The Expel self-scoring tool for NIST CSF

version 1.0

How to use this spreadsheet

At the bottom of this spreadsheet you'll see tabs for seven other sheets in addition to this one.

Summary
When you're done inputing all your data, this sheet will contain the roll-up graph that shows where you are
from a CSF perspective. You don't need to edit anything here. This is a useful chart for communicating wit
board.

Identify/Protect/Detect/Recover/Respond
These sheets contain all the categories and subcategories in the corresponding functional area. We provid
fill these out in our blog post (https://expel.io/blog/get-started-with-the-nist-csf/). Fill in all the numbers that
data at the top will update automatically as you fill in the data below. The top of each page has graphs tha
states for each functional area.

Scratch
Don't touch this one. It's just a place where some intermediate calculations are being made.

If you have any comments on this workbook or find any bugs, please let us know at contact@expel.io

Additional resources:

Blog post
A quick tour and show-and-tell of exactly how Expel can positively affect your NIST CSF ratings — both no
https://expel.io/blog/get-started-with-the-nist-csf/

PDF
The PDF version of our tour and show-and-tell of exactly how Expel can positively affect your NIST CSF ra
long term.
https://expel.io/wp-content/uploads/2018/03/WP-Getting-started-NIST-1803.pdf

Self-scoring: Rank yourself on a score of 0 to 5

About Expel
Expel provides transparent managed security. It’s the antidote for companies trapped in failed relationships
provider (MSSP) and those looking to avoid the frustration of working with one in the first place. To learn m
at https://www.expel.io
o this one.

t shows where you are today and where you'd like to be

for communicating with business stakeholders and the

ctional area. We provide more detailed guidance on how to

in all the numbers that are shaded in light green. The roll up
ch page has graphs that correspond to your as-is and to-be

g made.

contact@expel.io

CSF ratings — both now ... and over the long term.

affect your NIST CSF ratings — both now ... and over the
d in failed relationships with their managed security service
first place. To learn more, check us out
Summary chart summarizing "As Is" and "To Be" security posture
This chart automatically updates based on scores entered on

Cyber Security Framewor

Asset Mgmt
Identify Bus. Enviro

Communications 4
4 4
Improvements 4 4

4
Recovery Planning

2
Recover 2
2 2 2
2 2
2 2
Improvements
4 2

00
Mitigation 4 2 0
00

2 1.2
4 2
Analysis
2
2
4 2 2
Communications 2
2

4
Response Planning

Respond 4 4
4
Detection Processes 4

Continuous Monitoring Detect

Anomalies and Events
 Be" security posture based on the NIST Cybersecurity Framework
es based on scores entered on other sheets in this workbook

Cyber Security Framework

Asset Mgmt
fy Bus. Environment

4 Governance
4 4
4 Risk Assessment

4
Risk Mgmt. Strategy

2
2 Supply Chain RM
2 2 2
4
2
2
Protect
2

00
0 2 4 Identity Mgt
00

2 2

2 4
Awareness and Training
2
2
2 2 4
2 Data Security
2

4
Info Protection
4

4 Maintence
4
4 Protective Tech

ng Detect
Anomalies and Events
mework
 IDEN
ID.A
ID-SC.5
ID-SC.4
ID.SC-3
ID.SC-2

ID.SC-1

ID.RM-3

ID.R M-2

ID.RM-1

ID.R A-6

ID.RA-5
ID.RA-4
ID.RA-3
ID.RA-2
ID.RA -1

Identify: Functional Area summary (note: this table will update automatically based on th
Category
Asset Management (ID.AM) Average
Business Environment (ID.BE) Average
Governance (ID.GV) Average
Risk Assessment (ID.RA) Average
Risk Management Strategy (ID.RM) Average
Supply Chain Risk Management (ID.SC) Average

Identify: Self-scoring worksheet (note: enter an "as is" and "to be" score, from 0 to 5, in c
Asset Management
ID.AM-1: Physical devices and systems within the organization are inventoried
ID.AM-2: Software platforms and applications within the organization are inventoried
ID.AM-3: Organizational communication and data flows are mapped
ID.AM-4: External information systems are catalogued
ID.AM-5: Resources (e.g., hardware, devices, data, time, and software) are prioritized based on their classification,
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., supplier
Business Environment
ID.BE-1: The organization’s role in the supply chain is identified and communicated
ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
ID.BE-4: Dependencies and critical functions for delivery of critical services are established
ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g.
Governance
ID.GV-1: Organizational information security policy is established
ID.GV-2: Information security roles & responsibilities are coordinated and aligned with internal roles and external pa
ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations,
ID.GV-4: Governance and risk management processes address cybersecurity risks
Risk Assessment
ID.RA-1: Asset vulnerabilities are identified and documented
ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources
ID.RA-3: Threats, both internal and external, are identified and documented
ID.RA-4: Potential business impacts and likelihoods are identified
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
ID.RA-6: Risk responses are identified and prioritized
Risk Management Strategy
ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
ID.RM-2: Organizational risk tolerance is determined and clearly expressed
ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector
Supply Chain Management
ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agre
ID.SC-2: Identify, prioritize and assess suppliers and third-party partners of information systems, components and s
ID.SC-3: Suppliers and 3rd-party partners are required by contract to implement appropriate measures designed to
Supply Chain Risk Management Plan
ID.SC-4: Suppliers and 3rd-party partners are routinely assessed to confirm that they are meeting their contractual o
equivalent evaluations of suppliers/providers are conducted
ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers
ws 37 to 70 below)
Name As Is To Be
Asset Mgmt 2 4
Bus. Environment 2 4
Governance 2 4
Risk Assessment 2 4
Risk Mgmt. Strategy 2 4
Supply Chain RM 2 4

haded light green)

As Is To Be
ID.AM-1 2 4
ID.AM-2 2 4
ID.AM-3 2 4
ID.AM-4 2 4
ID.AM-5 2 4
ID.AM-6 2 4
As Is To Be
ID.BE-1 2 4
ID.BE-2 2 4
ID.BE-3 2 4
ID.BE-4 2 4
ID.BE-5 2 4
As Is To Be
ID.GV-1 2 4
ID.GV-2 2 4
ID.GV-3 2 4
ID.GV-4 2 4
As Is To Be
ID.RA-1 2 4
ID.RA-2 2 4
ID.RA-3 2 4
ID.RA-4 2 4
ID.RA-5 2 4
ID.RA-6 2 4
As Is To Be
ID.RM-1 2 4
ID.RM-2 2 4
ID.RM-3 2 4
As Is To Be
ID.SC-1 2 4
ID.SC-2 2 4

ID.SC-3 2 4

ID-SC.4 2 4

ID-SC.5 2 4
 PR
PR.PT
PR.PT-1

PR.MA-2

PR.MA-1

PR.IP-12

PR.IP-11

PR.IP-10

PR.IP-9
PR.IP-8
PR.IP-7
PR.IP-6
PR.

Protect: Functional Area summary (note: this table will update automatically based on th
Category
Identity Management, Authentication and Access Control (PR.AC) - Average
Awareness and Training (PR.AT) - Average
Data Security (PR.DS) - Average
Information Protection Processes and Procedures (PR.IP) - Average
Maintenance (PR.MA) - Average
Protective Technology (PR.PT) - Average

Protect: Self-scoring worksheet (note: enter an "as is" and "to be" score, from 0 to 5, in c
Identity Management
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, use
PR.AC-2: Physical access to assets is managed and protected
PR.AC-3: Remote access is managed
PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and se
PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate
PR.AC-6: Identities are proofed and bound to credentials, and asserted in interactions when appropriate
PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with th
Awareness and Training
PR.AT-1: All users are informed and trained
PR.AT-2: Privileged users understand roles and responsibilities
PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles and responsibilities
PR.AT-4: Senior executives understand roles and responsibilities
PR.AT-5: Physical and information security personnel understand roles and responsibilities
Data Security
PR.DS-1: Data-at-rest is protected
PR.DS-2: Data-in-transit is protected
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
PR.DS-4: Adequate capacity to ensure availability is maintained
PR.DS-5: Protections against data leaks are implemented
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
PR.DS-7: The development and testing environment(s) are separate from the production environment
PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity
Info Protection
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained inc
PR.IP-2: A System Development Life Cycle to manage systems is implemented
PR.IP-3: Configuration change control processes are in place
PR.IP-4: Backups of information are conducted, maintained, and tested periodically
PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met
PR.IP-6: Data is destroyed according to policy
PR.IP-7: Protection processes are continuously improved
PR.IP-8: Effectiveness of protection technologies is shared with appropriate parties
PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and
PR.IP-10: Response and recovery plans are tested
PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-12: A vulnerability management plan is developed and implemented
Maintenance
PR.MA-1: Maintenance and repair of organizational assets are performed and logged in a timely manner, with appro
PR.MA-2: Remote maintenance of organizational assets are approved, logged, and performed in a manner that pre
Protective Tech
PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
PR.PT-2: Removable media is protected and its use restricted according to policy
PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabili
PR.PT-4: Communications and control networks are protected
PR.PT-5: Systems operate in pre-defined functional states to achieve availability (e.g. under duress, under attack, d
Name As Is To Be
Identity Mgt 2 4
Awareness and Training 2 4
Data Security 2 4
Info Protection 2 4
Maintence 2 4
Protective Tech 2 4

As Is To Be
PR.AC-1 2 4
PR.AC-2 2 4
PR.AC-3 2 4
PR.AC-4 2 4
PR.AC-5 2 4
PR.AC-6 2 4
PR.AC-7 2 4
 As Is To Be
PR.AT-1 2 4
PR.AT-2 2 4
PR.AT-3 2 4
PR.AT-4 2 4
PR.AT-5 2 4
As Is To Be
PR-DS.1 2 4
PR-DS.2 2 4
PR-DS.3 2 4
PR-DS.4 2 4
PR-DS.5 2 4
PR-DS.6 2 4
PR-DS.7 2 4
PR-DS.8 2 4
As Is To Be
PR.IP-1 2 4
PR.IP-2 2 4
PR.IP-3 2 4
PR.IP-4 2 4
PR.IP-5 2 4
PR.IP-6 2 4
PR.IP-7 2 4
PR.IP-8 2 4
PR.IP-9 2 4
PR.IP-10 2 4
PR.IP-11 2 4
PR.IP-12 2 4
As Is To Be
PR.MA-1 2 4
PR.MA-2 2 4
As Is To Be
PR.PT-1 2 4
PR.PT-2 2 4
PR.PT-3 2 4
PR.PT-4 2 4
PR.PT-5 2 4
 DETECT
DE.AE-1
DE.AE-2
DE.DP-5 4

DE.DP-4

DE.DP-3 2

DE.DP-2
0

DE.DP-1

DE.CM-8

DE.CM-7 DE
DE.CM-6 DE.CM-5

Detect: Functional Area summary (note: this table will update automatically based on the
Category
Anomalies and Events (DE.AE) - Average
Security Continuous Monitoring (DE.CM) - Average
Detection Processes (DE.DP) - Average

Detect: Self-scoring worksheet (note: enter an "as is" and "to be" score, from 0 to 5, in co
Anomalies and Events
DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and mana
DE.AE-2: Detected events are analyzed to understand attack targets and methods
DE.AE-3: Event data are collected and correlated from multiple sources and sensors
DE.AE-4: Impact of events is determined
DE.AE-5: Incident alert thresholds are established
Continous Monitoring
DE.CM-1: The network is monitored to detect potential cybersecurity events
DE.CM-2: The physical environment is monitored to detect potential cybersecurity events
DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
DE.CM-4: Malicious code is detected
DE.CM-5: Unauthorized mobile code is detected
DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
DE.CM-8: Vulnerability scans are performed
Detection Process
DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability
DE.DP-2: Detection activities comply with all applicable requirements
DE.DP-3: Detection processes are tested
DE.DP-4: Event detection information is communicated to appropriate parties
DE.DP-5: Detection processes are continuously improved
 5

M-1

o be" scores you enter on rows 34 to 53 below)

Name As Is To Be
Anomalies and Events 2 4
Continuous Monitoring 2 4
Detection Processes 2 4

E for all of the cells that are shaded light green)

As Is To Be
DE.AE-1 2 4
DE.AE-2 2 4
DE.AE-3 2 4
DE.AE-4 2 4
DE.AE-5 2 4
As Is To Be
DE.CM-1 2 4
DE.CM-2 2 4
DE.CM-3 2 4
DE.CM-4 2 4
DE.CM-5 2 4
DE.CM-6 2 4
DE.CM-7 2 4
DE.CM-8 2 4
As Is To Be
DE.DP-1 2 4
DE.DP-2 2 4
DE.DP-3 2 4
DE.DP-4 2 4
DE.DP-5 2 4
 RESPOND
RS.RP-1

RS.IM-2 4

RS.IM-1

RS.MI-3
0

RS.MI-2

RS.MI-1

RS.AN-5
RS.AN-4 RS.AN-3

Respond: Functional Area summary (note: this table will update automatically based on
Category
Response Planning (RS.RP) - Average
Communications (RS.CO) - Average
Analysis (RS.AN) - Average
Mitigation (RS.MI) - Average
Improvements (RS.IM) - Average

Respond: Self-scoring worksheet (note: enter an "as is" and "to be" score, from 0 to 5, in
Response Planning
RS.RP-1: Response plan is executed during or after an incident
Communications
RS.CO-1: Personnel know their roles and order of operations when a response is needed
RS.CO-2: Incidents are reported consistent with established criteria
RS.CO-3: Information is shared consistent with response plans
RS.CO-4: Coordination with stakeholders occurs consistent with response plans
RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situation
Analysis
RS.AN-1: Notifications from detection systems are investigated
RS.AN-2: The impact of the incident is understood
RS.AN-3: Forensics are performed
RS.AN-4: Incidents are categorized consistent with response plans
RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization
(e.g. internal testing, security bulletins, or security researchers)
Mitigation
RS.MI-1: Incidents are contained
RS.MI-2: Incidents are mitigated
RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks
Improvements
RS.IM-1: Response plans incorporate lessons learned
RS.IM-2: Response strategies are updated
scores you enter on rows 36 to 55 below)
Name As Is To Be
Response Planning 0 4
Communications 1.2 4
Analysis 2 4
Mitigation 2 4
Improvements 2 4

ll of the cells that are shaded light green)

As Is To Be
RS.RP-1 0 4
As Is To Be
RS.CO-1 2 4
RS.CO-2 0 4
RS.CO-3 2 4
RS.CO-4 0 4
RS.CO-5 2 4
As Is To Be
RS.AN-1 2 4
RS.AN-2 2 4
RS.AN-3 2 4
RS.AN-4 2 4

2 4
RS.AN-5
As Is To Be
RS.MI-1 2 4
RS.MI-2 2 4
RS.MI-3 2 4
As Is To Be
RS.IM-1 2 4
RS.IM-2 2 4
 RECOVER
RC.RP-1

RC.CO-3

RC.CO-2

RC.CO-1

Recover: Functional Area summary (note: this table will update automatically based on t
Category
Recovery Planning (RC.RP) - Average
Improvements (RC.IM) - Average
Communications (RC.CO) - Average

Recover: Self-scoring worksheet (note: enter an "as is" and "to be" score, from 0 to 5, in
Recovery Planning
RC.RP-1: Recovery plan is executed during or after a cybersecurity incident
Improvements
RC.IM-1: Recovery plans incorporate lessons learned
RC.IM-2: Recovery strategies are updated
Communications
RC.CO-1: Public relations are managed
RC.CO-2: Reputation after an event is repaired
RC.CO-3: Recovery activities are communicated to internal stakeholders and executive and management teams
 RC.IM-1

.IM-2

nd "to be" scores you enter on rows 33 to 40 below)

Name As Is To Be
Recovery Planning 2 4
Improvements 2 4
Communications 2 4

and E for all of the cells that are shaded light green)
As Is To Be
RC.RP-1 2 4
As Is To Be
RC.IM-1 2 4
RC.IM-2 2 4
As Is To Be
RC.CO-1 2 4
RC.CO-2 2 4
RC.CO-3 2 4
 As-Is To-Be Q1 Q2 Q3
Identify
Asset Mgmt 2 4
Bus. Environment 2 4
Governance 2 4
Risk Assessment 2 4
Risk Mgmt. Strategy 2 4
Supply Chain RM 2 4
Protect
Identity Mgt 2 4
Awareness and Training 2 4
Data Security 2 4
Info Protection 2 4
Maintence 2 4
Protective Tech 2 4
Detect
Anomalies and Events 2 4
Continuous Monitoring 2 4
Detection Processes 2 4
Respond
Response Planning 0 4
Communications 1.2 4
Analysis 2 4
Mitigation 2 4
Improvements 2 4
Recover
Recovery Planning 2 4
Improvements 2 4
Communications 2 4
Identify
Q4