
NIST CSF Assessment SOP

Standard Operating Procedure for NIST Cybersecurity Framework assessments

Service Pillar: Protect
Service Category: Security Assessment
Target Duration: 3-4 weeks
Related Pricing: See Pricing & Positioning


Service Overview

Purpose

Conduct comprehensive assessments against the NIST Cybersecurity Framework (CSF) 2.0 to evaluate security maturity, identify gaps, and develop prioritized improvement roadmaps.

Target Personas

| Persona | Primary Pain Point | Value Case |
|---|---|---|
| Solo IT Director | Need a structured security approach | Industry-standard security framework |
| CFO/Controller | Security investment prioritization | Risk-based security spending |
| CTO/VP Engineering | Security maturity demonstration | Provable security posture for customers |

Business Justification

| Metric | Value | Source |
|---|---|---|
| Organizations using NIST CSF | 50%+ of US organizations | NIST CSF Adoption Study 2024 |
| Cost savings with risk-based security | 20-40% efficiency | NIST CSF Implementation Studies |
| Average breach cost without framework | $5.36 million | IBM 2024 |
| Average breach cost with framework | $4.10 million | IBM 2024 |
| Organizations reporting improved risk management | 78% | ISACA CSF Survey |

Pricing Reference

| Tier | Scope | Price Range | Duration |
|---|---|---|---|
| Essential | <50 employees, basic assessment | $12,000-$18,000 | 2-3 weeks |
| Standard | 50-200 employees, full assessment | $18,000-$25,000 | 3-4 weeks |
| Comprehensive | 200+ employees, detailed maturity | $25,000-$40,000 | 4-5 weeks |

See Pricing & Positioning for complete pricing structure.


Pre-Engagement

Qualification Checklist

  • Security leadership sponsor identified
  • Assessment scope defined
  • Prior assessments available
  • Key stakeholders available for interviews
  • Current security documentation accessible
  • Organizational risk appetite understood

Required Information Gathering

| Category | Documents Needed |
|---|---|
| Organizational | Org chart, business units, locations |
| Security | Existing policies, procedures, architecture |
| Technology | Asset inventory, network diagrams, tools |
| Compliance | Regulatory requirements, existing frameworks |
| Risk | Previous risk assessments, incident history |

NIST CSF 2.0 Framework

Core Functions

| Function | Focus | Key Outcomes |
|---|---|---|
| GOVERN (GV) | Organizational context, strategy, supply chain | Cybersecurity strategy, roles, policy |
| IDENTIFY (ID) | Asset management, risk assessment, improvement | Known assets, understood risks |
| PROTECT (PR) | Access control, awareness, data security | Safeguards in place |
| DETECT (DE) | Continuous monitoring, anomaly detection | Timely detection capability |
| RESPOND (RS) | Incident management, analysis, communication, mitigation | Effective incident response |
| RECOVER (RC) | Recovery plan execution, recovery communication | Business continuity |

Note that CSF 2.0 moved the improvement and lessons-learned outcomes out of RECOVER into IDENTIFY (ID.IM); RECOVER now covers only plan execution and recovery communication, as the category tables below show.

CSF 2.0 Category Structure

GOVERN (New in CSF 2.0)

| Category | ID | Focus |
|---|---|---|
| Organizational Context | GV.OC | Mission, stakeholders, legal/regulatory |
| Risk Management Strategy | GV.RM | Risk appetite, strategy, priorities |
| Roles, Responsibilities, Authorities | GV.RR | Accountability, governance |
| Policy | GV.PO | Policy establishment and communication |
| Oversight | GV.OV | Review and adjustment of strategy |
| Cybersecurity Supply Chain Risk Management | GV.SC | Supplier and third-party risk |

IDENTIFY

| Category | ID | Focus |
|---|---|---|
| Asset Management | ID.AM | Physical, software, data assets |
| Risk Assessment | ID.RA | Threat, vulnerability, risk analysis |
| Improvement | ID.IM | Lessons learned, improvements |

PROTECT

| Category | ID | Focus |
|---|---|---|
| Identity Management, Authentication, and Access Control | PR.AA | Access management, MFA |
| Awareness and Training | PR.AT | Security awareness |
| Data Security | PR.DS | Data protection, encryption |
| Platform Security | PR.PS | Configuration, patching |
| Technology Infrastructure Resilience | PR.IR | Redundancy, resilience |

DETECT

| Category | ID | Focus |
|---|---|---|
| Continuous Monitoring | DE.CM | Monitoring activities |
| Adverse Event Analysis | DE.AE | Event analysis, alerting |

RESPOND

| Category | ID | Focus |
|---|---|---|
| Incident Management | RS.MA | Response procedures |
| Incident Analysis | RS.AN | Investigation, root cause |
| Incident Response Reporting and Communication | RS.CO | Stakeholder communication |
| Incident Mitigation | RS.MI | Containment and eradication |

RECOVER

| Category | ID | Focus |
|---|---|---|
| Incident Recovery Plan Execution | RC.RP | Recovery procedures |
| Incident Recovery Communication | RC.CO | Recovery communication |

Assessment Process

Phase 1: Scoping and Planning (Days 1-3)

Objective: Establish assessment scope and approach

| Activity | Deliverable | Duration |
|---|---|---|
| Kickoff meeting | Aligned expectations | 0.5 day |
| Scope definition | Assessment scope document | 0.5 day |
| Stakeholder identification | Interview schedule | 0.5 day |
| Document request | Information request list | 0.5 day |
| Current profile draft | Preliminary profile | 0.5 day |

Phase 2: Current State Assessment (Days 4-12)

Objective: Evaluate current cybersecurity posture

| Activity | Deliverable | Duration |
|---|---|---|
| GOVERN function assessment | Governance findings | 1.5 days |
| IDENTIFY function assessment | Asset/risk findings | 1.5 days |
| PROTECT function assessment | Safeguard findings | 2 days |
| DETECT function assessment | Monitoring findings | 1 day |
| RESPOND function assessment | Response findings | 1 day |
| RECOVER function assessment | Recovery findings | 0.5 day |
| Technical validation | Technical verification | 1 day |

Assessment Approach by Function

GOVERN Assessment:

  • Interview senior leadership on risk appetite
  • Review organizational security strategy
  • Evaluate policy framework completeness
  • Assess supply chain risk management

IDENTIFY Assessment:

  • Review asset management processes
  • Evaluate risk assessment methodology
  • Assess improvement/lessons learned process

PROTECT Assessment:

  • Evaluate access control implementation
  • Review security awareness program
  • Assess data protection controls
  • Review platform security configurations

DETECT Assessment:

  • Review monitoring capabilities
  • Evaluate alerting and triage processes
  • Assess detection coverage

RESPOND Assessment:

  • Review incident response plan
  • Evaluate response procedures
  • Assess communication protocols

RECOVER Assessment:

  • Review business continuity plans
  • Evaluate recovery procedures
  • Assess recovery testing

Interview answers are claims, not evidence. For every category rating, record the artifact that supports it (policy document, sampled configuration, log extract, ticket or test record) so the technical validation day can confirm a sample of the claims rather than re-asking the same questions.

Phase 3: Gap Analysis (Days 13-16)

Objective: Identify gaps between current and target state

| Activity | Deliverable | Duration |
|---|---|---|
| Target profile development | Target maturity profile | 1 day |
| Gap identification | Gap matrix | 1 day |
| Prioritization | Priority assessment | 1 day |
| Remediation planning | Action plan draft | 1 day |

Phase 4: Reporting (Days 17-22)

Objective: Document findings and recommendations

| Activity | Deliverable | Duration |
|---|---|---|
| Report drafting | Draft assessment report | 2 days |
| Internal QA | Quality review | 1 day |
| Client review | Feedback incorporation | 2 days |
| Final delivery | Complete CSF assessment | 1 day |

Maturity Rating Methodology

Implementation Tiers

| Tier | Name | Characteristics |
|---|---|---|
| Tier 1 | Partial | Ad-hoc, reactive, limited awareness |
| Tier 2 | Risk Informed | Risk-aware but not organization-wide |
| Tier 3 | Repeatable | Documented policies, regular review |
| Tier 4 | Adaptive | Continuous improvement, metrics-driven |

The Tier is a single organization-level judgement of how rigorously cybersecurity risk governance and risk management are practised. It is assessed separately from the per-category scores below and must not be derived by averaging them; NIST does not present Tiers as maturity levels, and a higher Tier is only a target where the cost of reaching it is justified by the risk reduction.

Category Maturity Scoring

| Score | Definition | Characteristics |
|---|---|---|
| 0 | Not Implemented | No capability exists |
| 1 | Initial | Ad-hoc, undocumented |
| 2 | Developing | Partially documented, inconsistent |
| 3 | Defined | Documented, consistently applied |
| 4 | Managed | Measured, performance tracked |
| 5 | Optimizing | Continuously improved |

Scores are assigned per category (22 in CSF 2.0). Evidence is gathered against the subcategories within each category, and the category score should reflect the weakest subcategory outcome rather than the average, so a single unaddressed outcome is not masked by strong neighbours.

Deliverables

NIST CSF Assessment Report

Structure:

  1. Executive Summary
     • Assessment scope and approach
     • Overall maturity score
     • Key findings summary
     • Priority recommendations
  2. Current Profile
     • Function-by-function assessment
     • Category maturity ratings
     • Implementation tier assessment
  3. Target Profile
     • Recommended target maturity
     • Business justification
     • Risk-based prioritization
  4. Gap Analysis
     • Current vs target comparison
     • Gap severity ratings
     • Remediation complexity
  5. Improvement Roadmap
     • Prioritized action items
     • Quick wins (0-90 days)
     • Short-term (90-180 days)
     • Long-term (180+ days)
     • Resource estimates
  6. Implementation Guidance
     • Function-specific recommendations
     • Tool and technology suggestions
     • Process improvements

CSF Profile Visualization

                    Current Profile vs Target Profile

GOVERN      ████████████░░░░░░░░  60% → 80%
IDENTIFY    ██████████░░░░░░░░░░  50% → 75%
PROTECT     ████████████████░░░░  80% → 90%
DETECT      ██████░░░░░░░░░░░░░░  30% → 70%
RESPOND     ████████░░░░░░░░░░░░  40% → 75%
RECOVER     ████░░░░░░░░░░░░░░░░  20% → 60%

Quality Assurance

Internal Review Checklist

  • All 6 functions assessed
  • All categories evaluated
  • Maturity ratings consistent
  • Recommendations actionable
  • Target profile justified
  • Roadmap realistic
  • Business context reflected
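The following is an added example, not part of this SOP and not NIST's own method: a small Python helper that takes per-category ratings on the 0-5 scale above, performs the "All categories evaluated" QA check against the 22 CSF 2.0 categories listed in this document, rolls ratings up to the function percentages and overall score shown in the Current vs Target profile, builds the gap matrix used in Phase 3, and renders the bar chart in the report's layout. Two rules it encodes are assumptions rather than anything the SOP states: a function percentage is the mean of its category scores divided by 5, and gap severity is Low / Medium / High for a gap of 1 / 2 / 3 or more. The sample ratings are constructed for illustration and are not from a client.

```python
"""Scoring helper for a CSF 2.0 assessment: coverage check, function and
overall scores, gap matrix, and the Current vs Target profile bar chart."""
from dataclasses import dataclass

# Category registry, taken from the CSF 2.0 category tables in this SOP.
CSF_CATEGORIES = {
    "GOVERN":   ["GV.OC", "GV.RM", "GV.RR", "GV.PO", "GV.OV", "GV.SC"],
    "IDENTIFY": ["ID.AM", "ID.RA", "ID.IM"],
    "PROTECT":  ["PR.AA", "PR.AT", "PR.DS", "PR.PS", "PR.IR"],
    "DETECT":   ["DE.CM", "DE.AE"],
    "RESPOND":  ["RS.MA", "RS.AN", "RS.CO", "RS.MI"],
    "RECOVER":  ["RC.RP", "RC.CO"],
}
FUNCTION_OF = {cat: fn for fn, cats in CSF_CATEGORIES.items() for cat in cats}
MAX_SCORE = 5  # top of the 0-5 category maturity scale

# Assumed severity thresholds on the gap (target minus current); the SOP
# does not fix these numbers, they are an illustration.
SEVERITY = {0: "None", 1: "Low", 2: "Medium"}  # 3 or more -> "High"


def validation_errors(ratings):
    """Unknown category IDs or scores outside 0..MAX_SCORE, as messages."""
    errors = []
    for cat, score in ratings.items():
        if cat not in FUNCTION_OF:
            errors.append(f"{cat}: not a CSF 2.0 category")
        elif not isinstance(score, int) or not 0 <= score <= MAX_SCORE:
            errors.append(f"{cat}: score {score!r} outside 0..{MAX_SCORE}")
    return errors


def missing_categories(ratings):
    """Categories with no rating: the QA item 'All categories evaluated'."""
    return [cat for cat in FUNCTION_OF if cat not in ratings]


def function_scores(ratings):
    """Mean category score per function, as a percentage of MAX_SCORE."""
    scores = {}
    for fn, cats in CSF_CATEGORIES.items():
        mean = sum(ratings[c] for c in cats) / len(cats)
        scores[fn] = round(mean / MAX_SCORE * 100, 1)
    return scores


def overall_score(ratings):
    """Overall maturity: mean of all 22 category scores, as a percentage."""
    mean = sum(ratings[c] for c in FUNCTION_OF) / len(FUNCTION_OF)
    return round(mean / MAX_SCORE * 100, 1)


@dataclass
class GapRow:
    function: str
    category: str
    current: int
    target: int
    gap: int
    severity: str


def gap_matrix(current, target):
    """Per-category gaps, largest first; ties keep CSF function order."""
    rows = []
    for fn, cats in CSF_CATEGORIES.items():
        for cat in cats:
            gap = target[cat] - current[cat]
            sev = "Exceeds target" if gap < 0 else SEVERITY.get(gap, "High")
            rows.append(GapRow(fn, cat, current[cat], target[cat], gap, sev))
    order = list(CSF_CATEGORIES)
    rows.sort(key=lambda r: (-r.gap, order.index(r.function)))  # stable sort
    return rows


def render_profile(current, target, width=20):
    """Current vs target bars per function, in the report's ASCII layout."""
    cur, tgt = function_scores(current), function_scores(target)
    lines = []
    for fn in CSF_CATEGORIES:
        filled = int(round(cur[fn] / 100 * width))
        bar = "█" * filled + "░" * (width - filled)
        lines.append(f"{fn:<11} {bar}  {cur[fn]:.0f}% → {tgt[fn]:.0f}%")
    return "\n".join(lines)


# Constructed sample ratings (not from a real client) for a small organization.
SAMPLE_CURRENT = {
    "GV.OC": 4, "GV.RM": 3, "GV.RR": 3, "GV.PO": 3, "GV.OV": 2, "GV.SC": 3,
    "ID.AM": 3, "ID.RA": 2, "ID.IM": 1,
    "PR.AA": 4, "PR.AT": 4, "PR.DS": 4, "PR.PS": 3, "PR.IR": 3,
    "DE.CM": 2, "DE.AE": 1,
    "RS.MA": 2, "RS.AN": 2, "RS.CO": 2, "RS.MI": 2,
    "RC.RP": 1, "RC.CO": 1,
}
SAMPLE_TARGET = {
    "GV.OC": 4, "GV.RM": 4, "GV.RR": 4, "GV.PO": 4, "GV.OV": 4, "GV.SC": 4,
    "ID.AM": 4, "ID.RA": 4, "ID.IM": 3,
    "PR.AA": 5, "PR.AT": 4, "PR.DS": 4, "PR.PS": 4, "PR.IR": 4,
    "DE.CM": 4, "DE.AE": 4,
    "RS.MA": 4, "RS.AN": 4, "RS.CO": 3, "RS.MI": 4,
    "RC.RP": 3, "RC.CO": 3,
}

if __name__ == "__main__":
    assert not validation_errors(SAMPLE_CURRENT)
    assert not missing_categories(SAMPLE_CURRENT), "unrated categories"
    print(f"Overall maturity: {overall_score(SAMPLE_CURRENT)}% -> "
          f"{overall_score(SAMPLE_TARGET)}%")
    print(render_profile(SAMPLE_CURRENT, SAMPLE_TARGET))
    for row in gap_matrix(SAMPLE_CURRENT, SAMPLE_TARGET)[:5]:
        print(f"{row.category}  {row.current}->{row.target}  "
              f"gap {row.gap}  {row.severity}")
```

Running the module prints the overall score, the six-line profile chart and the five largest gaps. The coverage check runs before any arithmetic on purpose: a missing category silently lowers nothing and raises nothing in a plain average, so it has to be caught explicitly, which is the point of the "All categories evaluated" QA item.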

Client Review Process

  1. Draft report delivery
  2. 5 business day review period
  3. Profile review workshop
  4. Final report delivery
  5. Roadmap planning session

Post-Delivery

Implementation Support Options

| Option | Scope | Investment |
|---|---|---|
| Self-Implementation | Report + templates only | Included |
| Quarterly Reviews | Progress tracking, priority updates | $3,000-$5,000/quarter |
| vCISO Integration | Full program management | vCISO pricing |

Ongoing CSF Management

| Activity | Frequency | Purpose |
|---|---|---|
| Profile review | Annual | Reassess maturity |
| Gap status update | Quarterly | Track remediation |
| Risk landscape review | Semi-annual | Update threat context |
| Target profile review | Annual | Adjust objectives |

| Service | Connection | SOP Reference |
|---|---|---|
| Risk Assessment | Aligns with ID.RA | risk-assessment-sop.md |
| Penetration Testing | Validates controls | pentest-sop.md |
| Incident Response | RS function support | incident-response-sop.md |
| vCISO | Ongoing CSF management | vcto-vciso-engagement-sop.md |

Evidence Base

Why This Approach Works

| Principle | Evidence | Source |
|---|---|---|
| CSF provides common language | Industry-standard framework adopted globally | NIST |
| Risk-based approach effective | 24% lower breach cost with framework | IBM 2024 |
| Maturity model drives improvement | Measurable progress tracking | ISACA |
| Profile-based approach | Tailored to organizational needs | NIST CSF 2.0 |

SBK Success Metrics

| Metric | Target | Measurement |
|---|---|---|
| Maturity improvement | 1+ tier in 12 months | Follow-up assessment |
| Client satisfaction | 4.5+/5.0 | Post-engagement survey |
| Roadmap adoption rate | 80%+ | 12-month follow-up |
| Repeat engagement rate | 60%+ | Annual return |

Regulatory References


Last Updated: February 2026 | Version: 1.0