NIST Cybersecurity Framework 2.0 Assessment

Evaluate cybersecurity maturity using the six NIST CSF 2.0 core functions: Govern, Identify, Protect, Detect, Respond, and Recover. Designed for all sectors, including healthcare and critical infrastructure.

Sectors: Healthcare, Biotech, Finance, Technology, All
Duration: 20 minutes
Length: 20 questions

1. Govern (GV)

Has executive leadership established cybersecurity governance roles and responsibilities?*

GV.OC: Organizational cybersecurity risk management strategy owned by leadership

Do you maintain a cybersecurity policy approved by executive leadership?*

GV.PO: Policies establish expectations and requirements for security

Is cybersecurity risk integrated into enterprise risk management (ERM)?*

GV.RM: Cyber risk prioritized alongside operational, financial, strategic risks

Do you have a supply chain risk management (SCRM) program for vendors and third parties?*

GV.SC: Third-party cyber risks assessed and managed

2. Identify (ID)

Have you inventoried all assets (hardware, software, data, systems)?*

ID.AM: Asset inventory enables risk-based security decisions

Is sensitive data classified and mapped across systems?*

ID.AM: Understand where PHI, PII, and intellectual property reside

Do you perform vulnerability assessments and penetration testing regularly?*

ID.RA: Identify vulnerabilities before adversaries exploit them

Are cybersecurity threats and threat intelligence monitored?*

ID.RA: Understand evolving threat landscape (ransomware, phishing, APTs)

3. Protect (PR)

Is access control enforced with least privilege and multi-factor authentication (MFA)?*

PR.AC: Limit access to authorized users, devices, and processes

Is data encrypted at rest and in transit per industry standards?*

PR.DS: AES-256 for data at rest, TLS 1.2+ for data in transit

Are security awareness training and phishing simulations conducted for all staff?*

PR.AT: Human firewall - employees trained on threats and safe practices

Are systems patched and updated on a defined schedule?*

PR.IP: Vulnerability management - timely patching prevents exploitation

4. Detect (DE)

Do you have continuous monitoring for security events and anomalies?*

DE.CM: SIEM, IDS/IPS, endpoint detection and response (EDR)

Are security logs collected, retained, and reviewed regularly?*

DE.CM: Centralized logging enables incident investigation and forensics

Do you perform regular malware scanning and behavioral analysis?*

DE.CM: Detect malicious code, ransomware, insider threats

5. Respond (RS)

Do you have an incident response plan with defined roles and procedures?*

RS.MA: IR plan covers detection, containment, eradication, recovery

Is the incident response plan tested with tabletop exercises or simulations?*

RS.MA: Test IR readiness annually (ransomware, breach scenarios)

Are communication procedures established for breach notification and disclosure?*

RS.CO: Legal, regulatory, customer notification per HIPAA/GDPR timelines

6. Recover (RC)

Do you maintain backups with tested restoration procedures?*

RC.RP: 3-2-1 backup rule - immutable backups prevent ransomware destruction

Is there a business continuity/disaster recovery (BC/DR) plan?*

RC.RP: RTOs and RPOs defined for critical systems and operations
