IAM Maturity Assessment for NIST CSF 2.0
The NIST Cybersecurity Framework 2.0 is a voluntary framework for managing cybersecurity risk. Identity, authentication, and access control live primarily in the PR.AA category, governance expectations in the GV function, and identity threat detection in the DE function. Implementation Tier 2 corresponds to risk-informed, repeatable processes.
- Maturity threshold
- 2.0 / 4.0
- Mapped questions
- 34
- IAM domains
- 9
- Assessment scope
- All scopes
What NIST CSF 2.0 Expects from Identity Programs
The identity-relevant themes below reflect the AXIS capabilities mapped to NIST CSF 2.0 citations in the question bank. They paraphrase where identity fits, not the legal text itself.
- Identity and credential management for users, services, and devices (PR.AA)
- Governance of identity risk: roles, policy, and executive oversight (GV)
- Detection of anomalous identity activity and response integration (DE)
- Coverage across all nine AXIS domains, from PAM and IGA to CIAM
AXIS Questions Mapped to NIST CSF 2.0
34 of the 37 questions in the AXIS bank carry NIST CSF 2.0 citations, including 7 domino controls (foundational capabilities that cap the overall score when weak).
| Question | Domain | Capability | NIST CSF 2.0 references |
|---|---|---|---|
| IGA-01 Domino | IGA | Lifecycle Management (Joiner / Mover / Leaver) | NIST CSF 2.0 PR.AA-01; NIST CSF 2.0 PR.AA-05; NIST CSF 2.0 GV.RM-5 |
| IGA-02 | IGA | Access Requests & Approvals | NIST CSF 2.0 PR.AA-01; NIST CSF 2.0 PR.AA-05 |
| IGA-03 | IGA | Access Reviews & Recertification | NIST CSF 2.0 PR.AA-05; NIST CSF 2.0 PR.AA-02 |
| IGA-04 | IGA | Role-Based Access Control (RBAC) & Access Modeling | NIST CSF 2.0 PR.AA-02; NIST CSF 2.0 PR.AA-01 |
| IGA-05 | IGA | Entitlement Discovery and Classification | NIST CSF 2.0 PR.AA-02 |
| IGA-06 | IGA | Segregation of Duties (SoD) | NIST CSF 2.0 PR.AA-05 |
| PAM-01 Domino | PAM | Admin Credential Protection | NIST CSF 2.0 PR.AA; NIST CSF 2.0 PR.AA-05 |
| PAM-02 Domino | PAM | Secrets Management (Non-Human & Application Credentials) | NIST CSF 2.0 PR.AA-01 |
| PAM-03 | PAM | Endpoint Privilege & Local Admin Control | NIST CSF 2.0 PR.AA-02 |
| PAM-04 | PAM | Just-In-Time (JIT) Cloud & Infrastructure Access | NIST CSF 2.0 PR.AA-05 |
| PAM-05 | PAM | Session Management and Recording | NIST CSF 2.0 DE.AE-3; NIST CSF 2.0 RS.AN-03 |
| AUTH-01 Domino | Auth/SSO | Adaptive MFA | NIST CSF 2.0 PR.AA + DE.CM (monitoring) |
| AUTH-02 | Auth/SSO | Single Sign-On (SSO) Coverage & Enforcement | NIST CSF 2.0 PR.AA-03; NIST CSF 2.0 PR.AA-01 |
| AUTH-03 | Auth/SSO | Device Trust & Zero Trust Enforcement | NIST CSF 2.0 PR.AA-05; NIST CSF 2.0 PR.AA-01 |
| AUTH-04 | Auth/SSO | Phishing-Resistant MFA & Session Integrity | NIST CSF 2.0 PR.AA-01 |
| AUTH-05 | Auth/SSO | Account Recovery & Identity Verification Resistance | NIST CSF 2.0 PR.AA-01; NIST CSF 2.0 PR.AA-02; NIST CSF 2.0 PR.AA-03 |
| CLOUD-01 Domino | Cloud | Multi-Cloud Permission Management (CIEM) | NIST CSF 2.0 PR.AA; NIST CSF 2.0 PR.AA-05; NIST CSF 2.0 PR.AA + DE.CM |
| CLOUD-02 | Cloud | Non-Human Identity (NHI) Governance | NIST CSF 2.0 PR.AA-01 |
| CLOUD-03 | Cloud | SaaS Application Discovery & Shadow IT Control | NIST CSF 2.0 ID.AM-2; NIST CSF 2.0 GV.OC-03; NIST CSF 2.0 GV.RM-01 |
| CLOUD-04 | Cloud | Infrastructure-as-Code (IaC) IAM Guardrails & Drift Control | NIST CSF 2.0 PR.PS-01 |
| CLOUD-05 | Cloud | AI Agent Identity Governance | NIST CSF 2.0 DE.AE-5; NIST CSF 2.0 PR.AA-05 |
| SEC-01 Domino | Security | Identity Threat Detection & Response (ITDR) | NIST CSF 2.0 DE.CM + RS; NIST CSF 2.0 DE + RS |
| SEC-02 | Security | Identity Resilience & Disaster Recovery | NIST CSF 2.0 RC.RP-01; NIST CSF 2.0 ID.IM-04 |
| SEC-03 | Security | User Behavioral Analytics (UBA) | NIST CSF 2.0 DE.AE-1; NIST CSF 2.0 DE.AE-2; NIST CSF 2.0 DE.AE-3; NIST CSF 2.0 DE.AE-4 |
| SEC-04 | Security | Data Security Posture & Identity-to-Data Risk Mapping (DSPM) | NIST CSF 2.0 PR.DS; NIST CSF 2.0 PR.DS-01 |
| SEC-05 | Security | Identity Posture & Attack-Surface Management (ISPM) | NIST CSF 2.0 ID.AM-05; NIST CSF 2.0 ID.RA-01; NIST CSF 2.0 DE.CM-09; NIST CSF 2.0 PR.PS-01 |
| GOV-01 Domino | Governance | Identity Data Ownership | NIST CSF 2.0 GV.PO-1 |
| GOV-02 | Governance | IAM Metrics, Risk & Executive Visibility | NIST CSF 2.0 GV.RM-1; NIST CSF 2.0 GV.RM-2; NIST CSF 2.0 GV.RM-4; NIST CSF 2.0 GV.RM-5 |
| GOV-03 | Governance | IAM Policy Definition, Enforcement & Drift Control | NIST CSF 2.0 GV.PO-1; NIST CSF 2.0 PR.AA-01; NIST CSF 2.0 GV.RM-5 |
| GOV-04 | Governance | IAM Operating Model and Skills | NIST CSF 2.0 GV.PO-01; NIST CSF 2.0 GV.RR-02; NIST CSF 2.0 GV.RR-2; NIST CSF 2.0 GV.OC-1; NIST CSF 2.0 GV.RM-7 |
| CIAM-04 | CIAM | B2B Delegated Administration & Partner Identity | NIST CSF 2.0 PR.AA-01 |
| CIAM-05 | CIAM | Customer Onboarding, Identity Proofing & KYC | NIST CSF 2.0 PR.AA |
| CIAM-DATA-01 | CIAM × Data | Customer Access-to-Data Visibility & Impact Control | NIST CSF 2.0 PR.DS; NIST CSF 2.0 PR.AA-01 |
| CIAM-PAM-01 | CIAM × PAM | Customer-Admin Privilege Governance | NIST CSF 2.0 PR.AA-05; NIST CSF 2.0 DE.CM |
How AXIS Scores NIST CSF 2.0 Alignment
A threshold model: each mapped control either meets the NIST CSF 2.0 maturity bar or it does not, and the alignment percentage is the share that does.
Threshold: 2.0 of 4.0
Each framework in AXIS carries a research-derived maturity threshold (Methodology Section 7.2). For NIST CSF 2.0, a mapped control counts as passing when its answered maturity level reaches 2.0: documented and repeatable. The alignment percentage is the share of mapped controls at or above that bar.
Citations live on individual answer options, so the exact set of controls counted for NIST CSF 2.0 in a given assessment reflects the answers selected. The table above lists every question whose answer options carry NIST CSF 2.0 citations.
80%+
Aligned
60-79%
At Risk
<60%
Non-Compliant
Scope and Industry Awareness
NIST CSF 2.0 appears in every assessment scope: workforce, customer identity (CIAM), and full.
It is shown for all assessed industries, so it appears in every compliance matrix where enough of its controls are answered.
Indicative Alignment, Not Certification
This page describes how the AXIS assessment maps its question bank to NIST Cybersecurity Framework 2.0. Alignment scores are indicative: they are not a certification, an audit opinion, or legal advice. Whether and how NIST CSF 2.0 applies depends on your organization, sector, and jurisdiction; consult qualified counsel or auditors for formal compliance determinations.
See Where You Stand Against NIST CSF 2.0
Run the AXIS assessment and get your maturity score, NIST CSF 2.0 alignment, and a prioritized roadmap in one pass. No signup required to start.