The first time you read the NIST Cybersecurity Framework, it can feel like it isn’t telling you anything. Six functions — Govern, Identify, Protect, Detect, Respond, Recover — organized into categories and subcategories, each one a short outcome statement. “Physical devices and systems within the organization are inventoried.” “Identities and credentials are managed for authorized devices and users.” True statements, but not instructions.
The CSF is deliberately not a how-to. It’s a common vocabulary and outcomes catalog — a way of describing what a mature security program looks like, regardless of industry, size, or which specific frameworks an organization uses underneath. For the “how,” CSF points outward to other frameworks — SP 800-53, ISO 27001, CIS Controls. Each subcategory maps to specific controls in those catalogs, and those controls carry the implementation detail.
What CSF is genuinely good at is something different: it’s a structure for finding out where an organization actually stands, and for organizing a roadmap to where it needs to be. That’s the assessment use case, and it’s the most common way CSF actually gets used in practice.
RMF vs. CSF — Different Tools for Different Jobs
It’s worth being clear about how this differs from the NIST Risk Management Framework (SP 800-37), because the two get confused. RMF is a federal-specific, sequential process — Categorize, Select, Implement, Assess, Authorize, Monitor — built to get a specific system an Authorization to Operate using SP 800-53 controls. It’s prescriptive and system-focused.
CSF is voluntary, applies to any organization, and operates at the program level rather than the system level. It doesn’t produce an authorization — it produces a picture of organizational posture across six functions, which can then be compared against a target state to identify gaps. RMF answers “has this system been formally assessed and authorized.” CSF answers “where does this organization stand, function by function, and what should it prioritize.”
The Assessment Workflow
In practice, a CSF-based assessment follows a consistent shape regardless of the size or type of organization.
Scope
Define the boundary — the whole organization, a business unit, or a specific system. Everything downstream depends on this being clear before the questions start.
Build the Current Profile
For each subcategory across all six functions, determine whether the outcome exists today — through interviews, document review, and light technical verification — and record Pass, Fail, or Partial with supporting evidence.
Build the Target Profile
Not every subcategory needs to be fully implemented everywhere. The target depends on the organization’s risk tolerance, size, and criticality of what’s at stake — defined as part of the Govern function.
Gap Analysis
Current Profile vs. Target Profile, subcategory by subcategory. The Fails and Partials are the findings. Patterns often emerge — a gap showing up in both Identify and Detect is usually one root cause, not two separate problems.
Prioritize and Roadmap
Sequence the gaps based on criticality — what’s affected, how exposed it is, and what other gaps it blocks. Governance and visibility gaps typically come first because they’re prerequisites for everything else to function.
The assessment — the filled-in Current Profile with Pass/Fail/Partial across every subcategory — is the evidence. The roadmap is the deliverable. A spreadsheet of findings without a sequenced plan isn’t an assessment result; it’s a to-do list with no order to it.
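As an added worked example (my own code, not part of the original article), here are the gap analysis and roadmap steps of the workflow above in Python: it scores a Current Profile against a Target Profile, then orders the findings so that prerequisites come first, with ties broken on criticality, how many other gaps a finding blocks, and the size of the shortfall. The subcategory IDs follow the CSF 2.0 naming pattern, while the Pass/Partial/Fail scoring scale, the criticality ratings, the dependency edges and both profiles are constructed sample data, not values from the article.

```python
from dataclasses import dataclass
from graphlib import TopologicalSorter

SCORE = {"Pass": 2, "Partial": 1, "Fail": 0}   # assumed ordinal scale for profile states

@dataclass(frozen=True)
class Subcategory:
    sid: str            # CSF-style ID; the prefix before the dot is the function (GV, ID, ...)
    criticality: int    # assessor's rating of what the gap affects: 1 (low) .. 3 (high)
    blocks: tuple = ()  # IDs of subcategories whose remediation depends on this one

def gap_analysis(current, target):
    """Current Profile vs Target Profile; returns {sid: shortfall} for every finding."""
    gaps = {}
    for sid, wanted in target.items():
        have = current.get(sid, "Fail")            # not evidenced counts as Fail
        shortfall = SCORE[wanted] - SCORE[have]
        if shortfall > 0:                          # exceeding the target is not a finding
            gaps[sid] = shortfall
    return gaps

def roadmap(gaps, catalog):
    """Sequence findings: prerequisites first, then criticality, gaps blocked, shortfall."""
    ts = TopologicalSorter({sid: set() for sid in gaps})
    for sid in gaps:
        for dependent in catalog[sid].blocks:
            if dependent in gaps:
                ts.add(dependent, sid)             # sid must be closed before dependent
    ts.prepare()
    order = []
    while ts.is_active():                          # one layer of unblocked gaps at a time
        ready = sorted(ts.get_ready(), key=lambda s: (
            -catalog[s].criticality, -sum(d in gaps for d in catalog[s].blocks), -gaps[s], s))
        order.extend(ready)
        ts.done(*ready)
    return order

# Constructed sample catalog and profiles: one subcategory per function, dependencies assumed.
CATALOG = {s.sid: s for s in (
    Subcategory("GV.RM-01", 3, ("ID.AM-01", "PR.AA-01", "DE.CM-01", "RS.MA-01", "RC.RP-01")),
    Subcategory("ID.AM-01", 3, ("DE.CM-01",)),     # no inventory, no meaningful monitoring
    Subcategory("PR.AA-01", 3),
    Subcategory("DE.CM-01", 2),
    Subcategory("RS.MA-01", 2, ("RC.RP-01",)),
    Subcategory("RC.RP-01", 2),
)}
CURRENT = {"GV.RM-01": "Fail", "ID.AM-01": "Partial", "PR.AA-01": "Partial",
           "DE.CM-01": "Fail", "RS.MA-01": "Pass", "RC.RP-01": "Partial"}
TARGET = {sid: "Pass" for sid in CATALOG} | {"DE.CM-01": "Partial"}  # Partial accepted here
```

On the sample data, `roadmap(gap_analysis(CURRENT, TARGET), CATALOG)` puts GV.RM-01 first because every other gap depends on it, then the inventory gap ahead of the monitoring gap it blocks, which is the "governance and visibility first" ordering the workflow describes.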
Sample Questions by Function
Below is a sample of the kind of question each CSF function translates into during an interview. These are written in plain language deliberately — the goal during an assessment interview is to get a stakeholder talking about what actually happens, not to test whether they know framework terminology.
Risk Management Strategy & Oversight
Govern is where risk tolerance, accountability, and oversight live — the questions that determine whether everything else has executive backing and a defined owner.
“Has leadership ever discussed or documented what level of cyber risk is ‘acceptable’ for this organization? When a risk is identified, who decides whether to fix it now, fix it later, or accept it?”
Asset Management & Risk Assessment
Identify covers whether the organization knows what it has and what could go wrong with it — the foundation everything else is built on.
“Do you have a list of all company-owned devices — laptops, servers, switches, etc.? How is it kept current when devices are added, replaced, or retired?”
Access Control & Data Security
Protect is the largest function and the one most people think of as “security” — identity, access, encryption, and system hardening.
“Is MFA required for logging into email, VPN, and any admin-level accounts? Is it required for everyone, or optional?”
Continuous Monitoring
Detect asks whether the organization would actually notice if something went wrong — and how quickly.
“Is network traffic monitored for unusual activity? Do you have a SIEM or similar log aggregation and alerting tool, and if so, which logs feed into it?”
Incident Management
Respond covers what happens after detection — whether there’s a plan, whether it’s been tested, and whether people know their roles.
“Do you have a written incident response plan? Has it ever been used during a real incident, or tested through a tabletop exercise?”
Recovery Planning
Recover is about getting back to normal operations — and whether the plan to do so has ever actually been exercised.
“How often are backups taken, where are they stored, and when was the last time you actually restored something from a backup to confirm it works?”
None of the example questions above mention CSF, subcategory IDs, or control numbers. That’s intentional. The person answering — often someone in IT or operations rather than GRC — doesn’t need to know the framework to give a useful answer. The framework is the structure the assessor uses to organize and score the conversation afterward, not the language used during it.
Why This Connects to Everything Else
If this workflow sounds familiar, it’s because it’s the same shape as the third-party risk process covered earlier in this series — discovery, classification, assessment against a framework, findings, and a decision — applied at the organizational level instead of the vendor level. It’s also the same logic as risk-based vulnerability prioritization: severity (or in this case, gap severity) means little without context about what it affects and how critical that asset is.
That’s the throughline across this whole series. Asset management tells you what exists and what matters. Risk assessment methodology tells you how to think about likelihood and impact. CSF gives the six-function structure to organize an assessment of the whole program. And the output — a Current Profile, a gap list, and a prioritized roadmap — is the same shape whether the subject is one vendor, one vulnerability, or an entire organization’s security posture.
