The IT Services IT Risk team invites IT teams across campus to complete the Security Framework Assessment (SFA) annually. The assessment is built on a customized version of the National Institute of Standards and Technology's (NIST) Cybersecurity Framework (CSF).
This article answers the most commonly asked questions about the annual Security Framework Assessment. To learn more, select a topic below:
What is the Security Framework Assessment (SFA)?
- An annual self-assessment.
- Questions are based on the National Institute of Standards and Technology's (NIST) Cybersecurity Framework (CSF).
- Administered through the Isora Governance, Risk, and Compliance (GRC) tool, the web-based application that hosts the SFA.
What is the timing of this year's SFA?
Units must first complete SFA training (in Workday, in lieu of a kickoff meeting) before their unit's assessment is opened. Any participating member from a unit completing the training opens the assessment for all participants in their unit. Training will become available via Workday Learning by March 3, 2025. This kickoff date is intended to consider the demands of the University's academic year and allow units more time in the summer months to complete their SFA. SFAs are due on July 18, 2025.
What are the goals of the Security Framework Assessment?
- Demonstrate a thorough understanding of the University's cybersecurity posture. When federal funding agencies, prospective insurers, auditors, vendors, or our own leadership asks the IT Services IT Risk team how well the University protects its data, we need to have a defensible answer ready.
- Identify common gaps that can be addressed with centrally provided, shared policies, processes, or tools. Addressing information security at as high a level of the University as makes sense is efficient and minimizes our attack surface.
- Make consistent data-backed cases to University leadership to help them dedicate the resources necessary to close security gaps. We are all doing the best we can with limited resources, and we are all aware of gaps or pain points in our own units that we'd like to address. This assessment provides a way to quantify and contextualize those gaps.
- This assessment is NOT an evaluation of team skill or competence.
What is the scope of the assessment?
This assessment is designed to measure the maturity of assets and practices for which your unit IT team is officially responsible.
- For your quantitative answers (radio button selections), consider practices that your team manages directly and attest to one of five maturity tiers. Explanations (Clarifications field) are required to support your selection.
- For qualitative answers (Documentations field), documented processes or runbooks (in any state of completion) are requested to help explain how your unit operates a practice.
We hope the assessment provides your team with an opportunity to clearly define the boundaries of your responsibilities. This can be complicated! For example, a lot of us manage software applications on servers that another group manages. In that case, score yourself only on your management of the software layer; we assume the team managing the hardware will speak to the way they manage the hardware. It'd be helpful to explain this situation in the notes field.
Who needs to complete the assessment?
Units that provide IT support to their students, faculty, and staff should complete the assessment. One designated primary IT person will facilitate the completion of the online assessment form (this person may designate others in their unit to participate), and unit leadership will acknowledge the responses.
What are the roles in the assessment process?
- Unit IT Staff
  - Primary: IT Risk's point of contact; facilitates the assessment.
  - Supporting (if applicable): Provide information in areas of responsibility or expertise.
- Organizational Unit (OU) Head: The OU Head is non-IT leadership who acknowledges the answers.
- Assessment Managers: IT Risk team members who help create, publish, and review assessments.
How is the assessment structured?
The CSF on which the assessment is based contains:
- 5 Functions: Identify (ID), Protect (PR), Detect (DE), Respond (RS), and Recover (RC)
- The CSF includes a new function, Govern, which the Office of the CISO will complete. The Office of the CISO will evaluate the University's approach to these controls and whether it appropriately supports unit IT.
- There are 75 controls to answer (down from 137).
CSF subcategories are shown as their original statements and are referred to as 'controls'. To make them easier to interpret, each control is also rephrased as a question, which you can read by activating the question-mark button on the right side of the screen. The rephrased question is the first item you see and may be followed by a menu of tools and practices that further explain the security method required.
What types of questions does the assessment ask?
There are four types of questions:
- Risk Profile
  - The first four questions in the assessment
  - Yes or No questions; explanations are required in some cases
- Implementation:
  - Answer by selecting one of 5 maturity tiers. Tiers range from 'not implemented' to 'managed completely with leadership trust', each reflecting an increased level of security responsibility.
  - Tier responses:
    - Tier 0 - Not implemented
    - Tier 1 - Partial
    - Tier 2 - Risk informed
    - Tier 3 - Repeatable
    - Tier 4 - Adaptive
- Documentation (.1):
  - Documentation controls have been simplified to require 'No', 'Partial', or 'Yes' answers.
  - Answering 'Partial' or 'Yes' requires an upload or link to your documentation.
How and why has the SFA changed since last year?
- The CSF has been updated to version 2.0. The SFA was updated to keep pace with the most current version of the standard.
- Documentation questions have changed so that units get credit for the documentation, even partial documentation, that they have regardless of the University's policies.
- The weighting of controls has changed.
- Information Assurance will be validating answers above a certain score threshold.
- The Isora Interface is updated.
- All questions require written explanations regarding how you're managing your unit. You get additional credit for providing documented processes and utilizing University centrally supported security methods (central options).
CSF 2.0 - Framework Changes
- Answers cannot be transferred over from last year's assessment because of the framework changes.
- CSF categories have been reorganized. Some categories were broken up and parts re-assigned to strengthen the focus of existing categories or to create new ones; others remain the same.
  - For example, CSF 2.0's ID.IM-2 ('Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties') replaces CSF 1.1's ID.SC-5 ('Response and recovery planning and testing are conducted with suppliers and third-party providers').
- Maturity tiers: The CSF is designed to measure the progression of security practice adoption through maturity tiers. Rather than answering 'how much' of a practice you cover with a percentage, you will respond to 'how well' a practice is applied.
We will send you a spreadsheet of your answers from last year to use in completing this year's assessment.
NIST CSF 2.0 Tiers Explanation - Implementation Options Have Changed
Tiers are a combination of how work is done, the breadth of processes/documentation, and leadership involvement. When you answer implementation questions for your unit, you need to address all three parts of the question in the clarification field associated with your answer.
Tier 0 - Not Implemented
Tier 1 - Partial:
- Work is done in an ad hoc manner.
- Your unit has a few documented processes, and
- Your leadership has no or limited awareness of your efforts.
Summary: Work is ad hoc; leadership is not well aware; documentation is limited
Tier 2 - Risk Informed:
- Work is done by prioritizing the highest risk issues as they emerge, which may be all you have capacity to address.
- Your unit has a moderate number of documented processes, and
- Your leadership has reasonable awareness of your efforts.
Summary: Work is prioritized by highest risk only; leadership is somewhat aware; documentation exists but is not updated
Tier 3 - Repeatable:
- Work is done in a risk-informed manner and is repeatable over time to consistently address a backlog of issues.
- Your unit has many documented processes that are periodically reviewed, and
- Your leadership has reasonable awareness of your efforts and is engaged in reviewing your approach.
Summary: Work is prioritized by addressing a risk backlog; leadership is well aware; documentation is thorough and updated periodically
Tier 4 - Adaptive:
- Work is done in a risk-informed manner and is repeatable over time to consistently address a backlog of issues.
- Your unit has formally documented processes that are updated as threats evolve, and
- Your leadership has reasonable awareness of your efforts, is engaged in reviewing your approach, and approves it as part of a larger picture.
Summary: Work is prioritized by addressing a risk backlog; leadership approves as part of a larger strategy; documentation is thorough and updated continuously as threats evolve.
How should I answer implementation questions?
NIST CSF 2.0 places an emphasis on maturity tiers, and this year's SFA reflects that emphasis. For each control:
1. Read the control, refer to the guidance text, and reflect on your process.
2. Describe the work, processes, and leadership aspects needed to meet this control for your unit.
3. Select the maturity tier that best matches your situation. If you are between two tiers, choose the lower of the two.
4. Review your answers from last year with the NIST CSF Crosswalk: 2.0 to 1.1 Guide.
5. Decide what makes sense to include in your new answer (the text you wrote in step 2). When in doubt, include too much.
Quantitative part (drop-down menu)
- Tier 0 - Not Implemented
- Tier 1 - Partial
- Tier 2 - Risk Informed
- Tier 3 - Repeatable
- Tier 4 - Adaptive
Qualitative part (clarification field):
The assessment tool requires that you add explanatory context for every answer. This context is a gift to anyone interpreting the data, especially the people who will fill it out next year.
Answering controls and using help text:
- CSF 2.0 controls appear as statements.
- The help text provides guidance on how to answer each control. In the help text, the CSF statement is rewritten as a question designed for university practices.
- Your answers may be supported by the use of university offerings. A menu of tools and/or services is offered below the question.
How should I pick a maturity tier?
The maturity tier you choose should reflect how you answer 4 basic questions:
- Is the work being done at all? If so, is it with the right tools?
- When is the work done? Ad-hoc, highest-risk-only, or in a sustained manner?
- Is the work itself well defined with processes and documentation? Are these improved upon over time?
- Is your leadership aware of your efforts in this area? Are they involved with decision making or enforcement?
- Answer questions conservatively.
  - The IT Risk team wants to identify common gaps and cases in which your unit needs resources.
  - Scoring favors progress over perfection; give yourself room to improve year over year.
  - Remember, you do not need to be exact.
What are University offerings (central options)?
For seventy percent of the implementation questions, using a service offered by IT Services or another central campus provider can support a higher maturity tier. These offerings appear in the Question Help portion of the control, accessed by activating the question-mark button on the right side of the screen.
These services directly support the objectives of the control, enhance your security efforts, and offer insight into the types of tools required to address specific security issues. How you incorporate the tool into your practice and manage it should be reflected in your maturity tier and supported by your written description, the extent of your documented process or playbook, and your leadership's awareness and support of your work.
How should I answer documentation questions?
Documentation controls have been simplified to require 'No', 'Partial', or 'Yes' answers. Answering 'Partial' or 'Yes' requires an upload or link to your documentation.
Documentation requests appear after answering an implementation control with Tier 1 or higher.
- No: Documentation has not been prepared yet.
- Partial: Documentation is under way but incomplete.
- Yes: Documentation is thorough.
Your maturity tier and your documentation controls are related. To select Tier 3 or 4, your documentation must be complete ('Yes').
- Tier 0 - No documentation
- Tier 1 - Usually partial documentation
- Tier 2 - Usually partial documentation
- Tier 3 - Yes documentation
- Tier 4 - Yes documentation
How is the assessment scored?
- Score averages within categories and functions determine your current security standing within the tiered model. How you improve your score in these areas can indicate your security trajectory over time. Claiming Tier 3 or Tier 4 answers will require defensible explanations in your written details and provided documentation. Any answer claiming these tiers without proof will be set to Tier 0.
- Answer questions conservatively.
  - IT Risk wants to identify common gaps and cases in which your unit needs resources.
  - Scoring favors progress over perfection, so give yourself room to improve year over year.
Will my score change significantly?
Yes. The necessary changes and improvements for this year's cycle will reset the baseline for all units. This understandably complicates demonstrating year-over-year improvement with your leadership.
To address this issue, once all SFAs have been submitted and analyzed, official reporting will include a communication that will help explain the shift, and how to evaluate new results in light of that shift.
Do I get to see my score?
Yes. Isora allows you to view your score immediately after the OU Head acknowledges the assessment. Additionally, Information Assurance develops unit score reports which include the anonymized aggregated data of all units.
May I change my answers after I submit my assessment?
Not for this new cycle. Changing submitted answers requires technical intervention and prevents campus-level calculations from being completed. Please double-check your answers with your staff and OU to make sure they are correct. Budget time before the deadline to ask questions and have them answered.
How much time will it take to complete this year?
This year, using the method described in this article, updating IT Services' own answers took 2 staff 10 hours each. The work took place in a collaborative document, and the final OU-approved answers were entered in Isora.
- Maturity tiers introduce new effort, but depending on your familiarity with your previous answers and your leadership experience, it may be quick.
- You will need to submit answers for 75 controls, and the NIST CSF Crosswalk: 2.0 to 1.1 Guide will help you translate your previous answers.
- You will need to answer documentation controls again, but the choice selection for answering is different and better acknowledges a Unit's efforts in documenting processes.
How do I prepare for the assessment?
We will provide the following key documents to help you with the assessment:
- NIST CSF Crosswalk: 2.0 to 1.1 Guide
  - The NIST CSF Crosswalk guide allows you to see where last year's answers map to controls in this year's assessment.
- CSF Tiers Guide for the University's profile
- Your previous CSF 1.1 SFA-based answers
- SFA for your unit
To prepare:
- Read the questions in advance; email itrisk@uchicago.edu for a copy if you have not received them.
- If your unit has participated in an assessment before, speak to a primary IT staff person who can share copies of your unit's previous answers, or ask for a copy of your unit's previous report in order to understand the focus of the assessment.
- Help us identify staff from your group with special knowledge to add as participants.
- Gather information, including:
  - What type of inventory of devices and services do you have?
  - What written procedures or playbooks do you already have?
  - What types of training and communication methods do you have that enhance security awareness?
- Read up on how to understand maturity tiers.
What kind of support can I get? What if I need help?
We have set aside time to meet with you to answer your questions. Email itrisk@uchicago.edu to schedule a meeting with us.
Participants who scheduled working sessions with us in past years:
- Were able to better understand the assessment
- Completed the assessment faster
- Provided accurate data
Do I need to keep taking the assessment each year?
This assessment is conducted annually for IT units that manage and process sensitive data and information and every other year for IT units that manage and process low to medium sensitivity data.