Security from First Principles

Using the NIST Cybersecurity Framework as a Gap Assessment Tool

← All guides

Using the NIST Cybersecurity Framework as a Gap Assessment Tool

The NIST Cybersecurity Framework is not a how-to. It is a common vocabulary and outcomes catalog describing what a mature security program looks like, regardless of industry, size, or which specific frameworks an organization uses underneath. For the implementation detail, CSF points outward to SP 800-53, ISO 27001, and CIS Controls. Each subcategory maps to specific controls in those catalogs.

What CSF is genuinely useful for is something different: it is a structure for finding out where an organization actually stands, and for organizing a prioritized roadmap to where it needs to be. That is the assessment use case, and it is the most common way CSF gets applied in practice.

CSF vs. RMF

The NIST Risk Management Framework (SP 800-37) and the NIST Cybersecurity Framework are different tools built for different purposes. RMF is a federal-specific, sequential process built to get a specific system an Authorization to Operate using SP 800-53 controls. It is prescriptive and system-focused.

CSF is voluntary, applies to any organization, and operates at the program level rather than the system level. It does not produce an authorization. It produces a picture of organizational posture across six functions that can be compared against a target state to identify gaps. RMF answers whether a specific system has been formally assessed and authorized. CSF answers where the organization stands, function by function, and what it should prioritize.

The Six Functions

CSF 2.0 organizes security outcomes into six functions. The addition of Govern in version 2.0 was significant: it placed risk management strategy, roles, and oversight at the top of the framework where they belong, rather than treating them as implementation details.

Govern sets the organizational context and risk tolerance. Identify covers asset management and risk assessment. Protect covers access control, data security, and system hardening. Detect covers monitoring and anomaly detection. Respond covers incident management and communication. Recover covers restoration planning and improvement.

The Assessment Workflow

01

Scope

Define the boundary: the whole organization, a business unit, or a specific system. Everything downstream depends on this being clear before the questions start.

+
02

Build the Current Profile

For each subcategory across all six functions, determine whether the outcome exists today through interviews, document review, and light technical verification. Record Pass, Fail, or Partial with supporting evidence.

+
03

Build the Target Profile

Not every subcategory needs to be fully implemented. The target depends on the organization’s risk tolerance, size, and criticality of what is at stake, defined as part of the Govern function.

+
04

Gap Analysis

Current Profile vs. Target Profile, subcategory by subcategory. The Fails and Partials are the findings. Patterns often emerge: a gap showing up in both Identify and Detect is usually one root cause, not two separate problems.

+
05

Prioritize and Roadmap

Sequence the gaps based on criticality: what is affected, how exposed it is, and what other gaps it blocks. Governance and visibility gaps typically come first because they are prerequisites for everything else to function.

The deliverable

The assessment is the filled-in Current Profile with Pass, Fail, or Partial across every subcategory. The roadmap is the client deliverable. A list of findings without a sequenced plan is a to-do list with no order to it. Prioritization is what converts an assessment into a program.

Sample Questions by Function

Below is a sample of the questions each CSF function translates into during an assessment interview. The goal is to get a stakeholder talking about what actually happens, not to test whether they know framework terminology.

Govern

Risk Management Strategy and Oversight

Govern is where risk tolerance, accountability, and oversight live. The questions determine whether everything else has executive backing and a defined owner.

“Has leadership ever discussed or documented what level of cyber risk is acceptable for this organization? When a risk is identified, who decides whether to fix it now, fix it later, or accept it?”
Identify

Asset Management and Risk Assessment

Identify covers whether the organization knows what it has and what could go wrong with it. It is the foundation everything else is built on.

“Do you have a list of all company-owned devices? How is it kept current when devices are added, replaced, or retired?”
Protect

Access Control and Data Security

Protect is the largest function and covers identity, access, encryption, and system hardening.

“Is MFA required for logging into email, VPN, and any admin-level accounts? Is it required for everyone, or optional?”
Detect

Continuous Monitoring

Detect asks whether the organization would notice if something went wrong, and how quickly.

“Is network traffic monitored for unusual activity? Do you have a SIEM or log aggregation tool, and if so, which logs feed into it?”
Respond

Incident Management

Respond covers what happens after detection: whether there is a plan, whether it has been tested, and whether people know their roles.

“Do you have a written incident response plan? Has it ever been used during a real incident, or tested through a tabletop exercise?”
Recover

Recovery Planning

Recover is about returning to normal operations and whether the plan to do so has ever been exercised.

“How often are backups taken, where are they stored, and when was the last time you restored something from a backup to confirm it works?”

The Point

CSF is not the how. It is the shared language for describing where a program stands and where it needs to go. That is precisely why it works as the backbone of a gap assessment, regardless of which frameworks do the implementation work underneath it.

Darnell Keith

Not sure where you stand on this?

A Gap Assessment or IAM Governance Assessment tells you exactly where the gaps are — and what to do about them, in order of what matters most.

Get in Touch
NAXS Labs
Logo