Standards & Certifications

IAM Maturity Assessment for NIST CSF 2.0

The NIST Cybersecurity Framework 2.0 is a voluntary framework for managing cybersecurity risk. Identity, authentication, and access control live primarily in the PR.AA category, governance expectations in the GV function, and identity threat detection in the DE function. Implementation Tier 2 corresponds to risk-informed, repeatable processes.

Maturity threshold
2.0 / 4.0
Mapped questions
34
IAM domains
9
Assessment scope
All scopes
Identity Expectations

What NIST CSF 2.0 Expects from Identity Programs

The identity-relevant themes below reflect the AXIS capabilities mapped to NIST CSF 2.0 citations in the question bank. They paraphrase where identity fits, not the legal text itself.

  • Identity and credential management for users, services, and devices (PR.AA)
  • Governance of identity risk: roles, policy, and executive oversight (GV)
  • Detection of anomalous identity activity and response integration (DE)
  • Coverage across all nine AXIS domains, from PAM and IGA to CIAM
Question Mapping

AXIS Questions Mapped to NIST CSF 2.0

34 of the 37 questions in the AXIS bank carry NIST CSF 2.0 citations, including 7 domino controls (foundational capabilities that cap the overall score when weak).

AXIS assessment questions mapped to NIST CSF 2.0, with domain, capability, and framework references
QuestionDomainCapabilityNIST CSF 2.0 references
IGA-01
Domino
IGALifecycle Management (Joiner / Mover / Leaver)NIST CSF 2.0 PR.AA-01; NIST CSF 2.0 PR.AA-05; NIST CSF 2.0 GV.RM-5
IGA-02IGAAccess Requests & ApprovalsNIST CSF 2.0 PR.AA-01; NIST CSF 2.0 PR.AA-05
IGA-03IGAAccess Reviews & RecertificationNIST CSF 2.0 PR.AA-05; NIST CSF 2.0 PR.AA-02
IGA-04IGARole-Based Access Control (RBAC) & Access ModelingNIST CSF 2.0 PR.AA-02; NIST CSF 2.0 PR.AA-01
IGA-05IGAEntitlement Discovery and ClassificationNIST CSF 2.0 PR.AA-02
IGA-06IGASegregation of Duties (SoD)NIST CSF 2.0 PR.AA-05
PAM-01
Domino
PAMAdmin Credential ProtectionNIST CSF 2.0 PR.AA; NIST CSF 2.0 PR.AA-05
PAM-02
Domino
PAMSecrets Management (Non-Human & Application Credentials)NIST CSF 2.0 PR.AA-01
PAM-03PAMEndpoint Privilege & Local Admin ControlNIST CSF 2.0 PR.AA-02
PAM-04PAMJust-In-Time (JIT) Cloud & Infrastructure AccessNIST CSF 2.0 PR.AA-05
PAM-05PAMSession Management and RecordingNIST CSF 2.0 DE.AE-3; NIST CSF 2.0 RS.AN-03
AUTH-01
Domino
Auth/SSOAdaptive MFANIST CSF 2.0 PR.AA + DE.CM (monitoring)
AUTH-02Auth/SSOSingle Sign-On (SSO) Coverage & EnforcementNIST CSF 2.0 PR.AA-03; NIST CSF 2.0 PR.AA-01
AUTH-03Auth/SSODevice Trust & Zero Trust EnforcementNIST CSF 2.0 PR.AA-05; NIST CSF 2.0 PR.AA-01
AUTH-04Auth/SSOPhishing-Resistant MFA & Session IntegrityNIST CSF 2.0 PR.AA-01
AUTH-05Auth/SSOAccount Recovery & Identity Verification ResistanceNIST CSF 2.0 PR.AA-01; NIST CSF 2.0 PR.AA-02; NIST CSF 2.0 PR.AA-03
CLOUD-01
Domino
CloudMulti-Cloud Permission Management (CIEM)NIST CSF 2.0 PR.AA; NIST CSF 2.0 PR.AA-05; NIST CSF 2.0 PR.AA + DE.CM
CLOUD-02CloudNon-Human Identity (NHI) GovernanceNIST CSF 2.0 PR.AA-01
CLOUD-03CloudSaaS Application Discovery & Shadow IT ControlNIST CSF 2.0 ID.AM-2; NIST CSF 2.0 GV.OC-03; NIST CSF 2.0 GV.RM-01
CLOUD-04CloudInfrastructure-as-Code (IaC) IAM Guardrails & Drift ControlNIST CSF 2.0 PR.PS-01
CLOUD-05CloudAI Agent Identity GovernanceNIST CSF 2.0 DE.AE-5; NIST CSF 2.0 PR.AA-05
SEC-01
Domino
SecurityIdentity Threat Detection & Response (ITDR)NIST CSF 2.0 DE.CM + RS; NIST CSF 2.0 DE + RS
SEC-02SecurityIdentity Resilience & Disaster RecoveryNIST CSF 2.0 RC.RP-01; NIST CSF 2.0 ID.IM-04
SEC-03SecurityUser Behavioral Analytics (UBA)NIST CSF 2.0 DE.AE-1; NIST CSF 2.0 DE.AE-2; NIST CSF 2.0 DE.AE-3; NIST CSF 2.0 DE.AE-4
SEC-04SecurityData Security Posture & Identity-to-Data Risk Mapping (DSPM)NIST CSF 2.0 PR.DS; NIST CSF 2.0 PR.DS-01
SEC-05SecurityIdentity Posture & Attack-Surface Management (ISPM)NIST CSF 2.0 ID.AM-05; NIST CSF 2.0 ID.RA-01; NIST CSF 2.0 DE.CM-09; NIST CSF 2.0 PR.PS-01
GOV-01
Domino
GovernanceIdentity Data OwnershipNIST CSF 2.0 GV.PO-1
GOV-02GovernanceIAM Metrics, Risk & Executive VisibilityNIST CSF 2.0 GV.RM-1; NIST CSF 2.0 GV.RM-2; NIST CSF 2.0 GV.RM-4; NIST CSF 2.0 GV.RM-5
GOV-03GovernanceIAM Policy Definition, Enforcement & Drift ControlNIST CSF 2.0 GV.PO-1; NIST CSF 2.0 PR.AA-01; NIST CSF 2.0 GV.RM-5
GOV-04GovernanceIAM Operating Model and SkillsNIST CSF 2.0 GV.PO-01; NIST CSF 2.0 GV.RR-02; NIST CSF 2.0 GV.RR-2; NIST CSF 2.0 GV.OC-1; NIST CSF 2.0 GV.RM-7
CIAM-04CIAMB2B Delegated Administration & Partner IdentityNIST CSF 2.0 PR.AA-01
CIAM-05CIAMCustomer Onboarding, Identity Proofing & KYCNIST CSF 2.0 PR.AA
CIAM-DATA-01CIAM × DataCustomer Access-to-Data Visibility & Impact ControlNIST CSF 2.0 PR.DS; NIST CSF 2.0 PR.AA-01
CIAM-PAM-01CIAM × PAMCustomer-Admin Privilege GovernanceNIST CSF 2.0 PR.AA-05; NIST CSF 2.0 DE.CM
Scoring Model

How AXIS Scores NIST CSF 2.0 Alignment

A threshold model: each mapped control either meets the NIST CSF 2.0 maturity bar or it does not, and the alignment percentage is the share that does.

Threshold: 2.0 of 4.0

Each framework in AXIS carries a research-derived maturity threshold (Methodology Section 7.2). For NIST CSF 2.0, a mapped control counts as passing when its answered maturity level reaches 2.0: documented and repeatable. The alignment percentage is the share of mapped controls at or above that bar.

Citations live on individual answer options, so the exact set of controls counted for NIST CSF 2.0 in a given assessment reflects the answers selected. The table above lists every question whose answer options carry NIST CSF 2.0 citations.

80%+

Aligned

60-79%

At Risk

<60%

Non-Compliant

Scope and Industry Awareness

NIST CSF 2.0 appears in every assessment scope: workforce, customer identity (CIAM), and full.

It is shown for all assessed industries, so it appears in every compliance matrix where enough of its controls are answered.

Indicative Alignment, Not Certification

This page describes how the AXIS assessment maps its question bank to NIST Cybersecurity Framework 2.0. Alignment scores are indicative: they are not a certification, an audit opinion, or legal advice. Whether and how NIST CSF 2.0 applies depends on your organization, sector, and jurisdiction; consult qualified counsel or auditors for formal compliance determinations.

See Where You Stand Against NIST CSF 2.0

Run the AXIS assessment and get your maturity score, NIST CSF 2.0 alignment, and a prioritized roadmap in one pass. No signup required to start.