Assessment to Assessment Mapping
There are similarities in different security models that lend themselves to assessment mapping options. For example, a completed NIST assessment, which requires input from all organizational controls, can be applied where applicable to the CSF assessment template. Providing mapping options between matching data collected for different security models saves organizations from redundant work and improves the consistency of control entries across various assessments.
In addition, after completing at least one assessment, the list of common controls creates a template for the assessment to assessment mapping. Customers can either
- select from mapping templates created by Axio,
- create their own mapping template (in progress, currently requires administrative steps by Axio), or
- select from mapping templates created by industry peers (development in progress).
Editing a mapping template from any source provides granular control over the assessment mapping, whether you are updating a common control so that it applies to multiple assessments or changing how a specific control maps.
Available Maps
With the current deployment, Axio360 provides a list of preconfigured maps that users can select:
| Available maps | Source model | Target model |
|---|---|---|
| C2M2V2.1-to-CSFv1.1 DOE mapping | C2M2 v2.1 | NIST CSF v1.1 |
| C2M2-v1.1-to-C2M2V2.1 DOE mapping | C2M2 v1.1 | C2M2 v2.1 |
| CIS18-to-CSFv1.1 Axio Expert map | CIS v18 | NIST CSF v1.1 |
| CMMC-v1-to-CMMC-v2 | CMMC v1 | CMMC v2 |
| CRIv1.2 T1 to CSFv1.1 Axio map | CRI v1.2 | NIST CSF v1.1 |
| CRIv1.2 CMMI T1 to CSFv1.1 CMMI | CRI v1.2 CMMI | NIST CSF v1.1 CMMI |
| CSF CMMI–>NIST-PF CMMI Axio map | CMMICSF v1.1 | NIST Privacy Framework (CMMI)[1] |
| CSF–>NIST-PF FILIPINI Axio map | FILIPINI CSF v1.1 | NIST Privacy Framework (FILIPINI)[2] |
| CSFv1.1-to-v2 CMMI Axio map | NIST CSF v1.1 (CMMI) | NIST CSF v2.0 (CMMI) |
| CSFv1.1-to-v2 FILIPINI Axio map | NIST CSF v1.1 (FILIPINI) | NIST CSF v2.0 (FILIPINI) |
| CSFV1.1GP–>CRIV1.2T1 CRI map | CSF v1.1 GP | CRI v1.2 CMMI Tier 1 |
Only CRI v1.2 Tier 1 is currently available as a mapping option from CSF v1.1. The other tiers will follow shortly.
If a mapping references Axio map or Axio Expert map in the name, the map has been developed or modified for use in Axio360 by Axio Cybersecurity Engineering team members. All maps provided by other organizations reference the organization’s name in the map title.
More maps will be uploaded as they become available. Check back for updates. If you are looking for additional maps, please contact us through the Support Portal to request or inquire.
How to Use an Assessment Map
C2M2 Example
To use the Assessment Mapping feature, follow these steps:
- In the left navigation menu, select the Assessments icon.
- From the list of new assessments, select the type of assessment you want to create. For example, C2M2 v2.1 Full Assessment.
- On the New Assessment modal:
  - Provide an assessment name and meaningful description for easy identification.
  - Specify tags and a target score from the available drop-down menus.
  - From the Select an assessment map (Optional) drop-down, select a completed assessment map. For this example, we selected a C2M2 v1.1 to v2.1 map, named C2M2 Take 2. This is just a test name and will be different for your environment.
  - From the Source Assessment to use (Optional) drop-down, select a previously completed assessment based on the model that you wish to map into the new assessment.
- Click Save.
Once the new assessment opens with the mapped data, you can start your assessment work based on the new model.
The assessment practices show a status message if the data has been mapped from a source assessment. Practices that are net new in the target assessment show up as not implemented and need to have a mapped from status message.
CRI Example - Preview
CRI Assessments need to be mapped by tier:
- CRI v1.2 Tier 1 to CRI v2.0 Tier 1
- CRI v1.2 Tier 2 to CRI v2.0 Tier 2
- CRI v1.2 Tier 3 to CRI v2.0 Tier 3
- CRI v1.2 Tier 4 to CRI v2.0 Tier 4
To view detailed differences between the versions, refer to Map - CRI v1.2.1 to v2.0.
To use the Assessment Mapping feature, follow these steps:
- In the left navigation menu, select the Assessments icon.
- From the list of new assessments, select the type of assessment you want to create. For example, CRI V2 Tier 1.
- On the New Assessment modal:
  - Provide an assessment name and meaningful description for easy identification.
  - In the Prepared on Behalf of (Required) field, enter the company name for reference.
  - Specify tags and a target score from the available drop-down menus.
  - From the Select an assessment map (Optional) drop-down, select a completed assessment map. For this example, we selected a CRI Profile 1.2 to CRI v2.0 Tier 1 map, named CRIProfilev1.2-to-v2 CRI T1 TEST. This is just a test name and will be different for your environment.
  - From the Source Assessment to use (Optional) drop-down, select a previously completed assessment based on the model that you wish to map into the new assessment. In this example: CRI Profile v1.2.1 tier 1.
- Click Save.
Once the new assessment opens with the mapped data, you can start your assessment work based on the new model.
The assessment practices show a status message if the data has been mapped from a source assessment, for example, “*Mapped from CRI Profile v1.2.1 tier 1”.