What is NIST CSF Maturity?
National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) maturity refers to how deeply embedded, or “mature,” cybersecurity practices are in a company’s overall culture and operating procedures.
NIST CSF Maturity Levels
The NIST CSF is not a maturity model, but it defines five maturity levels that describe an organization's cybersecurity risk management practices. These levels are:
- Partial: Basic cybersecurity practices are in place but may not be well-defined or consistently implemented.
- Risk-Informed: The organization identifies and prioritizes its cybersecurity risks.
- Repeatable: Defined cybersecurity practices are in place and consistently followed.
- Documented: Cybersecurity practices are documented and formally managed.
- Adaptive: The organization can continuously improve its cybersecurity posture in response to evolving threats.
The security and risk team should conduct NIST CSF maturity assessments regularly. These risk assessments evaluate an organization's cyber practices against the NIST CSF and assign a maturity level for each function (Identify, Protect, Detect, Respond, Recover, and Govern).
Govern was added to the core functions in NIST CSF 2.0.