), Risk Informed (2), Repeatable (3), and Adaptive (4). CSF 2.0 describes each tier along two dimensions, cybersecurity risk governance and cybersecurity risk management, and makes the wording more outcome-oriented, but the ladder itself is unchanged. One caveat: NIST states that the tiers characterize the rigor of an organization's risk practices and are not intended as a maturity model; this tool uses them as a convenient 1–4 scale, so treat the resulting "maturity" label as a self-assessment shorthand rather than a NIST-defined rating.
NIST CSF is outcome-based (WHAT to achieve). IEC 62443 provides prescriptive controls for OT/ICS systems and defines Security Levels (SL 1–4) for zones and conduits. ISO/IEC 27001 is a certifiable ISMS standard with specific Annex A controls. All three are complementary: use NIST CSF at the enterprise level, IEC 62443 for OT architecture, and ISO/IEC 27001 where customers or regulators require a certifiable ISMS.
This tool is for self-assessment and gap identification, not formal compliance documentation. For regulatory purposes (NERC CIP, HIPAA, PCI DSS, FedRAMP, TSA Pipeline Security Directives), work with a qualified assessor or auditor. The assessment is still useful preparation before a formal audit, because it identifies gaps you can remediate in advance.
Prioritize in this order: (1) GV.RM and GV.RR — without executive support and clear ownership, nothing else sticks. (2) ID.AM — inventory your assets. (3) PR.AA — enforce least privilege and MFA. (4) DE.CM — implement basic logging and alerting. (5) RS.MA — document and test your incident response plan. Avoid the mistake of focusing on PR (protection) without DE (detection) — attackers who get past your perimeter will operate undetected indefinitely without monitoring.