Skip to main content
SharePoint Forge
SharePoint Forge
Compliance

SharePoint Forge NIST CSF Tracker

A continuous NIST CSF 2.0 tracker — live Microsoft 365 tenant signals where licensing and availability allow, plus a built-in control tracker for the subcategories no telemetry can answer.

£3,495/year

How it works

The business problem

Why this package exists.

A NIST CSF audit answers a simple question — how well are we protecting the organisation? — but assembling the answer is anything but simple. The signals are scattered across Secure Score, Conditional Access, MFA reports, Intune, Defender, Identity Protection and the governance evidence that lives in policies and spreadsheets. Most teams react by either paying £15k–£50k for a one-off consultancy gap assessment, buying a £8k–£30k/year multi-framework GRC platform, or doing nothing until the auditor knocks. The NIST CSF Tracker gives you a fourth option — continuous, in-tenant, owned by you, driven by your live tenant signals wherever your Microsoft 365 licensing exposes them.

Included with NIST CSF Tracker

  • SPFx web part with overall posture ring gauge and six NIST CSF 2.0 Function tiles (Govern, Identify, Protect, Detect, Respond, Recover)
  • Drill-down panel showing every Category, its score and the underlying controls with deep links into the Microsoft admin centres
  • SharePoint Control Tracker list seeded with all 47 official NIST CSF 2.0 Subcategories that Microsoft 365 has no direct telemetry for
  • In-web-part editor for ticking off manual controls — status, notes and audit history persisted to the list
  • Print-to-PDF and CSV exports for the auditor evidence pack
  • Per-source graceful degradation — where a tenant signal isn't available (licence not held, service not configured) the control shows an amber 'not assessable' banner and is excluded from scoring, rather than breaking the tracker
  • Deployment guide, admin checklist and release notes

In your tenant

What it looks like.

Every pixel renders inside the customer's SharePoint Online — no SaaS backend, no data leaves the tenant.

NIST Cybersecurity Report dashboard showing an overall posture score of 14/100 with six NIST CSF 2.0 Function tiles — Govern, Identify, Protect, Detect, Respond, Recover — each with its score and a count of items needing attention.
The main dashboard — overall posture score plus the six NIST CSF 2.0 Functions at a glance.
The PR (Protect) Function drill-down panel open on the right of the dashboard, listing every Protect category and the underlying Microsoft Secure Score controls with their status and remediation links.
Drill into any Function to see every Category, control, and a one-click remediation link into the Microsoft admin centre.
Modal dialog titled 'Update GV.OC-02' over the dashboard, with fields for implementation status (Not implemented selected), notes, and Save / Cancel buttons — the in-web-part editor for the SharePoint Control Tracker list.
Tick off manual NIST CSF 2.0 Subcategories that Microsoft 365 has no telemetry for — status, notes, and audit history persist straight to a SharePoint list.

What you get

A package designed to be deployed, not consulted on.

Deployment model

Designed to be deployed by a Microsoft 365 or SharePoint administrator using the included guide. Typical deployment is a single working session, not a project.

Licence & support

Licensed annually to one verified business domain. Active licence includes downloads, documentation, supported updates and authenticated support tickets.

Technical requirements

Requires SharePoint Online with a tenant-level App Catalog. The web part requests Microsoft Graph read permissions covering Secure Score, Conditional Access, MFA reporting, Intune compliance, Defender alerts and Identity Protection — a tenant admin approves them once via SharePoint Admin → API access. Viewers need a directory role that can read tenant security data (Global Reader or Security Reader). Signals only populate where your Microsoft 365 licensing and service availability expose them; each Graph source can also be disabled in the property pane if the tenant isn't licensed for it.

FAQ

Common questions.

Will this make us 'NIST CSF certified'?

No. NIST CSF 2.0 is a voluntary cybersecurity framework, not a certification scheme — there is no official body that issues a NIST CSF badge. This package gives you continuous, evidence-based visibility of your posture against the framework so you can demonstrate maturity to auditors, customers and regulators, and satisfy 'aligns with NIST CSF' procurement requirements. It is not a substitute for assessments tied to certifications that reference NIST CSF (e.g. CMMC, ISO 27001 mapping, FedRAMP).

Does any data leave my tenant?

No. The web part reads from Microsoft Graph and a SharePoint list directly in the customer's tenant. There is no SaaS backend, no telemetry endpoint, no third-party server — the only outbound call is the standard SharePoint Forge licence heartbeat to verify your subscription.

How does it score Govern when Microsoft 365 has no Govern telemetry?

Govern is populated from two sources: a configuration-maturity proxy derived from the other signals (enforced Conditional Access, defined compliance policies, active Secure Score oversight) which is explicitly labelled as configuration-derived in the UI, and the Control Tracker list where admins attest implementation status with notes and audit history for GV.OC, GV.RM and GV.SC subcategories.

How is this different from Microsoft Purview Compliance Manager?

Purview is excellent but requires Microsoft 365 E5 licensing across the organisation and there's no in-page web part view. NIST CSF Report works on any commercial Microsoft 365 SKU with SharePoint Online, drops into any SharePoint communication site, and is purpose-built for NIST CSF 2.0 rather than the multi-framework approach Purview takes.

What's the difference vs Vanta / Drata / Secureframe?

Those are great if you need multi-framework coverage (SOC 2, ISO 27001, HIPAA, NIST), vendor risk management, evidence collection workflows and an external auditor portal. If your primary framework is NIST CSF and you want continuous in-tenant visibility without monthly SaaS fees or your data leaving Microsoft 365, this is the lighter, focused option.

Can I export evidence for an auditor?

Yes. Two exports ship: a print-styled PDF report opened in a new tab containing the full assessment, and a CSV with one row per assessment plus a per-Function summary. Both pull from the same data the dashboard shows.

Ready to deploy NIST CSF Tracker?

Buy securely through Stripe, then access your package and documentation through the SharePoint Forge customer portal.

Related

Other SharePoint Forge packages.

A continuous UK Cyber Essentials and CE Plus control tracker driven by live Microsoft 365 tenant signals, where licensing and availability allow.

£2,495/year
  • Live Cyber Essentials tenant signals, where available
  • Seeded CE+ control tracker
  • Assessor-ready evidence pack

An executive licence-efficiency dashboard that surfaces wasted Microsoft 365 spend from idle and inactive licences, where signal availability allows.

£995/year
  • Monthly licence-waste figure in GBP, where signals allow
  • Per-SKU utilisation + inactive users
  • Branded PDF + PowerPoint export

An adoption-and-usage dashboard showing how actively your people use Microsoft 365 across Teams, Exchange, SharePoint, OneDrive and Copilot, where signal availability allows.

£995/year
  • Weighted M365 adoption score, where signals allow
  • Per-service active users + 90-day trend
  • Branded PDF + PowerPoint export