Is there an easy-to-use tool that I can use the NIST Cyber Security Framework (CSF) matrix and calculate a score, to know cybersecurity position?
One tool that I am recommended is the CSET self assessment tool.
CSET is a desktop software tool that guides asset owners and operators through a step-by-step process to evaluate their industrial control system (ICS) and information technology (IT) network security practices. Using recognized government and industry standards and recommendations, users can evaluate their own cybersecurity stance using CSET.
Once the questionnaires are complete, CSET then provides asset owners with a dashboard of charts including areas of strengths and weaknesses, as well as a prioritized list of recommendations for increasing cybersecurity posture.
In the final report, CSET provides recommendations, common practices, compensating actions, and suggested component enhancements or additions. Using CSET, you can also compare, merge, and trend multiple assessments at once to better understand your organization’s past and present cybersecurity posture.
Here are step-by-step instructions to get the assessment process started:
- Select Standards
- Determine Assurance Level
- Create the Diagram
- Answer the Questions
- Review Analysis and Reports
Some of the cybersecurity standards that you can choose from include:
- DHS Catalog of Control Systems Security: Recommendations for Standards Developers
- NERC Critical Infrastructure Protection (CIP) Standards 002-009
- NIST Special Publication 800-82, Guide to Industrial Control Systems Security
- NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems
- NIST Cybersecurity Framework (CSF)
- NRC Regulatory Guide 5.71 Cyber Security Programs for Nuclear Facilities
- Committee on National Security Systems Instruction (CNSS) 1253
- INGAA Control Systems Cyber Security Guidelines for the Natural Gas Pipeline Industry
- NISTIR 7628 Guidelines for Smart Grid Cyber Security
It’s a big question as cybersecurity is a huge area and there are entire companies based on offering what your asking for. There are tools available but they usually form part of a much wider package and need a fair bit of knowledge to work with.
If you just want a tool that does scans and outputs numbers here is a link worth a try: NIST Network Scanners
Understanding the output and acting on it is another matter however. There was a tool from NIST but it’s no longer supported, and I’m not sure if it’s what you’re after as its more about understanding the various vulnerabilitiues and what to do with them. This may be useful in taking action following scans: NIST Cybersecurity Framework (CSF) Reference Tool