This NIST CSF questionnaire template will help you gauge how closely each vendor aligns with the five high-level functions of the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover. Although this assessment only offers a surface-level view of compliance, it is sufficient for getting a sense of a prospective vendor's security posture, especially when coupled with an external attack surface scanning solution.

For a more comprehensive evaluation of NIST CSF compliance, UpGuard offers a NIST Cybersecurity Framework questionnaire that automatically highlights specific compliance gaps based on responses.

To use this template in your VRM program, download it as an editable PDF.

Identify

[ID:AM] Asset Management

Description: The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.

Do you have a policy for inventorying information system components?

  • Yes
  • No
  • Comments

Can you provide documentation outlining this policy?

  • Yes
  • No
  • Comments

Do you have a process for tracking the inventory of physical devices?

  • Yes
  • No
  • Comments

How do you ensure your information system inventory is always up-to-date?

  • Comments

Do you have automation mechanisms for keeping your physical inventory up-to-date?

  • Yes
  • No
  • Comments

Do you have an Information Security policy for keeping an up-to-date inventory of all Information Technology assets, such as SaaS solutions, cloud software, and applications?

  • Yes
  • No
  • Comments

Can you provide evidence of your policy for inventorying applications, software platforms, and cloud solutions?

  • Yes
  • No
  • Comments

Does your information system follow security best practices by limiting application access to the minimum level required to fulfill operational needs?

  • Yes
  • No
  • Comments

Do you have security standards in place to support the following actions: identification of unauthorized software, enforcement of a 'deny-all, permit by exception' policy for software execution, and maintenance of an updated list of unauthorized software?

  • Yes
  • No
  • Comments

Has your organization classified its information and information systems in accordance with FIPS 199/200 and NIST SP 800-53 guidelines?

  • Yes
  • No
  • Comments

Do you have a policy outlining and explaining your information system categorization processes?

  • Yes
  • No
  • Comments

Can you provide documentation specifically outlining your methods for categorizing mission-critical systems that require critical security controls? Can you also provide supporting documentation for a 'Moderate' classification?

Is your recorded system categorization across all information systems in line with FIPS 199 standards? Please provide evidence where possible.

  • Yes
  • No
  • Comments

Have your security categorization methods (as defined by FIPS 199) been reviewed by an official party?

  • Yes
  • No
  • Comments

Are all third-party vendors with access to your systems aligned with the standards of NIST CSF? Can you provide evidence of their vendor security standards?

  • Yes
  • No
  • Comments

Do you confirm NIST CSF alignment during the due diligence phase of your Third-Party Risk Management program?

  • Yes
  • No
  • Comments

Do you have response plans in place for responding to data breaches, supply chain risks and cloud security exposures in line with the standards of the National Institute of Standards and Technology (NIST)?

  • Yes
  • No
  • Comments

Do you have an internal cyber threat awareness program equipping staff to avoid common cyber attack tactics? Do you track the efficacy of these programs with self-assessments?

  • Yes
  • No
  • Comments

Do you regularly review response plans and inventory policies in line with emerging cyber threats and changing industry standards?

  • Yes
  • No
  • Comments

Do you have a policy in place for ensuring hardware and software assets are repurposed and disposed of in line with NIST standards?

  • Yes
  • No
  • Comments

[ID:BE] Business Environment

Description: The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

Do you have a Business Impact Analysis (BIA) and a Test Recovery Plan (TRP) in place?

  • Yes
  • No
  • Comments

Do you perform a Business Impact Analysis (BIA) annually?

  • Yes
  • No
  • Comments

Have you developed a Test Recovery Plan (TRP) based on the insights of your Business Impact Analysis (BIA)?

  • Yes
  • No
  • Comments

How do you ensure BIAs and TRPs align with the standards of NIST CSF?

  • Comments

Do you have a process for identifying critical assets that are key to business operations and objectives?

  • Yes
  • No
  • Comments

Do you regularly test the efficacy of disaster recovery and incident response plans?

  • Yes
  • No
  • Comments

Could you provide the results of these tests?

  • Yes
  • No
  • Comments

Do you involve third-party vendors in BIA processes?

  • Yes
  • No
  • Comments

Do you involve third-party vendors in TRP testing to ensure end-to-end security of your information systems?

  • Yes
  • No
  • Comments

[ID:GV] Governance

Description: The policies, procedures, and processes to manage and monitor the entity’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.

Do you perform security assessments, such as Privacy Impact Assessments (PIAs), across all systems at risk of compromising customer privacy?

  • Yes
  • No
  • Comments

Have you completed PIA security questionnaires across all activities potentially posing a risk to privacy?

  • Yes
  • No
  • Comments

Do you perform security assessments to measure alignment with data security regulations like GDPR, PCI DSS, HIPAA, etc.?

  • Yes
  • No
  • Comments

Do you send vendor questionnaires to assess compliance with data security regulations or with standards like ISO 27001, SOC 2, etc.?

  • Yes
  • No
  • Comments

Can you provide documentation of your company-wide privacy program and evidence that it is sufficiently resourced?

  • Yes
  • No
  • Comments

Do you have a process ensuring your privacy plans and policies are regularly updated?

  • Yes
  • No
  • Comments

Do you only permit certain individuals to publish content on public-facing information systems?

  • Yes
  • No
  • Comments

How often does your company review its internal risk management and third-party risk management policies?

  • Comments

What are your Key Performance Indicators (KPIs) for tracking the efficacy of your risk management and information security programs?

  • Comments

[ID:RA] Risk Assessment

Description: The entity understands the cybersecurity risk to entity operations (including mission, functions, image, or reputation), entity assets, and individuals.

Can you provide evidence of your vulnerability detection and risk management programs?

  • Yes
  • No
  • Comments

Do you perform attack surface monitoring scans to identify internal and third-party security risks? If so, how often are these scans performed?

  • Yes
  • No
  • Comments

Can you provide attack surface scan results for the previous two months or more?

  • Yes
  • No
  • Comments

Have you measured your risk exposure against the California Cybersecurity Vulnerability Metric (CCVM)?

  • Yes
  • No
  • Comments

Have you achieved a score of “Moderate” or lower on the CCVM?

  • Yes
  • No
  • Comments

Do you assess vendor security postures with risk assessment questionnaires? If so, what types of questionnaires do you use (SIG Lite, CIS, etc.)?

  • Yes
  • No
  • Comments

How regularly do you perform vendor risk assessments?

  • Comments

How do you determine which internal and third-party security risks need to be prioritized in remediation efforts?

  • Comments

How often is your vulnerability management program updated?

  • Comments

What is your process for feeding newly discovered vulnerabilities into risk management programs?

  • Comments

Protect

[PR:AC] Access Control

Description: Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.

Can you provide information about your access control policy? Has it been shared with all employees?

  • Yes
  • No
  • Comments

What procedures do you have in place to enforce your access control policies?

  • Comments

Do you have a password management system in place? Does it enforce the use of uppercase and lowercase letters, numerals and special characters?

  • Yes
  • No
  • Comments

Do you regularly perform penetration testing on your information system components?

  • Yes
  • No
  • Comments

Have your information systems been exposed to red team penetration testing mimicking real breach attempt tactics (including account compromise)?

  • Yes
  • No
  • Comments

Do you test the resilience of physical security controls with penetration testing focused on social engineering tactics?

  • Yes
  • No
  • Comments

Have you implemented the principle of least privilege for all users, including external contractors?

  • Yes
  • No
  • Comments

Do you have separate accounts for general access and privileged users?

  • Yes
  • No
  • Comments

Within the security boundary, does your organization use automated tools to manage information system accounts, which includes auditing account creation, modification, enabling, disabling, and removal actions? Can you provide a matrix or spreadsheet identifying different account types, assigned users, and approving managers?

  • Yes
  • No
  • Comments

What is your policy for disabling accounts after inactivity?

  • Comments

What is your policy for removing employee access to information systems after dismissal / voluntary departure?

  • Comments

What is your policy for removing third-party access to information systems after dismissal / voluntary departure?

  • Comments

Do you have a zero-trust architecture implemented?

  • Yes
  • No
  • Comments

What IT boundary controls do you have in place (for example, firewalls)?

  • Comments

Have you implemented a role-based access control (RBAC) strategy?

  • Yes
  • No
  • Comments

Do you implement encryption technologies to protect sensitive information at rest and in transit?

  • Yes
  • No
  • Comments

What policy do you have in place for isolating network regions compromised in a cyber attack?

  • Comments

Do you have a business continuity plan in place and is it kept up-to-date?

  • Yes
  • No
  • Comments

[PR:AT] Awareness and Training

Description: The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.

Has your threat awareness training policy been shared with all stakeholders?

  • Yes
  • No
  • Comments

Do you confirm the efficacy of awareness training with simulated phishing attacks?

  • Yes
  • No
  • Comments

Do you offer generic and role-specific threat awareness training?

  • Yes
  • No
  • Comments

Do you retain evidence of threat awareness training events for a minimum of one year?

  • Yes
  • No
  • Comments

Can you provide evidence that at least 80% of users requiring role-specific cyber threat awareness have completed their training?

  • Yes
  • No
  • Comments

Do you ensure threat awareness training is provided to new employees within 30 days of their start date?

  • Yes
  • No
  • Comments

[PR:DS] Data Security

Description: Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.

What are your methods for ensuring the security of data at rest and in transit?

  • Comments

What encryption technology do you use for data at rest and in transit?

  • Comments

What are your policies for managing cryptographic keys?

  • Comments

What are your encryption policies for non-mobile assets requiring sensitive data access?

  • Comments

If you use an encryption method for securing mobile devices, does it comply with FIPS 140-2?

  • Yes
  • No
  • Comments

What methodology do you use for analyzing encrypted network traffic?

  • Comments

How often are your encryption policies reviewed and updated?

  • Comments

Do you keep a record of the current baseline configuration of your data security systems?

  • Yes
  • No
  • Comments

How do you manage your encryption key lifecycle?

  • Comments

Does your incident response plan address breaches of your cryptographic system?

  • Yes
  • No
  • Comments

Does your data protection strategy extend to cloud storage and other third-party data storage solutions?

  • Yes
  • No
  • Comments

[PR:IP] Information Protection Processes and Procedures

Description: Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage the protection of information systems and assets.

Do you have configuration baselines for workstations and servers?

  • Yes
  • No
  • Comments

Does this baseline have a compliance score between 50% and 75%, as per an approved SCAP template like USGCB or STIG?

  • Yes
  • No
  • Comments

What is your policy for change management?

  • Comments

How do you address non-compliant configurations discovered from risk assessments?

  • Comments

How do you ensure the continued efficacy of configuration controls?

  • Comments

How often do you review your physical and environmental protection policies?

  • Comments

What is your process for identifying control gaps against physical and environmental protection policies?

  • Comments

Detect

[DE:AE] Anomalies and Events

Description: Anomalous activity is detected in a timely manner, and the potential impact of events is understood.

Do you track the following events: successful/failed logins, data views, updates, deletions, data access modifications, and user account deletions?

  • Yes
  • No
  • Comments

In the event of an audit process failure, what is your alert issuing policy?

  • Comments

Do you use automation technology to streamline audit reviews and analysis?

  • Yes
  • No
  • Comments

Who receives audit reports following a review (e.g., security manager, CISO, etc.)?

  • Comments

What is your policy for keeping audit policies up-to-date?

  • Comments

What security measures do you have in place for protecting audit logs from unauthorized access and modification?

  • Comments

Is audit data used to continuously improve security measures and risk management strategies?

  • Yes
  • No
  • Comments

What is your policy for reporting data breaches and security incidents in a timely manner?

  • Comments

[DE:CM] Security Continuous Monitoring

Description: The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.

Can you provide details of your IT network defense strategies?

  • Yes
  • No
  • Comments

Can you include a network diagram illustrating network security strategies?

  • Yes
  • No
  • Comments

Do you use automated tools for continuous monitoring? If so, please provide details.

  • Yes
  • No
  • Comments

Do you monitor all communications across your IT boundary?

  • Yes
  • No
  • Comments

Do you continuously monitor your vendor network for emerging security risks?

  • Yes
  • No
  • Comments

Do you prioritize any specific events or transactions in your monitoring efforts?

  • Yes
  • No
  • Comments

What is your process for discovering indicators of compromise and indicators of attacks?

  • Comments

Do you have any anti-malware solutions in place?

  • Yes
  • No
  • Comments

What security controls do you have in place for mitigating malicious code injections?

  • Comments

What is your process for promptly alerting staff to new and live cyber threats?

  • Yes
  • No
  • Comments

[DE:DP] Detection Processes

Description: Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.

Have you assigned roles and responsibilities within information security strategies?

  • Yes
  • No
  • Comments

How often are these roles and responsibilities reviewed and updated?

  • Comments

Please provide information regarding your escalation protocols when executive-level decision-making is required.

  • Yes
  • No
  • Comments

Do you share pertinent event metadata with Cal-CSIC or other appropriate coordinating bodies?

  • Yes
  • No
  • Comments

How do you ensure any shared metadata does not violate privacy regulations?

  • Comments

Respond

[RS:RP] Response Planning

Description: Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.

Do you have an incident response plan in place?

  • Yes
  • No
  • Comments

How does your incident response plan fit with your overall business continuity and disaster recovery plans?

  • Comments

How often is the IRP tested?

  • Comments

Do you keep a record of response times for each IRP test?

  • Yes
  • No
  • Comments

What is your process for feeding lessons learned into IRP update processes?

  • Comments

Can you detect a phishing threat and notify your cybersecurity teams within 60 minutes of detection?

  • Yes
  • No
  • Comments

What is your average response time to phishing threats and other data breach risks?

  • Comments

Does your IRP include flowcharts to simplify process understanding?

  • Yes
  • No
  • Comments

Does your IRP account for incidents occurring outside of business hours?

  • Yes
  • No
  • Comments

Do you have a dedicated incident response team or is this effort outsourced to a third party?

  • Comments

Recover

[RC:RP] Recovery Planning

Description: Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.

Do you have a plan in place for removing information systems compromised in a cyberattack?

  • Yes
  • No
  • Comments

How often is this plan tested?

  • Comments

What is your average timeframe for a complete system recovery, such as during a ransomware attack?

  • Comments

Do you have a dedicated system recovery team or is this effort outsourced?

  • Yes
  • No
  • Comments

What is your policy for reviewing the roles and responsibilities of your recovery plans?

  • Comments

How do you keep stakeholders informed of your recovery efforts?

  • Comments

How does your recovery plan align with your incident response and business continuity plans?

  • Comments

How do you verify the success of recovery efforts and integrity of replaced data?

  • Comments

[RC:IM] Improvements

Description: Recovery planning and processes are improved by incorporating lessons learned into future activities.

Do you discuss key learnings from response efforts following a real or simulated cyber event?

  • Yes
  • No
  • Comments

What is your process for incorporating these key learnings into incident response, recovery, and business continuity plans?

  • Comments

Are stakeholders involved in key learning discussions?

  • Comments

What is your process for updating threat awareness training (general and role-based) based on key learning insights?

  • Comments

Can you provide an example of a lesson learned that was used to improve the resilience of a mission-critical system?

  • Yes
  • No
  • Comments

How is the efficacy of lessons learned tested?

  • Comments

[RC:CO] Communications

Description: Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.

How do you ensure your stakeholders are kept informed of your risk management efforts?

  • Comments

How do you manage communications between your security teams and third-party vendors, especially in the area of Vendor Risk Management?

  • Comments

How do you communicate with external parties during the recovery phase of a cyber attack?

  • Comments

What is your process for engaging with vendors that have fallen victim to a data breach?

  • Comments

How do you ensure the reliability of all communication channels during the recovery phase of a security event?

  • Comments

How do you handle communications with law enforcement or regulatory bodies during the recovery process?

  • Comments

Can you provide an example of when communicating with a third-party vendor or other external party aided your recovery efforts?

  • Yes
  • No
  • Comments

How do you ensure efficient communications with vendors to streamline risk assessment processes?

  • Comments
