Template: NIST CSF Questionnaire

Download this template to track your vendor's compliance against NIST CSF.

Download Now

This NIST CSF questionnaire template will help you understand the degree of each vendor’s alignment with the high-level function of the NIST CSF framework - Identity, Protect, Detect, Respond, and Recover. Though this assessment only offers a superficial understanding of compliance, it’s sufficient for getting a sense of a prospective vendor’s security posture, especially when coupled with an external attack surface scanning solution.

For a more comprehensive evaluation of NIST CSF compliance, UpGuard offers a NIST Cybersecurity Framework questionnaire that automatically highlights specific compliance gaps based on responses.

Learn how UpGuard streamlines Vendor Risk Management >

To use this template in your VRM program, download it as an editable PDF.

Download Template >

Identity

[ID:AM] Asset Management

Description: The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.

Do you have a policy for inventorizing information system components?

  • Yes
  • No
  • Comments

Can you provide documentation outlining this policy?

  • Yes
  • No
  • Comments

Do you have a proces for tracking inventory of physical devices?

  • Yes
  • No
  • Comments

How do you ensure your information system inventory is always up-to-date?

  • Comments

Do you automatoin mechanisms for keeping your physical inventory up-to-date?

  • Yes
  • No
  • Comments

Learn how to choose a NIST CSF compliance product >

Do you haven Information Security policy for keeping an up-to-date inventory of all Information Technology devices, such as SaaS solutions, cloud software, and applications?

  • Yes
  • No
  • Comments

Can you provide evidence of your policy for inventorizing applications, software platforms and cloud solutions?

  • Yes
  • No
  • Comments

Does your information system follow best security practices in terms of limiting application access to minimal level required to fulfill operational needs?

  • Yes
  • No
  • Comments

Do you have security standards in place to support the following actions -  Identification of unauthorized software, enforcement of a 'deny-all, permit by exception' policy for software execution, and maintenance of an updated list of unauthorized software?

  • Yes
  • No
  • Comments

Learn what's different in NIST CSF 2.0 >

Has your organization classified its information and information system in accordance with FIPS 199-200 and NIST 800-53 guidelines?

  • Yes
  • No
  • Comments

Do you have a policy outlining and explaining your informatoin system categorization processes?

  • Yes
  • No
  • Comments

Can you provide documentation specifically outlining your methods for categorizing mission-critical systems requiring critical security controls? Also, can you provide supporting documentation for a ‘Moderate’ classification?

Learn more about the importance of vendor tiering in risk assessment processes >

Is your recorded system categorization across all information systems, in line with FIPS 199 standards? Please provide evidence where possible.

  • Yes
  • No
  • Comments

Has your security categorization methods (as defined bt FIPS 199) been reviewed by an official party?

  • Yes
  • No
  • Comments

Do all third-party vendors with access to your systems aligned with the standards of NIST CSF? Can you provide evidence of their vendor security standards?

  • Yes
  • No
  • Comments

Do you confirm NIST CSF aligment during the due diligence phase of your Third-Party Risk Management program?

  • Yes
  • No
  • Comments

Do you have response plans in place for responding to data breaches, supply chain risks and cloud security exposures in line with the standards of the National Institute of Standards and Technology (NIST)?

  • Yes
  • No
  • Comments

Learn how to prevent data breaches >

Do you have an intenral cyber threat awareness program equipping staff to avoid common cyber attack tactics? Do you track the efficacy of these programs with self assessments?

  • Yes
  • No
  • Comments

Do you regularly review respond plans and inventory policies in line with emerging cyber threats and changing industry standards?

  • Yes
  • No
  • Comments

Do you have policy in place for ensureing hardware and software assets are repurposes and disposed in line with the standards of NIST?

  • Yes
  • No
  • Comments

[ID:BE] Business Environment

Description: The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

Use this free NIST CSF risk assessment template to verify your vendors' alignment with NIST CSF standards.

Do you have a Business Impact Analysis (BIA) and a Test Recovery Plan (TRP) in place?

  • Yes
  • No
  • Comments

Do you perform a Business Impact Analysis (BIA) annually?

  • Yes
  • No
  • Comments

Have you developed a Test Recovery Plan (TRP) based on the insights of your Business Impact Analysis (BIA)?

  • Yes
  • No
  • Comments

How to you ensure BIAs and TRPs align with the standards of NIST CSF?

  • Comments

Do you have process for identifying critical assets that are key to business operations and objectives?

  • Yes
  • No
  • Comments

Do you regularity test the efficacy of disaster recovery and incident response plans?

  • Yes
  • No
  • Comments

Could you provide the results of these tests?

  • Yes
  • No
  • Comments

Do you involve third-party vendors in BIA processes?

  • Yes
  • No
  • Comments

Do you involve third-party vendors in TRP testing to ensure end-to-end security of information system?

  • Yes
  • No
  • Comments

[ID:GV] Governance

Description: The policies, procedures, and processes to manage and monitor the entity’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.

Do you perform security assessments across all systems at risk of compromising custeomr privacy, for example, Privacy Impact Assessments (PIAs)?

  • Yes
  • No
  • Comments

Have you completed PIA security questionnaires across all activities potentially posing a risk to privacy?

  • Yes
  • No
  • Comments

Do perform security assessments to measure aligment wth data security regulations,like GDPR, PCI DSS, HIPAA, etc?

  • Yes
  • No
  • Comments

Do you send vendor questionnaires to assess data security regulation compliance or compliance with standards like ISO 27001, SOC 2, etc. ?

  • Yes
  • No
  • Comments

Learn how to choose security questionnaire automation software >

Can you provide documentation of your company-wide privacy program and evidence that it is sufficiently resourced?

  • Yes
  • No
  • Comments

Do you have a process ensuring your privacy plans and policies are regularly updated?

  • Yes
  • No
  • Comments

Do only permit certain individuals to publish content on public-facing information systems?

  • Yes
  • No
  • Comments

How often does your company review its internal risk management and third-party risk management policies?

  • Comment

What are your Key Performance Indicators (KPIs) for tracking the efficacy of your risk management and information security programs?

  • Comment

[ID:RA] Risk Assessment

Description: The entity understands the cybersecurity risk to entity operations (including mission, functions, image, or reputation), entity assets, and individuals.

Learn how UpGuard streamlines vendor risk assessments >

Can you provide evidence of your vulnerability detection, and risk management programs?

  • Yes
  • No
  • Comments

Do you perform attack surface monitoring scans to identify internal and third-party security risks? If so, how often are these scans performed?

  • Yes
  • No
  • Comments

Can you provide attack surface scans results for the pervious two months or more?

  • Yes
  • No
  • Comments

Have you measured your risk exposure agaisnt the California Cybersecurity Vulnerability Metric (CCVM)?

  • Yes
  • No
  • Comments

Have you achieved a score of “Moderate” or lower on the CCVM?

  • Yes
  • No
  • Comments

Do you assess vendor security postures with risk assessment questionnaires? If so, why types of questionnaires do you use (SIG LIte, CIS, etc.)

  • Yes
  • No
  • Comments

Learn about UpGuard’s questionnaires >

How regularly do you perform vendor risk assessments?

  • Comments

How do you determing which internal and third-party security risks needs to be prioritized in remediation efforts?

  • Comments.

How often is your vulnerability management program updated?

  • Comments.

What is your process for feeding newly discovered vulnerabilities into risk management programs?

  • Comments.

Protect

[PR:AC] Access Control

Description: Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.

Can you provide information about your access control policy? Has it been shared with all of employees?

  • Yes
  • No
  • Comments

What procedures do you have in place to enforce your access control policies?

  • Comments

Do you have a password management system in place? Does it enforce the use of uppercase and lowercase letters, numerals and special characters?

  • Yes
  • No
  • Comments

Do you regularly perform penetration testing on your information system comments?

  • Yes
  • No
  • Comments

Have your information systems been exposed to red team penetration testing mimicking real breach attempt tactics (including account compromise)?

  • Yes
  • No
  • Comments

Do you test the resilience of physical security controls with penetration testing focued on social engineering tactics?

  • Yes
  • No
  • Comments

Have you implemented the least privileged principle for all users, including external contractors?

  • Yes
  • No
  • Comments

Do you have separate accounts for general access and privileged users?

  • Yes
  • No
  • Comments

Within the security boundary, does your organization use automated tools to manage information system accounts, which includes auditing account creation, modification, enabling, disabling, and removal actions? Can you provide a matrix or spreadsheet identifying different account types, assigned users, and approving managers?

  • Yes
  • No
  • Comments

What is your policy for disabling accounts after inactivity?

  • Comments

What is your policy for removing employee access to information systems after dismissal / voluntary departure?

  • Comments

What is your policy for removing third-party access to information systems after dismissal / voluntary departure?

  • Comments

Do you have a zero-trust architecture implemented?

  • Yes
  • No
  • Comments

What IT boundary controls do you have in place (for example, firewalls, etc)

  • Comments

Have you implemented a role-based access control (RBAC) strategy?

  • Yes
  • No
  • Comments

Do you implement encryption technologies protecting sensitive information in static and transit forms?

  • Yes
  • No
  • Comments

What policy do you have in place for isolating network regions compromised in a cyber attack?

  • Comments

Do you have a business continuity plan in place and is it kept up-to-date?

  • Yes
  • No
  • Comments

[PR:AT] Awareness and Training

Description: The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.

Has your threat awareness training policy been shared with all stakeholders?

  • Yes
  • No
  • Comments

Do you confirm  the efficacy of awareness training with simulated phishing attacks?

  • Yes
  • No
  • Comments

Do you offer generic and role-specific threat awareness training?

  • Yes
  • No
  • Comments

Do you retain evidence of threat awareness training events for a minimum of one year?

  • Yes
  • No
  • Comments

Can you provide evidence that at least 80% of users requiring role-specific cyber threat awareness have completed their training?

  • Yes
  • No
  • Comments

Do you ensure threat awareness training is provided to new employees within 30 days of their start date?

  • Yes
  • No
  • Comments

[PR:DS] Data Security

Description: Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.

What are your methods for ensuring the security of data at rest and in transit?

  • Comments

What encryption technology do you use for data at rest and in transit?

  • Comments

What are your policies for managing cryptographic keys?

  • Comments

What are your encryption policies for non-mobile assets requiring sensitive data access?

  • Comments

If you use an encryption method for securing mobile devices, does it comply with FIPS 140-2?

  • Yes
  • No
  • Comments

Learn about FIPS 140-3 >

What methodology do you use for analyzing encrypted network traffic?

  • Comment

How often are your encryption policies reviewed and updated?

  • Comment

Do you keep a record of the current baseline configuration of your data security systems?

  • Yes
  • No
  • Comments

How do you manage your encryption key lifecycle?

  • Comments

Does your incident response plan address breaches of your cryptographic system?

  • Yes
  • No
  • Comments

Does your data protection strategy extend to cloud storage and other third-party data storage solutions?

  • Yes
  • No
  • Comments

[PR:IP] Information Protection Processes and Procedures

Description: Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage the protection of information systems and assets.

Do you have configuration baselines for workstations and servers?

  • Yes
  • No
  • Comments

Does this baseline have a compliance score between 50% and 75%, as per an approved SCAP template like USGCB or STIG?

  • Yes
  • No
  • Comments

What is your police for change management?

  • Comments

How do you address non-compliant configurations discovered from risk assessments?

  • Comments

How do you ensure the continued efficacy of configuration controls?

  • Comments

How ofter do you review your physical and environmental protection policies?

  • Comments

What is your process for identifying control gaps against physical and environmental protection policies?

  • Comments

Detect

[DE:AE] Anomalies and Events

Description: Anomalous activity is detected in a timely manner, and the potential impact of events is understood.

Do you track the following events - successful/failed logins, data views, updates, deletions, data access modification, user account deletions>

  • Yes
  • No
  • Comments

In the event of an audit process failure, what is your alert issuing policy?

  • Comments

Do you use automation technology to streamline audit reviews and analysis?

  • Yes
  • No
  • Comments

Who is provided audit reports following a review (i.e., security manager, CISO, etc.)?

  • Comments

What is your policy for keeping audit policies up-to-date?

  • Comments

What security measures do you have in place for protecting audit logs from unauthorized access and modification?

  • Comments

Is audit data used to continuously improve security measures and risk management strategies?

  • Yes
  • No
  • Comments

What is your policy for reporting data breaches and security incidents in a timely manner?

  • Comments

[DT:CM] Security Continuous Monitoring

Description: The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.

Can you provide details of your IT network defense strategies?

  • Yes
  • No
  • Comments

Can you include a network diagram illustrating network security strategies?

  • Yes
  • No
  • Comments

Do you use automated tools for continuous monitoring? If so, please provide details.

  • Yes
  • No
  • Comments

Do you monitor all communications across your IT boundary?

  • Yes
  • No
  • Comments

Do you continuously monitor your vendor network for emerging security risks?

  • Yes
  • No
  • Comments

Do you prioritize any specific events or transactions in your monitoring efforts?

  • Yes
  • No
  • Comments

What is your process for discovering indicators of compromise and indicators of attacks?

  • Comments

Do you have any anti-malware solutions in place?

  • Yes
  • No
  • Comments

What security controls fo you have in place for mitigating malicious code injections?

  • Comments

What is your process for promptly alerting staff to new and live cyber threats?

  • Yes
  • No
  • Comments

[DT:DP] Detection Processes

Description: Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.

Have you assigned roles and responsibilities within information security strategies?

  • Yes
  • No
  • Comments

How often are these roles and responsibilities reviewed and updated?

  • Comments

Please provide information regarding your escalation protocols when executive-level decision-making is required.

  • Yes
  • No
  • Comments

Do you share pertinent event metadata with Cal-CSIC or other appropriate coordinating bodies?

  • Yes
  • No
  • Comments

How do you ensure any shared metadata doesn’t violate privacy regulations?

  • Comments

Respond

[RS:RP] Response Planning

Description: Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.

Do you have an incident response plan in place?

  • Yes
  • No
  • Comments

How does your incident response plan fit with your overall business continuity and disaster recovery plans?

  • Comments

Learn how to create an incident response plan >

How oftern is the IRP tested?

  • Comments

Do you keep a record of response times for each IRP test?

  • Yes
  • No
  • Comments

What is your process for feeding lessons learned into IRP update processes?

  • Comment

Can you detect a phishing threat and notify your cybersecurity teams within 60 minutes of detection?

  • Yes
  • No
  • Comments

What is your average response time to phishing threats and other data breach risks?

  • Comments

Does your IRP include flowcharts to simplify process understanding?

  • Yes
  • No
  • Comments

Does your IRP account for incidents occurring outside of business hours?

  • Yes
  • No
  • Comments

Do you have a dedicated incident response team or is this effort outsourced to a third party?

  • Comments

[RS:RP] Recovery Planning

Description: Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.

Do you have a plan in place for removing information systems compromied in a cyberattack?

  • Yes
  • No
  • Comments

How often is this plan tested?

  • Comments

What is your average timeframe for a complete system recovery, such as during a ransomware attack?

  • Comments

Do you have a dedicated system recovery team or is this effort outsourced?

  • Yes
  • No
  • Comments

What is your policy for reviewing the roles and responsibilities of your recovery plans?

  • Comments

How do you keep stakeholders informed of your recovery efforts?

  • Comments

How does your recovery plan align with your incident response and business continuity plans?

  • Comments

How do you verify the success of recovery efforts and integrity of replaced data?

  • Comments

[RC:IM] Improvements

Description: Recovery planning and processes are improved by incorporating lessons learned into future activities.

Do you discuss key learning from response efforts following a real or simulated cyber event?

  • Yes
  • No
  • Comments

What is your process for incorporating these key learning in incident response, recovery and business continuity plans?

  • Comments

Are stakeholders involved in key learning discussions?

  • Comment

What is your process of updating threat awareness training (general and role-based) based on key learning insights?

  • Comment

Can you provide an example of a lesson learned that was used to improve the resilience of a mission-critical system?

  • Yes
  • No
  • Comments

How is the efficacy of lessons learned tested?

  • Comments

[RC:CO] Communications

Description: Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.

How do you ensure your stakeholders are kept informed of your risk management efforts?

  • Comments

Learn how UpGuard streamlines cybersecurity reporting >

How do you manage communications between your security teams and thrid-party vendors, especially in the area of Vendor Risk Management?

  • Comments

How do you communicate with external parties during the recovery phase of a cyber attack?

  • Comments

What is your process for engaging with vendors that have fallen vicitm to a data breach?

  • Comment

How do you ensure the reliability of all communication channels during the recovery phase of a security event?

  • Comments

How do you handle communications with law enforcement or regulatory bodies during the recovery process?

  • Comments

Can you provide an example of when communicating with third-party vendor or other external parties aided your recovery efforts?

  • Yes
  • No
  • Comments

How do you ensure efficient communications with vendors to streamline risk assessment processes?

  • Comments

Watch this video to learn how UpGuard improves vendor relationships through better collaboration.

Ready to see
UpGuard in action?

Ready to save time and streamline your trust management process?