Assessment to Assessment Mapping

There are similarities in different security models that lend themselves to assessment mapping options. For example, a completed NIST assessment, which requires input from all organizational controls, can be applied where applicable to the CFS assessment template. Providing mapping options between matching data collected for different security models saves organizations from redundant work and improves the consistency of control entries across various assessments.

In addition, after completing at least one assessment, the list of common controls creates a template for the assessment to assessment mapping. Customers can either

select from mapping templates created by Axio,
create their own mapping template (in progress, currently requires administrative steps by Axio), or
select from mapping templates created by industry peers (development in progress).

Editing a mapping template from any source provides granular control over the assessment mapping, whether updating a common control and having it applied to multiple assessments or how a specific control maps.

Available Maps

With the current deployment, Axio360 provides a list of preconfigured maps that users can select:

Available maps	Source model	Target Model
C2M2V2.1-to-CSFv1.1 DOE mapping	C2M2 v2.1	NIST CSF v 1.1
C2M2-v1.1-to-C2M2V2.1 DOE mapping	C2M2 v1.1	C2M2 v.2.1
CIS18-to-CSFv1.1 Axio Expert map	CIS v18	NIST CSF v1.1
CMMC-v1-to-CMMC-v2	CMMC v1	CMMC v2
CSF CMMI–>NIST-PF CMMI Axio map	CMMICSF v1.1	NIST Privacy Framework (CMMI)[1]
CSF–>NIST-PF FILIPINI Axio map	FILIPINI CSF v1.1	NIST Privacy Framework (FILIPINI)[2]
CSFv1.1-to-v2 CMMI Axio map	NIST CSF v1.1 (CMMI)	NIST CSF v2.0 (CMMI)
CSFv1.1-to-v2 FILIPINI Axio map	NIST CSF v1.1 (FILIPINI)	NIST CSF v2.0 (FILIPINI)
CSFV1.1GP–>CRIV1.2T1 CRI map	CSF v1.1 GP	CRI v1.2 CMMI Tier 1

Only CRI v1.2 Tier 1 is currently available as a mapping option from CSF V1.1. The other Tiers are following shortly.

If a mapping references Axio map or Axio Expert map in the name, the map has been developed or modified for use in Axio360 by Axio Cybersecurity Engineering team members. All maps provided by other organizations reference the organization’s name in the map title.

More maps will be uploaded as they become available. Check back for updates. If you are looking for additional maps, please contact us through the Support Portal to request or inquire.

How to Use an Assessment Map

C2M2 Example

To use the Assessment Mapping feature, follow these steps:

In the left navigation menu select the Assessments icon.
From the list of new assessments, select the type of assessment you want to create. For example C2M2 v2.1 Full Assessment.
On the New Assessment modal
1. provide an assessment name and meaningful description for easy identification.
2. specify tags and a target score from the available drop-down menus.
3. from the Select an assessment map (Optional) drop-down, select a completed assessment map. For this example, we selected a C2M2 v1.1 to v2.1 map, named C2M2 Take 2. This is just a test name and will be different for your environment.
4. from the Source Assessment to use (Optional) drop-down, select a previously completed assessment based on the model that you wish to map into the new assessment.
Click Save.

Once the new assessment opens with the mapped data, you can start your assessment work based on the new model.

Mapped assessment

The assessment practices show a status message if the data has been mapped from a source assessment. Practices that are net new in the target assessment show up as not implemented and need to have a mapped from status message.

CRI Example - Preview

CRI Assessments need to be mapped by tier:

CRI v1.2 Tier 1 to CRI v2.0 Tier 1
CRI v1.2 Tier 2 to CRI v2.0 Tier 2
CRI v1.2 Tier 3 to CRI v2.0 Tier 3
CRI v1.2 Tier 4 to CRI v2.0 Tier 4

To view detailed differences between the versions, refer to Map - CRI v1.2.1 to v2.0.