Interactive self-assessment across all 6 NIST CSF 2.0 functions, 22 categories, and 106 subcategories. Tier-based maturity scoring with evidence tracking. No signup, no install, no data leaves your browser.
This is a free, browser-based self-assessment. Looking for full program management? Our Assessment Tool — Pro is a professional browser tool with evidence tracking, gap analysis, and executive reporting.
Need More?
The free tool is a browser-based self-assessment. The Pro tool adds evidence tracking, gap analysis, and executive reporting.
| Feature | Free Tool | Professional |
|---|---|---|
| All 106 subcategories, 6 functions | ✓ | ✓ |
| Implementation tier scoring (0–4) | ✓ | ✓ |
| Evidence notes per subcategory | ✓ | ✓ |
| Save progress & export to CSV | ✓ | ✓ |
| Current vs. target gap tracking | — | ✓ |
| Priority-weighted remediation planning | — | ✓ |
| Evidence tracker with control ownership | — | ✓ |
| Executive dashboard with charts | — | ✓ |
| Implementation roadmap generator | — | ✓ |
| Category-level maturity trending | — | ✓ |
Two ways to go deeper:
Browser Toolkit
Assessment Tool — Pro
Gap tracking, evidence ownership, exec summary & Risk Register export.
Learn More — $329
Excel Workbook
Professional Toolkit
Dashboards, roadmap generator & maturity trending. Full program management.
Buy Now — $199
Or get all tools: Complete Assessment Suite — $1,299
What's Included
Complete coverage of Govern, Identify, Protect, Detect, Respond, and Recover functions with every subcategory.
Rate each subcategory from Partial (Tier 1) through Adaptive (Tier 4) with automatic rollup scoring by function.
Attach notes and evidence references to each control for audit readiness and team collaboration.
Function-level maturity spider chart and category breakdown showing current vs target state.
Save progress as JSON to continue later. Export results to CSV for reporting and presentations.
Runs entirely in your browser. No server connection required — your assessment data stays on your device.
Methodology
Each subcategory is scored against the NIST implementation tiers, measuring the maturity and sophistication of your cybersecurity risk management practices.
| Tier | Level | Description |
|---|---|---|
| Tier 4 | Adaptive | Risk management practices are continuously improved based on lessons learned and predictive indicators |
| Tier 3 | Repeatable | Risk management practices are formally approved and expressed as policy, regularly updated |
| Tier 2 | Risk Informed | Risk management practices are approved by management but may not be established organization-wide |
| Tier 1 | Partial | Risk management practices are not formalized, ad hoc and sometimes reactive |
Getting Started
Click "Launch Tool" above. Everything runs in your browser — no data is sent anywhere.
Start with any of the 6 CSF functions: Govern, Identify, Protect, Detect, Respond, or Recover.
Rate your implementation tier (0–4) for each of the 106 subcategories.
Document your current controls and evidence for each subcategory.
Check your function-level maturity scores and identify gaps.
Save as JSON to continue later, or export to CSV for reporting.
Next Step
Once you save your assessment, you can import it directly into the free Risk Treatment Plan tool. It reads your results, identifies Tier 1 and 2 gaps, and auto-generates a remediation plan with checklists for each gap — no re-entry required.