NIST CSF Control Mapping Template
Free NIST CSF control mapping template and worksheet. Map your existing security controls to the NIST Cybersecurity Framework and identify gaps quickly.
Use this NIST CSF control mapping template to align your existing security controls with the NIST Cybersecurity Framework. This worksheet helps you document current protections, identify gaps, and create a remediation roadmap.
How to Map Controls to NIST CSF
Follow these five steps to complete your NIST CSF mapping worksheet:
Step 1: Inventory Your Assets (ID.AM)
List all critical assets, processes, and systems that store or process sensitive data. Include cloud services, on-premises infrastructure, endpoints, and third-party vendors.
- Hardware assets (servers, workstations, mobile devices)
- Software applications and SaaS platforms
- Data repositories and databases
- Network infrastructure and connectivity
- Third-party service providers
Step 2: Document Existing Controls
For each asset, record what security controls are currently in place. Be specific—note the technology, process, or policy that provides protection.
Step 3: Map to NIST CSF Functions and Categories
Match each control to the function, category and subcategory whose outcome it satisfies, and record the subcategory identifier (e.g., PR.AC-7, the subcategory under PR.AC, Identity Management, Authentication and Access Control, whose outcome is that users, devices and other assets are authenticated commensurate with the risk of the transaction). One control often satisfies several subcategories; add a worksheet row for each. The identifiers on this page are from CSF 1.1. CSF 2.0 (2024) added a sixth function, Govern (GV), and renamed or renumbered most categories (PR.AC became PR.AA, for example), so note which version the worksheet follows and do not mix identifiers from both.
Step 4: Identify Gaps
Compare your current controls against each subcategory's outcome statement. Mark a gap where a control is missing, insufficient (partial coverage, as when MFA protects only some accounts), or undocumented (no evidence that it is in place, configured as described, or tested). A category with no worksheet row at all is an undocumented gap, not a pass.
Step 5: Create Remediation Roadmap
Prioritize gaps by risk and business impact. Assign remediation priorities: Critical, High, Medium, or Low.
NIST CSF Control Mapping Template
Copy this table to create your own NIST CSF mapping worksheet:
| Asset/Process | Current Control | NIST Function | NIST Category | Subcategory | Gap? | Remediation Priority |
|---|---|---|---|---|---|---|
Column Definitions:
- Asset/Process: System, application, or business process being protected
- Current Control: Existing security measure (technology, policy, or procedure)
- NIST Function: One of the five CSF 1.1 functions: ID, PR, DE, RS, RC (CSF 2.0 adds a sixth, GV)
- NIST Category: Function category (e.g., PR.AC, DE.CM)
- Subcategory: Specific NIST CSF subcategory identifier (e.g., PR.AC-7)
- Gap?: Yes/No—control missing or insufficient?
- Remediation Priority: Critical, High, Medium, Low
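The five steps above and the worksheet columns are easy to keep in a CSV and script, which catches the mistakes a hand-filled table hides: misspelled or out-of-range subcategory identifiers, a function column that disagrees with the subcategory, gap rows with no priority, and categories nobody mapped at all. The following is an added example, not part of the original template. It assumes CSF 1.1 identifiers (the per-category subcategory counts are the published 1.1 figures, 108 in total) and the column names of the worksheet above; the sample rows are constructed for illustration.

```python
"""Gap analysis over a NIST CSF 1.1 control-mapping worksheet kept as CSV.

Added example, not part of the original template. Column names follow the
worksheet above; per-category subcategory counts are the CSF 1.1 figures.
The sample rows at the bottom are constructed for illustration.
"""
import csv
import io
import re
from collections import defaultdict

# Number of subcategories in each CSF 1.1 category (108 in total). Used both to
# reject malformed identifiers and to compute coverage. A worksheet written
# against CSF 2.0 would need a different table (2.0 adds GV and renumbers).
CSF11_SUBCATEGORY_COUNT = {
    "ID.AM": 6, "ID.BE": 5, "ID.GV": 4, "ID.RA": 6, "ID.RM": 3, "ID.SC": 5,
    "PR.AC": 7, "PR.AT": 5, "PR.DS": 8, "PR.IP": 12, "PR.MA": 2, "PR.PT": 5,
    "DE.AE": 5, "DE.CM": 8, "DE.DP": 5,
    "RS.RP": 1, "RS.CO": 5, "RS.AN": 5, "RS.MI": 3, "RS.IM": 2,
    "RC.RP": 1, "RC.IM": 2, "RC.CO": 3,
}
PRIORITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
SUBCAT_RE = re.compile(r"^(ID|PR|DE|RS|RC)\.([A-Z]{2})-(\d{1,2})$")


def parse_subcategory(ident):
    """Return (function, category) for a CSF 1.1 subcategory id, else raise."""
    m = SUBCAT_RE.match(ident.strip())
    if not m:
        raise ValueError(f"malformed subcategory identifier: {ident!r}")
    func, cat, num = m.group(1), f"{m.group(1)}.{m.group(2)}", int(m.group(3))
    if cat not in CSF11_SUBCATEGORY_COUNT:
        raise ValueError(f"unknown CSF 1.1 category: {cat}")
    if not 1 <= num <= CSF11_SUBCATEGORY_COUNT[cat]:
        raise ValueError(f"{cat} has {CSF11_SUBCATEGORY_COUNT[cat]} subcategories, got {ident}")
    return func, cat


def is_valid_subcategory(ident):
    """True if ident is a well-formed, in-range CSF 1.1 subcategory identifier."""
    try:
        parse_subcategory(ident)
        return True
    except ValueError:
        return False


def load_worksheet(csv_text):
    """Parse worksheet rows, deriving Function/Category from the Subcategory and
    rejecting rows whose stated NIST Function column disagrees with it."""
    rows = []
    for raw in csv.DictReader(io.StringIO(csv_text)):
        func, cat = parse_subcategory(raw["Subcategory"])
        stated = raw["NIST Function"].strip()[:2]
        if stated and stated != func:
            raise ValueError(f"row {raw['Asset/Process']!r}: function {stated} "
                             f"does not match {raw['Subcategory']}")
        gap = raw["Gap?"].strip().lower() == "yes"
        prio = raw["Remediation Priority"].strip()
        if gap and prio not in PRIORITY_RANK:
            raise ValueError(f"gap row {raw['Asset/Process']!r} needs a priority, got {prio!r}")
        rows.append({**raw, "Function": func, "Category": cat,
                     "Subcategory": raw["Subcategory"].strip(), "Gap": gap})
    return rows


def gap_report(rows):
    """Gap rows ordered Critical -> Low, then by subcategory id (step 5)."""
    return sorted((r for r in rows if r["Gap"]),
                  key=lambda r: (PRIORITY_RANK[r["Remediation Priority"].strip()],
                                 r["Subcategory"]))


def coverage_by_category(rows):
    """Fraction of each category's subcategories backed by a non-gap control."""
    covered = defaultdict(set)
    for r in rows:
        if not r["Gap"]:
            covered[r["Category"]].add(r["Subcategory"])
    return {cat: len(covered[cat]) / n for cat, n in CSF11_SUBCATEGORY_COUNT.items()}


def undocumented_categories(rows):
    """Categories with no worksheet row at all: 'not documented' gaps (step 4)."""
    seen = {r["Category"] for r in rows}
    return sorted(c for c in CSF11_SUBCATEGORY_COUNT if c not in seen)


# Constructed sample worksheet: the page's three examples, with patch management
# mapped to two subcategories because one control often serves several.
SAMPLE_CSV = """Asset/Process,Current Control,NIST Function,NIST Category,Subcategory,Gap?,Remediation Priority
User access to cloud storage,MFA enforced for all admin accounts,PR (Protect),PR.AC,PR.AC-7,Yes,High
Production database backups,Automated nightly backups with 30-day retention,PR (Protect),PR.IP,PR.IP-4,No,N/A
Server patch management,Monthly manual patching; no automated scanning,ID (Identify),ID.RA,ID.RA-1,Yes,Critical
Server patch management,Monthly manual patching; no automated scanning,DE (Detect),DE.CM,DE.CM-8,Yes,Critical
"""

if __name__ == "__main__":
    ws = load_worksheet(SAMPLE_CSV)
    for r in gap_report(ws):
        print(f"{r['Remediation Priority']:<9} {r['Subcategory']:<9} {r['Asset/Process']}")
    print("undocumented categories:", len(undocumented_categories(ws)))
```

Coverage is computed per category against the full CSF 1.1 subcategory count rather than against the rows you happened to write, so a category that is 1 of 12 covered reads as 8% and not 100%; the undocumented-category list is the quickest way to find the parts of the framework the worksheet never considered.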
Example Mapping Entries
Use these examples to understand how to fill out your NIST CSF gap analysis template:
Example 1: User Access Control
| Asset/Process | Current Control | NIST Function | NIST Category | Subcategory | Gap? | Remediation Priority |
|---|---|---|---|---|---|---|
| User access to cloud storage | MFA enforced for all admin accounts | PR (Protect) | PR.AC (Access Control) | PR.AC-7 | Yes | High |
Gap Note: MFA not enforced for standard user accounts—only 40% coverage.
Example 2: Data Backup
| Asset/Process | Current Control | NIST Function | NIST Category | Subcategory | Gap? | Remediation Priority |
|---|---|---|---|---|---|---|
| Production database backups | Automated nightly backups with 30-day retention | PR (Protect) | PR.IP (Information Protection Processes and Procedures) | PR.IP-4 | No | N/A |
Mapping Note: Taking and retaining backups is PR.IP-4 (backups of information are conducted, maintained, and tested), not RC.RP-1 (recovery plan is executed during or after an incident), which a backup job alone does not satisfy. Mark PR.IP-4 "No" only if restores are actually exercised; scheduled but untested backups are a gap.
Example 3: Vulnerability Management
| Asset/Process | Current Control | NIST Function | NIST Category | Subcategory | Gap? | Remediation Priority |
|---|---|---|---|---|---|---|
| Server patch management | Monthly manual patching; no automated scanning | ID (Identify) | ID.RA (Risk Assessment) | ID.RA-1 | Yes | Critical |
Gap Note: No continuous vulnerability scanning; patches delayed an average of 45 days. The same control also belongs under DE.CM-8 (vulnerability scans are performed) and PR.IP-12 (a vulnerability management plan is developed and implemented); add a row for each so the scanning gap and the patching gap are tracked separately.
Quick Reference: NIST CSF Functions and Categories
Five Core Functions
- ID (Identify) - Understand and manage cybersecurity risk
- PR (Protect) - Implement safeguards to ensure delivery of services
- DE (Detect) - Develop activities to identify cybersecurity events
- RS (Respond) - Take action regarding detected incidents
- RC (Recover) - Maintain plans for resilience and restore capabilities
Categories by Function (CSF 1.1)
| Function | Categories |
|---|---|
| ID | Asset Management (ID.AM), Business Environment (ID.BE), Governance (ID.GV), Risk Assessment (ID.RA), Risk Management Strategy (ID.RM), Supply Chain Risk Management (ID.SC) |
| PR | Identity Management, Authentication and Access Control (PR.AC), Awareness and Training (PR.AT), Data Security (PR.DS), Information Protection Processes and Procedures (PR.IP), Maintenance (PR.MA), Protective Technology (PR.PT) |
| DE | Anomalies and Events (DE.AE), Security Continuous Monitoring (DE.CM), Detection Processes (DE.DP) |
| RS | Response Planning (RS.RP), Communications (RS.CO), Analysis (RS.AN), Mitigation (RS.MI), Improvements (RS.IM) |
| RC | Recovery Planning (RC.RP), Improvements (RC.IM), Communications (RC.CO) |
Next Steps
Use this NIST CSF control mapping template to document your current security posture and identify improvement opportunities. Update the worksheet quarterly as controls evolve and new assets are added.
For a comprehensive overview of the framework, including implementation guidance for small and mid-sized businesses, visit our NIST CSF framework guide.