ciso.diy
Tags: Compliance, NIST CSF, NIST CSF 2.0, self-assessment, cybersecurity framework

NIST CSF 2.0 Self-Assessment Workbook

14-tab NIST CSF 2.0 workbook — all 106 Subcategories with verbatim NIST.CSWP.29 outcome statements, Current/Target tier dropdowns, Organizational Profile Generator, heatmap, gap analysis pre-seeded with 12 high-gap 2026 scenarios, and crosswalks to SP 800-53r5, SP 800-171r3, CIS Controls v8.1, and ISO 27001:2022.

The entry-tier acquisition workbook for the ciso.diy catalog — built around the February 26, 2024 final publication of NIST CSF 2.0 (NIST.CSWP.29). All 106 Subcategories with verbatim outcome statements, not paraphrases.

14-tab architecture (270 formulas, zero errors):

Organizational Profile Generator — the new-in-2.0 concept that most vendors fail to implement well. Captures organizational context, sector, regulatory environment, and risk appetite to ground your tier assessments in business reality rather than abstract maturity scoring.

Function tabs (GV / ID / PR / DE / RS / RC) — all 6 Functions, all 22 Categories, all 106 Subcategories. Each Subcategory row carries the verbatim outcome statement from NIST.CSWP.29, a Current Tier dropdown (0–4), a Target Tier dropdown, and a nested-IF Gap calculation (no IFS or LET, so it evaluates in older Excel versions as well as Excel 365). The DETECT tab handles the non-sequential Subcategory numbering (DE.CM-01, -02, -03, -06, -09) and includes guide notes for first-time assessors.

Heatmap — aggregates Subcategory ratings up to Category and Function level with a SUMPRODUCT/ISNUMBER(SEARCH()) pattern. Blank-aware: a Category with no rated Subcategories shows empty rather than zero, so a partial assessment is not misread as a score of zero. Each Function keeps one fixed color throughout the workbook (purple=GOVERN, teal=IDENTIFY, green=PROTECT, amber=DETECT, rose=RESPOND, indigo=RECOVER).
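The two calculations above (per-Subcategory Gap and the blank-aware roll-up to Category and Function) are easy to get wrong in a spreadsheet, where an empty cell silently becomes 0. The following is an added illustration in Python, not the workbook's own formulas. It assumes Gap = Target minus Current (the page does not define the workbook's Gap formula), treats None as "not yet rated", and uses a constructed handful of real CSF 2.0 Subcategory IDs with made-up tier values.

```python
"""Blank-aware Gap and roll-up model for a CSF 2.0 tier assessment.

Added example, not code from the ciso.diy workbook. Assumptions:
  * a rating is (current_tier, target_tier); None means "not yet rated"
  * Gap = Target - Current (assumed; the workbook's formula is not shown)
  * roll-ups average only rated rows and return None when a Category or
    Function has no rated rows, instead of collapsing to 0
"""
from statistics import mean
from typing import Callable, Optional

Rating = tuple[Optional[int], Optional[int]]  # (current, target)

# Constructed sample data: real Subcategory IDs, invented tier values.
SAMPLE: dict[str, Rating] = {
    "GV.SC-04": (1, 3),
    "GV.SC-05": (None, 3),     # target chosen, current not yet assessed
    "PR.DS-10": (1, 4),
    "PR.DS-11": (3, 3),
    "DE.CM-01": (2, 3),
    "DE.CM-09": (1, 3),
    "RC.RP-03": (None, None),  # RECOVER not started in this partial assessment
}


def category_of(sub_id: str) -> str:
    """'DE.CM-09' -> 'DE.CM' (the Category is the text before the dash)."""
    return sub_id.split("-")[0]


def function_of(sub_id: str) -> str:
    """'DE.CM-09' -> 'DE' (the Function is the text before the dot)."""
    return sub_id.split(".")[0]


def gap(rating: Rating) -> Optional[int]:
    """Target minus Current; None if either side is still blank."""
    current, target = rating
    if current is None or target is None:
        return None
    return target - current


def blank_aware_mean(values: list[Optional[int]]) -> Optional[float]:
    """Average of the rated values only; None (not 0) when nothing is rated."""
    rated = [v for v in values if v is not None]
    return round(float(mean(rated)), 2) if rated else None


def rollup(ratings: dict[str, Rating],
           key: Callable[[str], str]) -> dict[str, Optional[float]]:
    """Average Current tier per Category or Function, blank-aware."""
    groups: dict[str, list[Optional[int]]] = {}
    for sub_id, (current, _target) in ratings.items():
        groups.setdefault(key(sub_id), []).append(current)
    return {group: blank_aware_mean(vals) for group, vals in groups.items()}


def high_gaps(ratings: dict[str, Rating], threshold: int = 2) -> list[str]:
    """Subcategory IDs whose Gap meets the threshold, for the gap-analysis tab."""
    hits = []
    for sub_id, rating in ratings.items():
        g = gap(rating)
        if g is not None and g >= threshold:
            hits.append(sub_id)
    return sorted(hits)


def coverage(ratings: dict[str, Rating]) -> tuple[int, int]:
    """(rated, total) Subcategories, so a partial assessment is visible as such."""
    rated = sum(1 for current, _ in ratings.values() if current is not None)
    return rated, len(ratings)


if __name__ == "__main__":
    print("Category roll-up:", rollup(SAMPLE, category_of))
    print("Function roll-up:", rollup(SAMPLE, function_of))
    print("High gaps (>= 2):", high_gaps(SAMPLE))
    print("Coverage (rated/total):", coverage(SAMPLE))
```

The point to carry back to the spreadsheet is the None branch in blank_aware_mean: RC.RP comes out as None, not 0, so the RECOVER Function shows as unassessed rather than as the weakest area in the heatmap.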

Dashboard — 8 KPI tiles and Function-level summary table. Auto-populates from all assessment tabs.

Gap Analysis — pre-populated with 12 representative 2026 high-gap scenarios including GV.SC-04 (supplier prioritization), PR.DS-10 (data-in-use protection), RC.RP-03 (backup integrity verification), and 9 others reflecting where organizations consistently score lowest in 2026 assessments.

Tier Assessment — maps your profile to CSF Tiers 1–4 with the four Tier dimensions (Risk Governance, Risk Management, Third-Party, Organizational Culture).

Crosswalks — 37 rows mapping Subcategories to SP 800-53 rev 5, SP 800-171 rev 3, CIS Controls v8.1, and ISO 27001:2022. Enables scope-once, satisfy-many compliance strategy.

Forest green palette — visually distinct from the teal US Privacy workbook, blue GDPR workbook, and burgundy executive products in the catalog.

User Guide (30 pages): Full walkthrough of all six Functions including the DETECT numbering gap, four Organizational Profile strategy templates (Balanced maturity, Governance-led, Operational depth, Minimum viable), and three worked examples — new FTE CISO at Series C SaaS, vCISO starting a 20h/month retainer, compliance lead pursuing SOC 2 + ISO 27001 dual-track.

What's included

  • Excel (.xlsx) — fully editable
  • Word (.docx) — User Guide — fully editable
  • Instant download after purchase
  • Free updates — re-download when we release new versions
  • Practitioner License: unlimited client use (vCISO / MSP)


  • Secure checkout via Stripe
  • All major cards accepted
  • 30-day satisfaction guarantee
Version: 1.0
Last updated: 2026-04-23
Workbook tabs: 14