Watkins NIST Cybersecurity Framework Excel Workbook

Watkins Consulting designed an Excel-based workbook to automate the tracking of cybersecurity compliance activities with respect to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) version 1.1. We are pleased to offer a free download of this Excel workbook. The latest version includes a copy of the NIST 800-53 Rev. 5 risk controls, mapping for the FFIEC Cybersecurity Assessment Tool, Appendix B, and a rudimentary risk register aligned with the CSF subcategories.

Upon downloading and deciding to use this tool, please register it so we can send you update notices. If you need help expanding this assessment into governance or need help with cybersecurity compliance efforts, please contact us at [email protected]. When you register with us, we will send you a link for an Excel tool that will allow you to compare two or more workbooks at the category level.

Download Excel Workbook Download User Guide

Additional download information is below. Please note that this workbook includes macros. Microsoft now blocks macros by default for files downloaded from the internet (Macros from the internet are blocked by default in Office – Deploy Office | Microsoft Learn). To unblock the macros, open the file’s properties and check the unblock box on the general tab.

Image of unblocking macros in an Excel file downloaded from the internet.


In 2014 NIST published version 1.0 of the Framework for Improving Critical Infrastructure Cybersecurity to help improve the cybersecurity readiness of the United States. Although it is intended use is in the critical infrastructure sectors as indicated in Presidential Executive Order 13636, the framework is general and can be used by any firm to evaluate their cybersecurity preparedness. NIST released version 1.1 in April 2018.

The core of the framework is to categorize cybersecurity into five functions: Identify, Protect, Detect, Respond, and Recover. These are then broken down into more specific categories and sub-categories. Watkins views the sub-categories as 108 best practices covering the breadth of cybersecurity issues. A firm that is able to describe their strategies and tactics across these 108 sub-categories can be assured of the breadth of their cybersecurity practice and is likely on track to create an effective implementation of that practice.

In order to assist our clients, Watkins has built an Excel workbook that automates the tracking of cyber risk management by sub-category with a roll-up to category and function. The intent of the workbook is to provide a straightforward method of record keeping which can be used to facilitate risk assessments, gap analysis, and historical comparisons.

An immediate benefit is that our clients, contacts, and everyone on the web can download and use the NIST CSF Excel workbook. It is our hope that this tool will reduce the level of clerical work involved, allowing you to immediately engage in the important work of effective cybersecurity governance. Watkins is offering this tool for your use free of charge; however, we do recommend that you register your tool so that you can receive version updates as they become available. We recommend that you let us know that you are using the Excel workbook by sending us an email.

The purpose of this tool is to record responses at the sub-category level and provide a convenient roll-up to the category and functional levels. Should your institution require further explanation of results or interpretation of the NIST Cybersecurity Framework, please contact us at [email protected] or (888) 230-3032.

Download Information

The Excel file contains macros and has the “.xlsm” file extension type. The version 6.04 file size is 1,128,426 bytes (1,101 KB) and the SHA-1 checksum is C4A905985E930A7C3BC5355E696885CB7005A402.

Free Excel Cybersecurity Assessment Tool Change Log

Version (link) Change SHA-1
6.04 (link) 2022-07-26 Added SP 800-53 Rev. 5 and a Controls Builder (Beta)
4.51 (link) Print Subcategory worksheet updated and unlocked
4.5 (link) cleared controls selection, better name
4.5 (link) copy user inputs from earlier versions
4.03 (link) updated for CSF 1.1; Identify function score now includes ID.SC
4.02 (superseded) updated for CSF 1.1
3.1 (link) Added 0-5 scoring option, risk register
2.21 (link) Corrected HTML link
2.2 (link) Added 800-53 reference
1.02 (link) Prepared for external use
1.01 Internal Release Only
Total Views: 739