A tool designed to help organizations implement and assess their cybersecurity posture using the NIST Cybersecurity Framework (CSF). This application provides a structured approach to:
- Track and manage CSF outcomes
- Assign ownership and stakeholders to controls
- Document observations and findings
- Score current and desired security states
- Export to csv for data visualization in Excel (find a companion Excel template in public/Sample_Artifacts)
- Track remediation progress
The is an open source project, and improvement ideas to drive cyber risk reduction with CSF assessments are welcome from the Simply Cyber and other awesome communities.
Find in depth videos for CSF profile assessments and this tool in Simply Cyber Academy here: https://academy.simplycyber.io/p/accrp
View Screenshots - See the application in action
View Explainer Slides - Learn how CSF Profile assessments work
This software is provided under the MIT License. https://github.com/CPAtoCybersecurity/csf_profile/blob/main/LICENSE
By using this tool, you agree to the following:
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
The CSF Profile Assessment Database is intended for educational and informational purposes only. While efforts have been made to ensure accuracy and functionality, this tool does not guarantee compliance with any regulatory requirements or complete protection against cybersecurity threats. Users implement this software at their own risk.
The creator and contributors of this project cannot be held liable for any damages, data loss, or security incidents that may occur through the use of this tool. Organizations should verify all assessment findings independently and consult with qualified cybersecurity professionals when making security decisions.
By downloading, installing, or using this tool, you acknowledge that you understand these risks and accept full responsibility for any outcomes resulting from its use.
This tool is based on the NIST Cybersecurity Framework (CSF), developed by the National Institute of Standards and Technology. The framework and implementation examples that make up the basis of this assessment are sourced from NIST.gov. We acknowledge and appreciate NIST's work in creating this valuable resource for improving cybersecurity risk management.
As a demonstration of how to conduct CSF profile assessment, fictional company "Alma Security" is used, inspired by Daniel Miessler's open source Telos project here: https://github.com/danielmiessler/Telos/blob/main/corporate_telos.md
macOS typically comes with Git pre-installed. You only need to install Node.js:
-
Download and install Node.js from nodejs.org (LTS version recommended)
-
Verify installation by opening Terminal and running:
node --version npm --version
-
Install Git first: Download and install Git from git-scm.com
- During installation, you can accept the default options
-
Install Node.js: Download the MSI installer from nodejs.org (LTS version recommended)
- Run the MSI installer and follow the prompts
-
Open PowerShell to run the installation commands below
- Press
Win + Xand select "Windows PowerShell" or search for "PowerShell" in the Start menu
- Press
-
Update your package manager and install Node.js:
sudo apt update sudo apt install nodejs npm git
-
Clone the repository
git clone https://github.com/CPAtoCybersecurity/csf_profile cd csf_profile -
Install dependencies
npm install -
Start the development server
npm start -
Access the application Open your browser and navigate to http://localhost:3000
Some exports support optional password protection. If you provide a password, the downloaded file will be named like:
assessments_YYYY-MM-DD.enc.csv
This is an encrypted file format intended for secure backup/storage. It will not open directly in Excel/VS Code.
Use the provided Node script to decrypt an encrypted export back into a regular CSV:
Note: The script works on modern Node versions (Node 18+ recommended). On Node 22+ globalThis.crypto is read-only; the script handles this internally.
node scripts/decrypt-export.mjs --in <input.enc.csv> --out <output.csv>Example:
node scripts/decrypt-export.mjs --in assessments_2026-01-19.enc.csv --out assessments_2026-01-19.csvIf the password is wrong (or the file is modified), decryption will fail.
Security note: Passing --password on the command line may save it in your shell history. If needed for automation, you can still provide --password "...".
The application supports integration with JIRA and Confluence for enhanced tracking capabilities. To enable these integrations, you'll need to configure environment variables with your API credentials.
-
Copy the example file:
cp .env.example .env
-
Edit the
.envfile and add your credentials:REACT_APP_JIRA_INSTANCE_URL- Your JIRA instance URL (e.g., https://your-domain.atlassian.net)REACT_APP_JIRA_API_TOKEN- Your JIRA API tokenREACT_APP_CONFLUENCE_INSTANCE_URL- Your Confluence URL (e.g., https://your-domain.atlassian.net/wiki)REACT_APP_CONFLUENCE_API_TOKEN- Your Confluence API token
-
Generate API tokens at: https://id.atlassian.com/manage-profile/security/api-tokens
For local development on Windows, you can set environment variables using PowerShell or Command Prompt:
Using PowerShell:
# Set environment variables for current session
$env:REACT_APP_JIRA_INSTANCE_URL="https://your-domain.atlassian.net"
$env:REACT_APP_JIRA_API_TOKEN="your-jira-token"
$env:REACT_APP_CONFLUENCE_INSTANCE_URL="https://your-domain.atlassian.net/wiki"
$env:REACT_APP_CONFLUENCE_API_TOKEN="your-confluence-token"
# Then start the app
npm startUsing Command Prompt:
set REACT_APP_JIRA_INSTANCE_URL=https://your-domain.atlassian.net
set REACT_APP_JIRA_API_TOKEN=your-jira-token
set REACT_APP_CONFLUENCE_INSTANCE_URL=https://your-domain.atlassian.net/wiki
set REACT_APP_CONFLUENCE_API_TOKEN=your-confluence-token
npm startRecommended: Using a .env file (All platforms)
The easiest approach for all platforms is to use a .env file in the project root:
- Copy
.env.exampleto.env - Edit
.envand fill in your values - The
.envfile is automatically excluded from version control - Run
npm startas normal
Important Security Notes:
- Never commit your
.envfile to version control - Never share your API tokens publicly
- Rotate tokens periodically for security
- The
.envfile is already listed in.gitignoreto prevent accidental commits
If you encounter issues with react-scripts not installing correctly on Kali Linux:
-
Delete node_modules and reinstall:
cd csf_profile rm -rf node_modules rm package-lock.json npm install -
If issues persist, try installing with the
--legacy-peer-depsflag:npm install --legacy-peer-deps
-
Verify react-scripts is installed:
ls node_modules/.bin/ | grep react-scripts
Docker support is planned for a future release. Draft Docker files are available in _future/docker/ for reference. These require updates for production use with the new backend integration.
Contributed by @SecBurg
This application supports fetching control documentation from Confluence Cloud using a secure backend integration.
Set the following environment variables in your backend .env file:
CONFLUENCE_BASE_URL=https://your-company.atlassian.net
CONFLUENCE_EMAIL=your-email@example.com
CONFLUENCE_API_TOKEN=your-api-tokenThis project supports two paths depending on your infrastructure needs:
File-based exports for users without backend infrastructure:
- CSV Export: Import into Excel, Google Sheets, or any spreadsheet tool
- JSON Export: Import into Jira via Jira Importers plugin, or use with other tools
- No backend required - runs entirely in the browser
Status: In active development. Not recommended for production use.
Real-time API integration for teams with infrastructure support:
- Jira Cloud API: Create issues directly from assessment findings
- Confluence Cloud API: Link control documentation and sync content
- Requires backend service for OAuth/token handling
See the feature/api-integration branch for development progress.
Thank you to our amazing contributors! See CONTRIBUTORS.md for the full list.
The Export CSV function allows you to:
- Export your entire assessment database to a CSV file
- Include all control details, observations, scores, and action plans
- Generate date-stamped files for version control
- Add it to the companion Excel template for reporting
To export your data, click the "Export CSV" button in the controls view. The file will be automatically downloaded with a filename that includes the current date.
The Import CSV function allows you to:
- Import assessment data from a CSV file
- Update your assessment with data from external sources
- Restore from a previous export
- Collaborate by sharing and merging assessment files
Important Note: Importing a CSV will overwrite all data currently in the database. Make sure to export your current data first if you want to preserve it. CSV files are particularly useful for creating charts and visualizations in Excel or other spreadsheet applications.
The application includes several key sections:
- Subcategories: View and manage all CSF controls
- Dashboard: Visualize assessment data and progress
- Scoring: Reference the scoring legend and methodology
- Artifacts: Audit artifacts with links, to map to CSF subcategories for "test once - assure many" efficiencies
- User Management: Manage users involved in the assessment
The tool uses a scoring system from 0-10 to assess the current and desired state of each control. It comes from the Mastering Cyber Resilience textbook by AKYLADE.
- 0-1.9: Insecurity - Organization rarely or never implements this control
- 2.0-4.9: Some Security - Organization sometimes implements this control, but unreliably
- 5.0-5.9: Minimally Acceptable Security - Organization consistently implements this control with minor flaws
- 6.1-6.9: Optimized Security - Organization consistently implements this control with great effectiveness
- 7.0-7.9: Fully Optimized Security - Organization implements this control with fully optimized effectiveness
- 8.1-10.0: Too Much Security - Organization implements this control at excessive financial cost
-
Obtain API Tokens
- Jira Cloud: https://id.atlassian.com/manage/api-tokens
- Confluence Cloud: same token can be used
-
Required Permissions
- Jira: Browse Projects, Edit Issues, Create Issues
- Confluence: View and Add Content, Edit Pages
-
Environment Variables (.env)
JIRA_BASE_URL=https://your-domain.atlassian.net
JIRA_EMAIL=your-email@example.com
JIRA_API_TOKEN=your-jira-api-token
CONFLUENCE_BASE_URL=https://your-domain.atlassian.net/wiki
- Service Account with minimum required permissions
- Store API tokens securely (do not commit to repo)
- Set environment variables on server
- Configure SSO in Jira/Confluence if company uses Microsoft EntraID
401 Unauthorized: Invalid token or email mismatch403 Forbidden: Missing permissionsInvalid URL: Ensure/wikipath is included for ConfluenceRate Limits: Reduce request frequency or batch requests