Watkins NIST Cybersecurity Framework Excel Workbook

NIST CSF Excel Workbook

Watkins Consulting designed an Excel-based workbook to automate the tracking of cybersecurity compliance activities with respect to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) version 1.1. We are pleased to offer a free download of this Excel workbook. The latest version includes a copy of the NIST 800-53 risk controls, mapping for the FFIEC Cybersecurity Assessment Tool, Appendix B, and a rudimentary risk register aligned with the CSF subcategories.

Upon downloading and deciding to use this tool, please register it so we can send you update notices. If you need help expanding this assessment into governance or need help with cybersecurity compliance efforts, please contact us at solutions@watkinsconsulting.com. When you register with us, we will send you a link for an Excel tool that will allow you to compare two or more workbooks at the category level.

Download Excel Workbook Download User Guide

Additional download information is below.


In 2014 NIST published version 1.0 of the Framework for Improving Critical Infrastructure Cybersecurity to help improve the cybersecurity readiness of the United States. Although its intended use is in the critical infrastructure sectors, as indicated in Presidential Executive Order 13636, the framework is general and can be used by any firm to evaluate its cybersecurity preparedness. NIST released version 1.1 in April 2018.

The core of the framework is to categorize cybersecurity into five functions: Identify, Protect, Detect, Respond, and Recover. These are then broken down into more specific categories and sub-categories. Watkins views the sub-categories as 108 best practices covering the breadth of cybersecurity issues. A firm that is able to describe their strategies and tactics across these 108 sub-categories can be assured of the breadth of their cybersecurity practice and is likely on track to create an effective implementation of that practice.

In order to assist our clients, Watkins has built an Excel workbook that automates the tracking of cyber risk management by sub-category with a roll-up to category and function. The intent of the workbook is to provide a straightforward method of record keeping which can be used to facilitate risk assessments, gap analysis, and historical comparisons.

An immediate benefit is that our clients, contacts, and everyone on the web can download and use the NIST CSF Excel workbook. It is our hope that this tool will reduce the level of clerical work involved, allowing you to immediately engage in the important work of effective cybersecurity governance. Watkins is offering this tool for your use free of charge; however, we do recommend that you register your tool so that you can receive version updates as they become available. We recommend that you let us know that you are using the Excel workbook by sending us an email.

The purpose of this tool is to record responses at the sub-category level and provide a convenient roll-up to the category and functional levels. Should your institution require further explanation of results or interpretation of the NIST Cybersecurity Framework, please contact us at solutions@watkinsconsulting.com or (888) 230-3032.

Download Information

The Excel file contains macros and has the “.xlsm” file extension type. The version 4.5 file size is 569,987 bytes (556 KB) and the SHA-1 checksum is 852755d3fbf10f9b986109b7252422b143b4ae48.
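The following is an added example, not part of the Watkins download or its user guide: a check of a downloaded copy against the size and SHA-1 published above before the macro-enabled file is opened. The function name `check_workbook` and the script name are hypothetical; the path to the downloaded file is supplied by the user.

```python
import hashlib
import hmac
import sys
import zipfile

# Values published on this page for version 4.5.
EXPECTED_SIZE = 569_987
EXPECTED_SHA1 = "852755d3fbf10f9b986109b7252422b143b4ae48"


def check_workbook(path, expected_size=EXPECTED_SIZE, expected_sha1=EXPECTED_SHA1):
    """Return a list of mismatches; an empty list means the file matches."""
    problems = []
    digest = hashlib.sha1()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    if size != expected_size:
        problems.append(f"size {size} != published {expected_size}")
    # The change log mixes upper- and lower-case hex, so normalise before comparing.
    actual = digest.hexdigest()
    if not hmac.compare_digest(actual, expected_sha1.strip().lower()):
        problems.append(f"SHA-1 {actual} != published {expected_sha1}")
    # An .xlsm is a ZIP container; its VBA macros are stored in xl/vbaProject.bin.
    if not zipfile.is_zipfile(path):
        problems.append("not a ZIP/OOXML container")
    else:
        with zipfile.ZipFile(path) as zf:
            if "xl/vbaProject.bin" not in zf.namelist():
                problems.append("no xl/vbaProject.bin, but the page says the file contains macros")
    return problems


if __name__ == "__main__":
    # Usage (hypothetical script name): python check_workbook.py <downloaded .xlsm>
    issues = check_workbook(sys.argv[1])
    print("\n".join(issues) if issues else "OK: matches published size and SHA-1")
    sys.exit(1 if issues else 0)
```

To check an older release, pass the size and the SHA-1 from the matching change log row as the second and third arguments.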

Free Excel Cybersecurity Assessment Tool Change Log

| Version (link) | Change | SHA-1 |
| --- | --- | --- |
| 4.5 (link) | cleared controls selection, better name | 852755d3fbf10f9b986109b7252422b143b4ae48 |
| 4.5 (link) | copy user inputs from earlier versions | 9A1D0AEF47A8E2B27D25AA58D68BC7BA8BC9FD97 |
| 4.03 (link) | updated for CSF 1.1; Identify function score now includes ID.SC | 56D82EE415BED47AFBCC15477525E5F1387F88F2 |
| 4.02 (superseded) | updated for CSF 1.1 | 4AADD7EEBF6C8C381378CEE1F9EEFEFE8CCC3D2E |
| 3.1 (link) | Added 0-5 scoring option, risk register | 1CA12A3944E9F24B31391C19F108F2F2078EA97F |
| 2.21 (link) | Corrected HTML link | 04FFEE9369C57AB83AA3767BA0912A79CC9A90D1 |
| 2.2 (link) | Added 800-53 reference | 30E7B245EF4E0D52BAF534F622B33BCEF2992627 |
| 1.02 (link) | Prepared for external use | E6E065D3B06712A13AE1EBC8E297516169ECF619 |
| 1.01 | Internal Release Only | |


Tags: cybersecurity, internal controls, risk management