cybersecurity-maturity-score v1.0.0
Score your organization's cybersecurity maturity across NIST CSF functions with industry benchmarking

# Cybersecurity Maturity Score

Score your organization's cybersecurity maturity across the five NIST Cybersecurity Framework (CSF) core functions with industry benchmarking.
## Install

Python:

```shell
pip install cybersecurity-maturity-score
```

JavaScript:

```shell
npm install cybersecurity-maturity-score
```

## Quick Start
### Python

```python
from cybersecurity_maturity_score import (
    score_maturity,
    get_assessment_questions,
    generate_gap_report,
    benchmark,
    maturity_level_label,
)

# 1. Get the assessment questions
questions = get_assessment_questions()
for q in questions[:3]:
    print(f"{q['id']} — {q['name']}: {q['question']}")

# 2. Score your responses (all 23 subcategories, scored 1-5)
responses = {
    "ID.AM": 3, "ID.BE": 2, "ID.GV": 3, "ID.RA": 2, "ID.RM": 2, "ID.SC": 1,
    "PR.AC": 3, "PR.AT": 2, "PR.DS": 3, "PR.IP": 3, "PR.MA": 2, "PR.PT": 3,
    "DE.AE": 2, "DE.CM": 2, "DE.DP": 1,
    "RS.RP": 2, "RS.CO": 1, "RS.AN": 2, "RS.MI": 2, "RS.IM": 1,
    "RC.RP": 2, "RC.IM": 1, "RC.CO": 1,
}
result = score_maturity(responses)
print(f"Composite: {result['composite_score']}/5.0 ({result['composite_label']})")
# Composite: 2.0/5.0 (Developing)
for func, score in result["function_scores"].items():
    print(f"  {func}: {score}/5.0 ({result['function_labels'][func]})")

# 3. Generate a gap report
report = generate_gap_report(responses)
print(f"\n{report['summary']}")
for gap in report["critical_gaps"][:3]:
    print(f"  [{gap['priority']}] {gap['id']} {gap['name']}: {gap['recommendation']}")

# 4. Benchmark against industry and company size
comparison = benchmark(result["composite_score"], industry="healthcare", company_size="smb")
print(f"\nIndustry delta: {comparison['industry_benchmark']['delta']:+.1f}")
print(f"Assessment: {comparison['industry_benchmark']['assessment']}")
```

### JavaScript
```javascript
const {
  scoreMaturity,
  getAssessmentQuestions,
  generateGapReport,
  benchmark,
  maturityLevelLabel,
} = require('cybersecurity-maturity-score');

// 1. Get the assessment questions
const questions = getAssessmentQuestions();
questions.slice(0, 3).forEach((q) => {
  console.log(`${q.id} — ${q.name}: ${q.question}`);
});

// 2. Score your responses
const responses = {
  'ID.AM': 3, 'ID.BE': 2, 'ID.GV': 3, 'ID.RA': 2, 'ID.RM': 2, 'ID.SC': 1,
  'PR.AC': 3, 'PR.AT': 2, 'PR.DS': 3, 'PR.IP': 3, 'PR.MA': 2, 'PR.PT': 3,
  'DE.AE': 2, 'DE.CM': 2, 'DE.DP': 1,
  'RS.RP': 2, 'RS.CO': 1, 'RS.AN': 2, 'RS.MI': 2, 'RS.IM': 1,
  'RC.RP': 2, 'RC.IM': 1, 'RC.CO': 1,
};
const result = scoreMaturity(responses);
console.log(`Composite: ${result.composite_score}/5.0 (${result.composite_label})`);
// Composite: 2.0/5.0 (Developing)

// 3. Generate a gap report
const report = generateGapReport(responses);
console.log(report.summary);

// 4. Benchmark against industry
const comparison = benchmark(result.composite_score, 'healthcare', 'smb');
console.log(`Industry delta: ${comparison.industry_benchmark.delta}`);
```

## API Reference
### score_maturity(responses) / scoreMaturity(responses)

Score cybersecurity maturity across all five NIST CSF functions.

Parameters:

- `responses` — dict/object mapping subcategory IDs (e.g. `"ID.AM"`) to numeric maturity scores (1-5). All 23 subcategories should be present; missing ones are excluded from the average.

Returns: Object with:

| Key | Type | Description |
|-----|------|-------------|
| function_scores | object | Average maturity score (1.0-5.0) per NIST function |
| function_labels | object | Maturity label per function |
| composite_score | float | Overall average across all scored subcategories |
| composite_label | string | Maturity label for the composite score |
| subcategory_scores | object | Copy of the input responses |
| coverage | int | Number of subcategories scored (out of 23) |
### get_assessment_questions() / getAssessmentQuestions()

Return the full list of 23 assessment questions grouped by NIST CSF function.

Returns: Array of objects, each with:

| Key | Type | Description |
|-----|------|-------------|
| id | string | NIST subcategory ID (e.g. "ID.AM") |
| function | string | NIST CSF function name |
| name | string | Subcategory name |
| question | string | Assessment question text |
| criteria | object | Scoring criteria for levels 1-5 |
### maturity_level_label(score) / maturityLevelLabel(score)

Map a numeric score (1-5) to its label.

| Score | Label |
|-------|-------|
| 1 | Initial |
| 2 | Developing |
| 3 | Defined |
| 4 | Managed |
| 5 | Optimized |
### generate_gap_report(responses) / generateGapReport(responses)

Identify the lowest-scoring areas and return prioritized recommendations.

Parameters:

- `responses` — same format as `score_maturity`.

Returns: Object with:

| Key | Type | Description |
|-----|------|-------------|
| gaps | array | All subcategories sorted by score ascending, with recommendations |
| critical_gaps | array | Subset of gaps where current score <= 2 |
| summary | string | Human-readable summary of findings |
Each gap includes: `id`, `function`, `name`, `current_score`, `current_label`, `target_score`, `target_label`, `priority`, and `recommendation`.

### benchmark(composite_score, industry?, company_size?) / benchmark(compositeScore, industry?, companySize?)

Compare a composite maturity score against industry and/or company-size benchmarks.

Parameters:

- `composite_score` — float, 1.0-5.0
- `industry` — one of: `financial_services`, `healthcare`, `technology`, `manufacturing`, `retail`
- `company_size` — one of: `smb`, `mid_market`, `enterprise`

At least one of `industry` or `company_size` must be provided.

Returns: Object with `industry_benchmark` and/or `size_benchmark`, each containing `benchmark_score`, `delta`, `percentile_estimate`, and `assessment`.
## NIST CSF Subcategories

The 23 subcategories assessed, grouped by function:

| Function | ID | Subcategory |
|----------|----|-------------|
| Identify | ID.AM | Asset Management |
| | ID.BE | Business Environment |
| | ID.GV | Governance |
| | ID.RA | Risk Assessment |
| | ID.RM | Risk Management Strategy |
| | ID.SC | Supply Chain Risk Management |
| Protect | PR.AC | Identity Management & Access Control |
| | PR.AT | Awareness & Training |
| | PR.DS | Data Security |
| | PR.IP | Information Protection Processes & Procedures |
| | PR.MA | Maintenance |
| | PR.PT | Protective Technology |
| Detect | DE.AE | Anomalies & Events |
| | DE.CM | Security Continuous Monitoring |
| | DE.DP | Detection Processes |
| Respond | RS.RP | Response Planning |
| | RS.CO | Communications |
| | RS.AN | Analysis |
| | RS.MI | Mitigation |
| | RS.IM | Improvements |
| Recover | RC.RP | Recovery Planning |
| | RC.IM | Improvements |
| | RC.CO | Communications |
## Benchmark Data

### By Industry

| Industry | Composite | Identify | Protect | Detect | Respond | Recover |
|----------|-----------|----------|---------|--------|---------|---------|
| Financial Services | 3.8 | 3.9 | 4.0 | 3.8 | 3.7 | 3.6 |
| Healthcare | 2.9 | 3.0 | 3.1 | 2.7 | 2.8 | 2.9 |
| Technology / SaaS | 3.5 | 3.4 | 3.6 | 3.7 | 3.5 | 3.3 |
| Manufacturing | 2.4 | 2.5 | 2.6 | 2.2 | 2.3 | 2.4 |
| Retail | 2.6 | 2.7 | 2.8 | 2.5 | 2.5 | 2.5 |

### By Company Size

| Size Category | Composite | Identify | Protect | Detect | Respond | Recover |
|---------------|-----------|----------|---------|--------|---------|---------|
| SMB (< 500 employees) | 2.1 | 2.2 | 2.3 | 1.9 | 2.0 | 2.1 |
| Mid-Market (500-5,000) | 3.0 | 3.1 | 3.2 | 2.9 | 2.9 | 2.9 |
| Enterprise (5,000+) | 3.7 | 3.8 | 3.9 | 3.6 | 3.6 | 3.6 |
## Methodology

### Scoring

Each of the 23 NIST CSF subcategories is scored on a 1-5 maturity scale:

1. Initial — Ad-hoc, reactive, undocumented processes
2. Developing — Basic processes exist but are inconsistent
3. Defined — Documented, repeatable processes with assigned ownership
4. Managed — Measured, automated, and regularly improved processes
5. Optimized — Continuous improvement with advanced automation and real-time adaptation

### Calculation

- Function scores are the arithmetic mean of all scored subcategories within that function.
- Composite score is the arithmetic mean of all 23 subcategory scores.
- Gap analysis sorts subcategories by score ascending and assigns priority levels: Critical (1-2), High (3), Medium (4), Low (5).
- Benchmarking compares your composite score against industry and company-size averages derived from published survey data. Percentile estimates assume a roughly normal distribution with a standard deviation of ~0.7 around the benchmark mean.
### Partial Assessments

You can submit fewer than 23 subcategories. The scorer will calculate averages using only the provided responses. Functions with no scored subcategories will return `null`. This is useful for focused assessments of specific NIST functions.
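The Calculation and Partial Assessments rules above are simple enough to reproduce end to end, which is useful when you want to audit what a composite score actually represents before putting it in front of leadership. The following is an added example written for this page; it is not the package's own implementation. It reimplements the stated rules (per-function and composite arithmetic means, the Critical/High/Medium/Low priority bands, `null` for functions with no scored subcategories, and a normal-distribution percentile with the stated ~0.7 standard deviation) and adds input validation so that an unknown subcategory ID or an out-of-range score is rejected rather than silently averaged. Two details the README does not specify are assumptions made here and marked in the code: fractional averages are rounded half up to the nearest level when labelled, and a gap's target score is one level above its current score. The subcategory mapping, labels and industry composite benchmarks are copied from the tables on this page; `SAMPLE_RESPONSES` is the Quick Start's response set.

```python
import math
from statistics import mean

# Subcategory-to-function mapping and level labels, copied from the README tables.
FUNCTIONS = {
    "Identify": ["ID.AM", "ID.BE", "ID.GV", "ID.RA", "ID.RM", "ID.SC"],
    "Protect": ["PR.AC", "PR.AT", "PR.DS", "PR.IP", "PR.MA", "PR.PT"],
    "Detect": ["DE.AE", "DE.CM", "DE.DP"],
    "Respond": ["RS.RP", "RS.CO", "RS.AN", "RS.MI", "RS.IM"],
    "Recover": ["RC.RP", "RC.IM", "RC.CO"],
}
VALID_IDS = {sub for ids in FUNCTIONS.values() for sub in ids}
FUNCTION_OF = {sub: func for func, ids in FUNCTIONS.items() for sub in ids}
LABELS = {1: "Initial", 2: "Developing", 3: "Defined", 4: "Managed", 5: "Optimized"}
# Composite benchmarks from the README's "By Industry" table.
INDUSTRY_COMPOSITE = {
    "financial_services": 3.8, "healthcare": 2.9, "technology": 3.5,
    "manufacturing": 2.4, "retail": 2.6,
}
BENCHMARK_SD = 0.7  # spread around the benchmark mean stated in the README
# The Quick Start's response set, copied from the README.
SAMPLE_RESPONSES = {
    "ID.AM": 3, "ID.BE": 2, "ID.GV": 3, "ID.RA": 2, "ID.RM": 2, "ID.SC": 1,
    "PR.AC": 3, "PR.AT": 2, "PR.DS": 3, "PR.IP": 3, "PR.MA": 2, "PR.PT": 3,
    "DE.AE": 2, "DE.CM": 2, "DE.DP": 1,
    "RS.RP": 2, "RS.CO": 1, "RS.AN": 2, "RS.MI": 2, "RS.IM": 1,
    "RC.RP": 2, "RC.IM": 1, "RC.CO": 1,
}


def validate(responses):
    """Reject unknown subcategory IDs and out-of-range scores instead of averaging them."""
    for sub, score in responses.items():
        if sub not in VALID_IDS:
            raise ValueError(f"unknown subcategory id: {sub}")
        if not isinstance(score, int) or not 1 <= score <= 5:
            raise ValueError(f"{sub}: score must be an integer 1-5, got {score!r}")


def label_for(score):
    """Map a score to its level label. Assumption: fractional averages round half up."""
    if score is None:
        return None
    return LABELS[min(5, max(1, math.floor(score + 0.5)))]


def score_maturity(responses):
    """Per-function and composite arithmetic means over the scored subcategories only."""
    validate(responses)
    function_scores = {}
    for func, ids in FUNCTIONS.items():
        vals = [responses[i] for i in ids if i in responses]
        # Partial assessment: a function with no scored subcategories yields None (null).
        function_scores[func] = round(mean(vals), 2) if vals else None
    composite = round(mean(responses.values()), 2) if responses else None
    return {
        "function_scores": function_scores,
        "function_labels": {f: label_for(s) for f, s in function_scores.items()},
        "composite_score": composite,
        "composite_label": label_for(composite),
        "coverage": len(responses),
    }


def gap_priority(score):
    """Priority bands as stated in the README: Critical (1-2), High (3), Medium (4), Low (5)."""
    return "Critical" if score <= 2 else {3: "High", 4: "Medium"}.get(score, "Low")


def generate_gap_report(responses):
    """Sort scored subcategories ascending and attach priority; ties are broken by ID."""
    validate(responses)
    gaps = []
    for sub, score in sorted(responses.items(), key=lambda kv: (kv[1], kv[0])):
        target = min(score + 1, 5)  # assumption: the target is one level above current
        gaps.append({
            "id": sub, "function": FUNCTION_OF[sub], "current_score": score,
            "current_label": LABELS[score], "target_score": target,
            "target_label": LABELS[target], "priority": gap_priority(score),
        })
    critical = [g for g in gaps if g["current_score"] <= 2]
    summary = f"{len(critical)} of {len(gaps)} scored subcategories are at or below Developing"
    return {"gaps": gaps, "critical_gaps": critical, "summary": summary}


def percentile_estimate(composite, benchmark_score, sd=BENCHMARK_SD):
    """Percentile under a normal distribution centred on the benchmark, as the README assumes."""
    z = (composite - benchmark_score) / sd
    return round(100 * 0.5 * (1 + math.erf(z / math.sqrt(2))), 1)


def benchmark(composite, industry):
    """Delta and percentile against an industry composite benchmark."""
    bench = INDUSTRY_COMPOSITE[industry]
    return {"benchmark_score": bench, "delta": round(composite - bench, 2),
            "percentile_estimate": percentile_estimate(composite, bench)}


if __name__ == "__main__":
    # Constructed focused assessment covering only the Detect function.
    detect_only = {"DE.AE": 2, "DE.CM": 2, "DE.DP": 1}
    r = score_maturity(detect_only)
    print(r["function_scores"], r["composite_score"], r["composite_label"])
    print(benchmark(r["composite_score"], "healthcare"))
```

Running it on the Detect-only set shows the partial-assessment behaviour directly: Identify, Protect, Respond and Recover come back as `None`, coverage is 3, and the composite of 1.67 is labelled Developing. Feeding it the Quick Start's 23 responses reproduces the 2.0 composite shown above and puts 17 subcategories in the critical band, which is the kind of cross-check worth doing before treating the package's output as a board-level metric.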
## Further Reading

For a deeper dive into cybersecurity maturity models and how to interpret results, see the Cybersecurity Maturity Assessment Guide on vCSO.ai.

To conduct a comprehensive risk assessment that complements maturity scoring, read Security Risk Assessment: A Complete Guide.

For guidance on building a governance framework around your maturity findings, see Cybersecurity Governance.