The IT Services IT Risk team invites IT teams across campus to complete the Security Framework Assessment (SFA) annually. The assessment is built on a customized version of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
This article provides answers to the most commonly asked questions relating to the Annual Security Framework Assessment. To learn more, select a topic from below:
What is the Security Framework Assessment (SFA)?
- An annual self-assessment.
- Questions are based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
- Administered through Isora, a web-based Governance, Risk, and Compliance (GRC) tool that hosts the SFA.
What is the timing of this year's SFA?
Units must first complete SFA training in Workday before their unit's assessment is opened. Any participating member from a unit completing the training opens the assessment for all participants in their unit. Training will become available via Workday Learning by March 12, 2026. This kickoff date takes into account the demands of the University's academic year and gives units more time in the summer months to complete their SFA. SFAs are due on July 17, 2026.
What are the goals of the Security Framework Assessment?
- Demonstrate a thorough understanding of the University's cybersecurity posture. When federal funding agencies, prospective insurers, auditors, vendors, or our own leadership asks the IT Services IT Risk team how well the University protects its data, we need to have a defensible answer ready.
- Identify common gaps that can be addressed with centrally provided, shared policies, processes, or tools. Addressing information security at as high a level of the University as makes sense is efficient and minimizes our attack surface.
- Make consistent data-backed cases to University leadership to help them dedicate the resources necessary to close security gaps. We are all doing the best we can with limited resources, and we are all aware of gaps or pain points in our own units that we'd like to address. This assessment provides a way to quantify and contextualize those gaps.
- This assessment is NOT an evaluation of team skill or competence.
What is the scope of the assessment?
The annual SFA utilizes maturity tier-based metrics of the NIST cybersecurity framework to evaluate how volunteering academic, research, and administrative IT units structure their cybersecurity practices. Units are required to document their processes and tools related to the management of data and systems for supporting critical University functions.
By aggregating these results, we determine the University's overall maturity range. The core objective is continuous improvement: as each unit strategically improves based on its resources, these gains incrementally drive up the campus average, which is reported as the University’s annual maturity score.
Who needs to complete the assessment?
Units that provide IT support to their students, faculty, and staff should complete the assessment. One designated primary IT person will facilitate completion of the online assessment form (this person may designate others in their unit to participate), and unit leadership will acknowledge the responses. Units answer the following scoping questions:
- Does your unit process any sensitive/restricted data? If so, please specify the types of sensitive/restricted data.
- Does your unit support any research contracts that require Moderate or High protection levels? If so, please specify the research entity or entities.
- Is your unit responsible for any web properties that process sensitive data?
- Note: if your unit’s answers to the above questions about sensitive/restricted data, research contracts, or externally facing web applications change significantly, your unit should report those changes by emailing itrisk@uchicago.edu.
- Do you manage your own servers or containers on-premises or in the cloud?
- Do you manage your own desktops independently of ITS?
- Do you manage operationally significant applications outside of ITS management?
- Are your servers included in InsightVM?
- Do you rely solely on an environment audited to NIST standards?
- If you are a subunit, do you inherit your parent unit’s practices?
What are the roles in the assessment process?
- Unit IT Staff
  - Primary: IT Risk's point of contact; facilitates the assessment.
  - Supporting (if applicable): provide information in areas of responsibility or expertise.
- Technology Director (if applicable): the Primary IT Staff's senior leadership manager and security liaison to the OU Head.
- Organizational Unit (OU) Head: non-IT leadership who acknowledges the answers.
How is the assessment structured?
The assessment, based on the CSF, covers:
- 5 Functions: Identify (ID), Protect (PR), Detect (DE), Respond (RS), and Recover (RC)
- 75 controls to answer
The subcategories are presented as their original statements and are referred to as "controls." The guidance now includes instructions on how to select a Tier 3 response, helping you align your unit’s evidence and procedures with the control requirements.
What types of questions does the assessment ask?
The assessment asks the following types of questions:
- Risk Profile/Privacy Profile/Leadership Awareness
  - The first ten questions in the assessment
  - Yes or No questions; explanations are required in some cases
- Implementation
  - Answer by selecting one of 5 maturity tiers. Tiers represent increasing levels of security responsibility, ranging from 'not implemented' to 'managed completely with leadership trust'.
  - Tier responses:
    - Tier 0 - Not implemented
    - Tier 1 - Partial
    - Tier 2 - Risk informed
    - Tier 3 - Repeatable
    - Tier 4 - Adaptive
- Documentation (.1)
  - Documentation controls have been simplified to require 'No', 'Partial', or 'Yes' answers.
  - Answering 'Partial' or 'Yes' requires an upload or link to your documentation.
What do Tiers mean?
NIST CSF 2.0 Tiers Explanation
Tiers are a combination of how work is done, the breadth of processes/documentation, and leadership involvement. When you answer implementation questions for your unit, you need to address all parts of the question in the clarification field associated with your answer.
Tier 0 - Not Implemented.
Tier 1 - Partial:
- Work is done in an ad hoc manner.
- Your unit has a few documented processes.
- Your leadership has no or limited awareness of your efforts.
Summary: Work is ad hoc; leadership is not well aware; documentation is limited.
Tier 2 - Risk Informed:
- Work is done by prioritizing the highest-risk issues as they emerge, which may be all you have capacity to address.
- Your unit has a moderate number of documented processes.
- Your leadership has reasonable awareness of your efforts.
Summary: Work is prioritized by highest risk only; leadership is somewhat aware; documentation exists but is not updated.
Tier 3 - Repeatable:
- Your unit has sufficient procedural documentation. (A "Yes" answer to the corresponding documentation question.)
- Your procedures are consistently followed and reviewed on a regular basis.
- Your unit's approach is risk-informed, and repeatable, consistently addressing a backlog of issues.
- Your unit's leadership is aware of and engaged in reviewing your approach. (A “Yes” answer to the Leadership Awareness question).
- You can attest to all of the following (copy-and-paste options are provided in the Guidance text in the Question Help).
Summary: Your current practices fully align with what is described in the Guidance text (in the Question Help).
Tier 4 - Adaptive:
- Your current practices fully align with what is described in the Guidance text (in the Question Help).
- An outside auditor (PwC, KPMG, or another third-party vendor) has essentially confirmed your Tier 3 response.
- The "Yes" for documentation references the formal documentation that has been validated through an external auditor.
Summary: Your current practices fully align with what is described in the Guidance text (in the Question Help). An outside auditor reviewed you favorably against the control, and your "Yes" to documentation points to the auditor's document.
How should I answer implementation questions?
NIST CSF 2.0 places an emphasis on maturity tiers, and this year's SFA reflects this. For each control:
1. Read the control, refer to the guidance text, and reflect on your process.
2. Describe the work, processes, and leadership aspects needed to meet this control for your unit.
3. Select the maturity tier that best matches your situation. If you are between two tiers, choose the lower of the two.
4. Review your answers from last year with the NIST CSF Crosswalk: 2.0 to 1.1 Guide.
5. Decide what makes sense to include in your new answer (the text you wrote in step 2). When in doubt, include too much.
Quantitative part (drop-down menu)
- Tier 0 - Not Implemented
- Tier 1 - Partial
- Tier 2 - Risk Informed
- Tier 3 - Repeatable
- Tier 4 - Adaptive
Qualitative part (clarification field):
The assessment tool requires that you add explanatory context for every answer. This context is a gift to anyone interpreting the data, especially the people who will fill it out next year.
Answering controls and using help text:
- CSF 2.0 controls appear as statements.
- The help text provides guidance and understanding on how to answer each control at a Tier 3.
- If you cannot fully meet what the guidance outlines, or you can but your documentation is partial or incomplete, select Tier 0, 1, or 2.
How should I pick a maturity tier?
The maturity tier you choose should reflect how you answer four basic questions:
- Is the work being done at all? If so, is it done with the right tools?
- When is the work done? Ad hoc, highest-risk-only, or in a sustained manner?
- Is the work itself well defined with processes and documentation? Are these improved upon over time?
- Is your leadership aware of your efforts in this area? Are they involved in decision making or enforcement?
Answer questions conservatively:
- The IT Risk team wants to identify common gaps and cases in which your unit needs resources.
- Scoring favors progress over perfection; give yourself room to improve year over year.
- You do not need to be exact.
How should I answer documentation questions?
Documentation controls have been simplified to require 'No', 'Partial', or 'Yes' answers. Answering 'Partial' or 'Yes' requires an upload or link to your documentation.
Documentation requests appear after answering an implementation control with Tier 1 or higher.
- No: Documentation has not been prepared yet.
- Partial: Documentation is under way but incomplete.
- Yes: Documentation is thorough.
Your maturity tier and your documentation controls are related. To select tier 3 or 4, your documentation must be complete (“Yes”).
- Tier 0 - No documentation
- Tier 1 - Usually partial documentation
- Tier 2 - Usually partial documentation
- Tier 3 - Yes documentation
- Tier 4 - Yes documentation that has been validated through an external auditor
How do I select Tier 3 in Respond and Recover?
This year we are introducing an Incident Response (IR) procedure template. This template helps units define their internal roles, escalation processes, and procedures for identifying and reporting incidents, including when and how to engage IT Security.
To support the release and implementation of the template, Information Assurance requires units to participate in a brief meeting to review the template and answer any questions.
How do I use the Incident Response (IR) procedure template?
The template establishes a unit’s incident response governance structure, including roles, escalation processes, and alignment with the University Incident Response Standard. Completing the template helps units document their approach to incident response and supports applicable SFA Respond and Recover controls.
The template focuses on governance, accountability, and escalation expectations during an incident. It does not replace system-specific runbooks, playbooks, or other technical response procedures that units maintain for operational purposes.
Units may adapt the template to fit their operational needs, provided that key incident response roles, escalation processes, and alignment with institutional standards are clearly documented. Units seeking to demonstrate Tier 3 maturity should also ensure the process is reviewed regularly and approved by IT Security.
How do I submit my Incident Response (IR) procedure?
Complete the IR Procedure Google template located in your unit’s SFA Google folder. When your document is ready for review, email itrisk@uchicago.edu. Information Assurance (IA) will review the version stored in your unit’s Google folder as of the IR process submission deadline.
When will I hear back?
Shortly after the IR procedure submission deadline, IA will conduct an initial review of your document. We will let you know whether the procedure is sufficiently complete for you to use it as documentation when answering the Respond and Recover portions of the SFA and selecting Tier 3 maturity responses.
What happens if my IR procedure isn’t strong enough to support a Tier 3?
IA will provide targeted feedback directly in your Google document with recommendations for strengthening the procedure.
What happens if I don’t update the IR procedure after getting feedback?
Your responses from last year’s assessment will be carried forward into this year’s SFA. You may use those responses; however, completion of the IR procedure document is a prerequisite for selecting Tier 3 answers. If updates are not made, Information Assurance will manually adjust your responses in Isora, and no responses will be scored above Tier 2.
How is the assessment scored?
Score averages within categories and functions determine your current security standing within the tiered model. How you improve your score in these areas can indicate your security trajectory over time. Claiming Tier 3 or Tier 4 answers requires defensible explanations in your written details and provided documentation. Any answer claiming these tiers without proof will be set to Tier 0.
Answer questions conservatively:
- IT Risk wants to identify common gaps and cases in which your unit needs resources.
- Scoring favors progress over perfection, so give yourself room to improve year over year.
Do I get to see my score?
Yes. Your unit’s score will be shared in the report generated by Information Assurance after all assessments have been finalized. The report will also include anonymized, aggregated results across all units so you can understand how your unit compares to the broader University landscape.
May I change my answers after I submit my assessment?
Once submitted, answers cannot be changed without technical intervention, which can affect campus-level calculations. Please double check your answers with your staff and OU to make sure they are correct. Budget time before the deadline to ask and have questions answered.
How much time will it take to complete this year?
Since units completed the CSF 2.0 assessment last year, most teams are already familiar with the questions and structure. As a result, the time required should be shorter, particularly if you are building on or updating your prior responses. Most units can expect to spend time reviewing answers, updating documentation, and incorporating any new guidance.
How do I prepare for the assessment?
We will provide your previous CSF 2.0 SFA-based answers to help you with the assessment. To prepare:
- Read the questions in advance; email itrisk@uchicago.edu for a copy if you have not received them.
- If your unit has participated in an assessment before, ask the primary IT staff person for copies of your unit's previous answers, or request a copy of your unit's previous report, to understand the focus of the assessment.
- Help us identify staff from your group with special knowledge to add as participants.
- Gather information, including:
  - What type of inventory of devices and services do you have?
  - What written procedures or playbooks do you already have?
  - What types of training and communication methods do you have that enhance security awareness?
- Read up on how to understand maturity tiers.
What kind of support can I get? What if I need help?
We have set aside time to meet with you to answer your questions. Email itrisk@uchicago.edu to schedule a meeting with us.
Participants who scheduled working sessions with us in past years:
- Were able to better understand the assessment
- Completed the assessment faster
- Provided accurate data