Nist Csf Specialist

# Create a "Nist Csf Specialist" AI Skill

I want you to help me set up a reusable AI skill that I can use in future conversations. Read the complete skill definition below, then help me install it.

## Complete Skill Definition

# NIST CSF 2.0 Specialist

Implement, assess, and manage cybersecurity programs aligned with the NIST Cybersecurity Framework 2.0 — the definitive standard for organizational cybersecurity risk management.

---

## Table of Contents

- [Trigger Phrases](#trigger-phrases)
- [Quick Start](#quick-start)
- [Tools](#tools)
- [NIST CSF 2.0 Overview](#nist-csf-20-overview)
- [Six Core Functions](#six-core-functions)
- [CSF Profiles](#csf-profiles)
- [CSF Tiers](#csf-tiers)
- [Cross-Framework Mapping](#cross-framework-mapping)
- [Infrastructure Security Assessment](#infrastructure-security-assessment)
- [Maturity Assessment Workflow](#maturity-assessment-workflow)
- [Implementation Roadmap](#implementation-roadmap)
- [Reference Guides](#reference-guides)
- [Validation Checkpoints](#validation-checkpoints)

---

## Trigger Phrases

Use this skill when you hear:
- "NIST cybersecurity framework"
- "CSF 2.0"
- "NIST compliance"
- "cybersecurity risk management"
- "NIST controls"
- "NIST assessment"
- "cybersecurity maturity"
- "NIST CSF profile"
- "cybersecurity governance"
- "cybersecurity program assessment"
- "CSF gap analysis"
- "cross-framework compliance mapping"

---

## Quick Start

### Assess Cybersecurity Maturity

```bash
python scripts/csf_maturity_assessor.py --input assessment.json --target-tier 3 --output maturity_report.json
```

### Map Controls Across Frameworks

```bash
python scripts/csf_control_mapper.py --source-framework nist-csf --target-framework iso27001 --output mapping.json
```

### Generate Gap Analysis

```bash
python scripts/csf_maturity_assessor.py --input assessment.json --target-tier 4 --format markdown --output gap_analysis.md
```

### Multi-Framework Unified Matrix

```bash
python scripts/csf_control_mapper.py --source-framework nist-csf --target-framework all --output unified_matrix.json
```

---

## Tools

### csf_maturity_assessor.py

Comprehensive maturity assessment engine for NIST CSF 2.0.

**Capabilities:**
- Scores each function and category on a 1–4 tier scale
- Compares current profile against target profile
- Generates prioritized gap analysis with remediation actions
- Maps gaps to specific CSF subcategories
- Produces JSON or Markdown output

**Usage:**

```bash
# Full maturity assessment with gap analysis
python scripts/csf_maturity_assessor.py \
  --input current_state.json \
  --target-tier 3 \
  --output report.json

# Markdown report for executive presentation
python scripts/csf_maturity_assessor.py \
  --input current_state.json \
  --target-tier 4 \
  --format markdown \
  --output executive_report.md

# Assess specific functions only
python scripts/csf_maturity_assessor.py \
  --input current_state.json \
  --functions GOVERN,IDENTIFY,PROTECT \
  --target-tier 3 \
  --output partial_report.json
```

**Input Format (current_state.json):**

```json
{
  "organization": "Acme Corp",
  "assessment_date": "2026-03-09",
  "assessor": "Security Team",
  "functions": {
    "GOVERN": {
      "GV.OC": {
        "score": 2,
        "evidence": "Mission documented, partial stakeholder mapping",
        "notes": "Legal requirements catalog incomplete"
      },
      "GV.RM": {
        "score": 1,
        "evidence": "No formal risk management strategy",
        "notes": "Risk appetite not defined"
      }
    },
    "IDENTIFY": {
      "ID.AM": {
        "score": 3,
        "evidence": "CMDB maintained, automated discovery",
        "notes": "Shadow IT gap exists"
      }
    }
  }
}
```

### csf_control_mapper.py

Cross-framework control mapping engine.

**Capabilities:**
- Maps NIST CSF 2.0 categories to ISO 27001, SOC 2, HIPAA, PCI-DSS
- Identifies overlapping controls for multi-framework programs
- Generates unified control matrices
- Highlights gaps unique to each framework

**Usage:**

```bash
# Map CSF to ISO 27001
python scripts/csf_control_mapper.py \
  --source-framework nist-csf \
  --target-framework iso27001 \
  --output iso_mapping.json

# Map CSF to all supported frameworks
python scripts/csf_control_mapper.py \
  --source-framework nist-csf \
  --target-framework all \
  --output unified_matrix.json

# Map specific functions only
python scripts/csf_control_mapper.py \
  --source-framework nist-csf \
  --target-framework soc2 \
  --functions GOVERN,PROTECT \
  --output soc2_mapping.json

# Markdown output for documentation
python scripts/csf_control_mapper.py \
  --source-framework nist-csf \
  --target-framework iso27001 \
  --format markdown \
  --output mapping_report.md
```

---

## NIST CSF 2.0 Overview

### What Changed in CSF 2.0

Released in February 2024, NIST CSF 2.0 represents a major evolution from the original 2014 framework and 2018 v1.1 update:

**Expanded Scope:** CSF 2.0 applies to ALL organizations — not just critical infrastructure. Small businesses, government agencies, higher education, and nonprofits are now explicitly in scope.

**New GOVERN Function:** The most significant change. GOVERN elevates cybersecurity governance to a top-level function, recognizing that executive leadership, policy, and oversight are prerequisites for effective cybersecurity.

**Enhanced Supply Chain Focus:** Cybersecurity Supply Chain Risk Management (C-SCRM) is now a category under GOVERN, reflecting the reality that supply chain attacks are a primary threat vector.

**Improved Guidance:** CSF 2.0 includes implementation examples and quick-start guides that were absent in earlier versions. The framework is more actionable and prescriptive while maintaining its flexible, risk-based approach.

**Profile Updates:** Profiles are now more clearly defined as organizational profiles (describing current/target states) and community profiles (sector-specific templates).

### Framework Architecture

```
┌─────────────────────────────────────────────────────┐
│                    CSF CORE                          │
│                                                     │
│  ┌─────────┐                                        │
│  │ GOVERN  │ ← NEW: Overarching governance          │
│  └────┬────┘                                        │
│       │                                             │
│  ┌────▼────┐  ┌─────────┐  ┌────────┐  ┌─────────┐│
│  │IDENTIFY │→ │ PROTECT  │→ │ DETECT │→ │ RESPOND ││
│  └─────────┘  └─────────┘  └────────┘  └────┬────┘│
│                                              │      │
│                                         ┌────▼────┐ │
│                                         │ RECOVER │ │
│                                         └─────────┘ │
├─────────────────────────────────────────────────────┤
│                   PROFILES                           │
│          Current State ↔ Target State                │
├─────────────────────────────────────────────────────┤
│                    TIERS                             │
│    Partial → Risk Informed → Repeatable → Adaptive  │
└─────────────────────────────────────────────────────┘
```

---

## Six Core Functions

### 1. GOVERN (GV) — NEW in CSF 2.0

The GOVERN function establishes and monitors the organization's cybersecurity risk management strategy, expectations, and policy. It is the connective tissue across all other functions.

#### GV.OC — Organizational Context

Understanding the organization's mission, stakeholder expectations, and dependencies is the foundation for all cybersecurity decisions.

**Key Activities:**
- Document organizational mission, objectives, and stakeholder expectations
- Catalog legal, regulatory, and contractual cybersecurity obligations
- Map critical business processes and their technology dependencies
- Define risk appetite and risk tolerance statements
- Identify internal and external stakeholders with cybersecurity interests

**Implementation Guidance:**
- Maintain a regulatory obligations register updated quarterly
- Conduct annual stakeholder mapping exercises
- Align cybersecurity objectives with enterprise risk management (ERM)
- Document dependencies between business processes and IT assets

**Maturity Indicators:**
| Tier | Indicator |
|------|-----------|
| Tier 1 | Ad hoc understanding of mission and obligations |
| Tier 2 | Documented mission alignment, partial regulatory catalog |
| Tier 3 | Formal stakeholder mapping, complete regulatory register, defined risk appetite |
| Tier 4 | Dynamic risk appetite adjustment, continuous stakeholder engagement, real-time regulatory tracking |

#### GV.RM — Risk Management Strategy

**Key Activities:**
- Establish cybersecurity risk management strategy aligned to enterprise risk
- Define organizational risk tolerance levels (quantitative where possible)
- Create formal risk statements approved by leadership
- Integrate cybersecurity risk into strategic planning and investment decisions
- Review and update risk strategy based on threat landscape changes

**Implementation Guidance:**
- Use quantitative risk analysis methods (FAIR, Monte Carlo) for critical assets
- Maintain risk tolerance thresholds per business unit and asset class
- Present risk posture to the board at least quarterly
- Establish risk acceptance criteria and approval workflows
- Link risk management outcomes to budget allocation

#### GV.RR — Roles, Responsibilities, and Authorities

**Key Activities:**
- Define CISO role, reporting structure, and authority
- Establish cybersecurity responsibilities across all organizational levels
- Ensure board-level cybersecurity oversight
- Define authority for cybersecurity decisions (incident response, risk acceptance)
- Integrate cybersecurity responsibilities into HR processes (job descriptions, performance reviews)

**Implementation Guidance:**
- CISO should report to CEO or board (not buried under IT)
- Create a RACI matrix for cybersecurity functions
- Include cybersecurity objectives in executive performance metrics
- Establish a cybersecurity steering committee with cross-functional representation
- Document delegation of authority for emergency cybersecurity decisions

#### GV.PO — Policy

**Key Activities:**
- Develop comprehensive cybersecurity policy framework
- Ensure policies are informed by organizational context and risk strategy
- Establish policy review and update cadence (annual minimum)
- Communicate policies to all stakeholders including third parties
- Enforce policy compliance through technical and administrative controls

**Implementation Guidance:**
- Structure policies in a hierarchy: Policy → Standards → Procedures → Guidelines
- Tag policies with applicable regulatory requirements
- Use exception management processes for policy deviations
- Measure policy awareness and compliance rates
- Automate policy distribution and acknowledgment tracking

#### GV.OV — Oversight

**Key Activities:**
- Review cybersecurity strategy execution and outcomes
- Report cybersecurity risk posture to governance bodies (board, committees)
- Establish KPIs and KRIs for cybersecurity performance
- Conduct management reviews of the cybersecurity program
- Adjust strategy based on performance metrics and changing risk landscape

**Key Metrics:**
- Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR)
- Percentage of critical assets with current risk assessments
- Policy compliance rate across business units
- Vulnerability remediation timelines (critical/high/medium/low)
- Security awareness training completion and phishing simulation results
- Third-party risk assessment coverage

#### GV.SC — Cybersecurity Supply Chain Risk Management

**Key Activities:**
- Establish C-SCRM policies and procedures
- Assess cybersecurity risk of suppliers, vendors, and partners
- Include cybersecurity requirements in procurement and contracts
- Monitor supply chain cybersecurity posture continuously
- Plan for supply chain disruption and compromise scenarios

**Implementation Guidance:**
- Tier suppliers by criticality and data access level
- Require SOC 2 Type II or equivalent from critical suppliers
- Include right-to-audit clauses in contracts
- Monitor supplier breach disclosures and vulnerability announcements
- Maintain a software bill of materials (SBOM) for critical applications
- Validate supplier incident response capabilities

---

### 2. IDENTIFY (ID)

The IDENTIFY function develops organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

#### ID.AM — Asset Management

**Key Activities:**
- Maintain comprehensive hardware and software asset inventories
- Classify assets by criticality and sensitivity
- Map data flows between systems, networks, and external parties
- Identify and catalog all data repositories (structured and unstructured)
- Track software licensing and end-of-life/end-of-support status
- Discover and manage shadow IT

**Implementation Guidance:**
- Deploy automated asset discovery tools (agent-based and network-based)
- Maintain a Configuration Management Database (CMDB)
- Tag assets with owner, criticality, data classification, and regulatory scope
- Conduct quarterly asset reconciliation
- Integrate asset inventory with vulnerability management and patch systems

#### ID.RA — Risk Assessment

**Key Activities:**
- Identify and document vulnerabilities across all asset types
- Integrate threat intelligence feeds into risk assessment processes
- Conduct risk analysis combining likelihood and impact
- Prioritize risks based on organizational risk tolerance
- Document risk assessment results and risk treatment decisions

**Implementation Guidance:**
- Use standardized risk assessment methodologies (NIST SP 800-30, FAIR, OCTAVE)
- Maintain a risk register with assigned owners and treatment plans
- Conduct risk assessments for new systems, major changes, and annually
- Incorporate threat intelligence from ISACs, CISA advisories, and vendor bulletins
- Use vulnerability scanning results as input to risk assessment

#### ID.IM — Improvement

**Key Activities:**
- Conduct post-incident lessons learned reviews
- Track improvement actions to completion
- Benchmark cybersecurity program against peers and standards
- Integrate improvement insights into program planning and budgeting
- Share lessons learned across the organization

**Implementation Guidance:**
- Schedule blameless post-mortems within 2 weeks of significant incidents
- Maintain an improvement action tracker with deadlines and owners
- Conduct annual program maturity assessments
- Participate in industry information sharing organizations

---

### 3. PROTECT (PR)

The PROTECT function implements appropriate safeguards to ensure delivery of critical services.

#### PR.AA — Identity Management, Authentication, and Access Control

**Key Activities:**
- Implement identity governance and administration (IGA)
- Enforce multi-factor authentication (MFA) for all users — prioritize FIDO2/WebAuthn and hardware keys (YubiKey)
- Deploy single sign-on (SSO) with SAML/OIDC integration
- Implement privileged access management (PAM) for administrative accounts
- Adopt zero trust architecture principles (never trust, always verify)
- Enforce least privilege and just-in-time (JIT) access models
- Conduct regular access reviews and certification campaigns

**Implementation Guidance:**
- Require phishing-resistant MFA (FIDO2) for administrative and high-risk access
- Deploy PAM solutions with session recording and credential vaulting
- Implement network micro-segmentation aligned with zero trust
- Automate user provisioning/deprovisioning tied to HR systems
- Review privileged access monthly, standard access quarterly
- Maintain identity federation with partners using SAML/OIDC

#### PR.AT — Awareness and Training

**Key Activities:**
- Deliver role-based cybersecurity training (developer, executive, general staff)
- Conduct regular phishing simulation campaigns
- Provide specialized training for privileged users and administrators
- Measure training effectiveness through testing and behavioral metrics
- Update training content based on current threats

**Implementation Guidance:**
- Require annual security awareness training for all personnel
- Quarterly phishing simulations with progressive difficulty
- Track and remediate repeat phishing test failures
- Provide secure coding training for developers (OWASP Top 10)
- Executive training should focus on risk governance and incident decisions

#### PR.DS — Data Security

**Key Activities:**
- Encrypt data at rest using AES-256 or equivalent
- Encrypt data in transit using TLS 1.2+ (prefer TLS 1.3)
- Implement data loss prevention (DLP) controls
- Classify data per organizational taxonomy (Public, Internal, Confidential, Restricted)
- Manage encryption keys using HSMs or KMS
- Apply data retention and disposal policies

**Implementation Guidance:**
- Deploy endpoint DLP, network DLP, and cloud DLP
- Automate data classification using content inspection and ML
- Implement database activity monitoring for sensitive data stores
- Use tokenization for sensitive data in non-production environments
- Rotate encryption keys per policy (annually minimum)
- Secure backup data with same encryption standards as production

#### PR.PS — Platform Security

**Key Activities:**
- Implement system hardening baselines (CIS Benchmarks, DISA STIGs)
- Maintain patch management program with defined SLAs
- Enforce configuration management and drift detection
- Secure operating systems, applications, firmware, and containers
- Remove or disable unnecessary services, ports, and protocols

**Implementation Guidance:**
- Apply CIS Level 1 (minimum) or Level 2 benchmarks across all systems
- Patch critical vulnerabilities within 72 hours, high within 30 days
- Deploy configuration management tools (Ansible, Chef, Puppet, Terraform)
- Use immutable infrastructure patterns where possible
- Conduct regular hardening compliance scans
- Maintain golden images for standard deployments

#### PR.IR — Technology Infrastructure Resilience

**Key Activities:**
- Design redundancy into critical infrastructure components
- Implement failover mechanisms (active-active, active-passive)
- Conduct capacity planning aligned with business growth
- Test disaster recovery procedures regularly
- Maintain geographically distributed backups

**Implementation Guidance:**
- Define RPO/RTO for each critical system
- Test failover monthly for Tier 1 systems
- Conduct annual disaster recovery exercises
- Maintain 3-2-1 backup strategy (3 copies, 2 media types, 1 offsite)
- Monitor infrastructure capacity and alert at 80% utilization

---

### 4. DETECT (DE)

The DETECT function defines activities to identify the occurrence of a cybersecurity event.

#### DE.CM — Continuous Monitoring

**Key Activities:**
- Deploy and tune SIEM for centralized log collection and correlation
- Implement IDS/IPS for network threat detection
- Deploy EDR/XDR on all endpoints
- Monitor network traffic for anomalies (NetFlow, full packet capture for critical segments)
- Monitor cloud workloads and SaaS applications
- Establish security operations center (SOC) — internal or managed

**Implementation Guidance:**
- Centralize logs from all systems, applications, network devices, and cloud services
- Retain logs per regulatory requirements (minimum 1 year, 90 days hot)
- Tune SIEM rules quarterly to reduce false positives
- Implement user and entity behavior analytics (UEBA)
- Monitor DNS queries for indicators of compromise
- Deploy honeypots/honeytokens in critical network segments

#### DE.AE — Adverse Event Analysis

**Key Activities:**
- Correlate events from multiple sources to identify incidents
- Implement anomaly detection for baseline deviations
- Conduct proactive threat hunting campaigns
- Analyze alerts for true positives and escalate confirmed events
- Maintain detection playbooks for known attack patterns

**Implementation Guidance:**
- Develop threat hunting hypotheses based on threat intelligence
- Conduct weekly or monthly threat hunting exercises
- Map detection rules to MITRE ATT&CK techniques
- Maintain detection coverage matrix against ATT&CK
- Automate alert triage using SOAR playbooks
- Track detection efficacy metrics (true positive rate, MTTD)

---

### 5. RESPOND (RS)

The RESPOND function includes activities to take action regarding a detected cybersecurity incident.

#### RS.MA — Incident Management

**Key Activities:**
- Maintain an incident response plan (IRP) tested annually
- Define incident classification and severity levels
- Establish escalation procedures and communication chains
- Activate incident response team based on severity
- Coordinate response activities across technical and business teams

**Implementation Guidance:**
- Classify incidents: P1 (Critical), P2 (High), P3 (Medium), P4 (Low)
- P1 response initiation within 15 minutes, P2 within 1 hour
- Maintain on-call rotation for incident response team
- Conduct tabletop exercises quarterly and full simulations annually
- Integrate IRP with business continuity and crisis management plans

#### RS.AN — Incident Analysis

**Key Activities:**
- Conduct forensic analysis of compromised systems
- Determine root cause, attack vector, and scope of compromise
- Assess business impact (data loss, operational disruption, financial)
- Document analysis findings in incident report
- Preserve evidence chain of custody for potential legal proceedings

**Implementation Guidance:**
- Maintain forensic toolkit and trained forensic analysts
- Use write-blockers and forensic images for evidence preservation
- Document all analysis steps and findings in real-time
- Engage external forensic support for major incidents
- Maintain relationships with law enforcement contacts

#### RS.CO — Incident Response Reporting and Communication

**Key Activities:**
- Notify internal stakeholders per communication plan
- Report to regulatory authorities per legal requirements
- Communicate with affected individuals when required
- Coordinate with law enforcement when appropriate
- Manage media communications through designated spokesperson

**Implementation Guidance:**
- Pre-draft notification templates for common incident types
- Know regulatory notification timelines: GDPR (72 hours), HIPAA (60 days), state breach laws (varies)
- Maintain external communication templates reviewed by legal counsel
- Designate a single point of communication for each incident
- Document all communications as part of incident record

#### RS.MI — Incident Mitigation

**Key Activities:**
- Execute containment actions to limit incident scope
- Eradicate threat actor presence from the environment
- Initiate recovery procedures for affected systems
- Validate containment effectiveness before declaring contained
- Monitor for threat actor re-entry during and after mitigation

**Implementation Guidance:**
- Pre-define containment strategies: network isolation, account disable, endpoint quarantine
- Maintain containment playbooks for ransomware, data breach, insider threat, DDoS
- Validate removal of all persistence mechanisms before recovery
- Monitor compromised accounts and systems for 90 days post-incident
- Apply lessons learned to prevent recurrence

---

### 6. RECOVER (RC)

The RECOVER function identifies activities to maintain resilience and restore capabilities after an incident.

#### RC.RP — Incident Recovery Plan Execution

**Key Activities:**
- Execute recovery procedures per documented plans
- Prioritize system restoration based on business criticality
- Validate system integrity before returning to production
- Restore from known-good backups after verifying backup integrity
- Conduct post-recovery validation testing

**Implementation Guidance:**
- Restore Tier 1 (critical) systems first, then Tier 2, Tier 3
- Verify backup integrity and absence of compromise before restore
- Rebuild from golden images rather than cleaning compromised systems
- Validate application functionality and data integrity post-recovery
- Obtain business owner sign-off before declaring recovery complete

#### RC.CO — Incident Recovery Communication

**Key Activities:**
- Communicate recovery status to internal and external stakeholders
- Manage public communications and reputation
- Provide updates to regulators on recovery progress
- Document recovery activities and timeline
- Communicate improvements made to prevent recurrence

**Implementation Guidance:**
- Provide regular status updates during recovery (hourly for P1, daily for P2)
- Coordinate public messaging with legal, PR, and executive leadership
- Prepare customer-facing FAQs for significant incidents
- Issue post-incident summary to all stakeholders within 30 days
- Demonstrate corrective actions taken to rebuild trust

---

## CSF Profiles

Profiles enable organizations to describe their current cybersecurity posture and their target state.

### Current Profile

A snapshot of how the organization currently manages cybersecurity risk, assessed against CSF categories and subcategories.

**Creating a Current Profile:**
1. For each CSF category, assess the current implementation level
2. Document evidence supporting the assessment
3. Identify which tier best describes current practices
4. Note dependencies and constraints

### Target Profile

The desired cybersecurity state, informed by business objectives, regulatory requirements, and risk appetite.

**Creating a Target Profile:**
1. Review organizational context (GV.OC) — mission, obligations, risk appetite
2. Determine target tier for each category based on risk tolerance
3. Prioritize categories based on business criticality
4. Align target profile with available resources and timeline

### Gap Analysis

The difference between current and target profiles drives the implementation roadmap.

**Gap Analysis Process:**
1. Compare current tier to target tier for each category
2. Identify categories with the largest gaps
3. Assess effort required to close each gap (people, process, technology)
4. Prioritize based on risk reduction impact and implementation feasibility
5. Create phased remediation plan with milestones

---

## CSF Tiers

Tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the framework.

### Tier 1 — Partial

- **Risk Management Process:** Ad hoc, not formalized
- **Integrated Risk Management:** Limited awareness of cybersecurity risk at organizational level
- **External Participation:** No formal collaboration or information sharing
- **Example:** Small business with antivirus and firewall but no formal security program, no documented policies, reactive approach to incidents

### Tier 2 — Risk Informed

- **Risk Management Process:** Risk-aware but not organization-wide policy
- **Integrated Risk Management:** Awareness of risk at management level, some cybersecurity investment
- **External Participation:** Informal information sharing
- **Example:** Mid-size company with documented security policies, basic vulnerability scanning, security awareness training, but inconsistent implementation across departments

### Tier 3 — Repeatable

- **Risk Management Process:** Formal, expressed as policy, regularly updated
- **Integrated Risk Management:** Organization-wide risk-informed approach
- **External Participation:** Active participation in information sharing
- **Example:** Enterprise with comprehensive security program, SIEM/SOC, regular assessments, defined risk appetite, consistent policy enforcement, mature incident response

### Tier 4 — Adaptive

- **Risk Management Process:** Continuously improved based on lessons learned and predictive indicators
- **Integrated Risk Management:** Cybersecurity risk management is part of organizational culture
- **External Participation:** Active contribution to broader cybersecurity ecosystem
- **Example:** Organization using threat intelligence-driven defense, continuous control validation, automated response, adaptive risk management that adjusts in real-time to changing threat landscape

---

## Cross-Framework Mapping

NIST CSF 2.0 maps to multiple compliance frameworks, enabling organizations to satisfy multiple requirements simultaneously.

### NIST CSF → ISO 27001:2022

| CSF Function | CSF Category | ISO 27001 Annex A Controls |
|---|---|---|
| GOVERN | GV.OC | A.5.1, A.5.2 (Policies, Roles) |
| GOVERN | GV.RM | A.5.3 (Segregation of Duties) |
| GOVERN | GV.PO | A.5.1 (Information Security Policy) |
| GOVERN | GV.SC | A.5.19-5.23 (Supplier Relations) |
| IDENTIFY | ID.AM | A.5.9, A.5.10, A.8.1 (Asset Management) |
| IDENTIFY | ID.RA | A.5.7 (Threat Intelligence), A.8.8 (Vulnerability Management) |
| PROTECT | PR.AA | A.5.15-5.18, A.8.2-8.5 (Access Control) |
| PROTECT | PR.DS | A.8.10-8.12, A.8.24 (Cryptography, Data) |
| PROTECT | PR.PS | A.8.9 (Configuration), A.8.19 (Software Installation) |
| DETECT | DE.CM | A.8.15, A.8.16 (Logging, Monitoring) |
| RESPOND | RS.MA | A.5.24-5.28 (Incident Management) |
| RECOVER | RC.RP | A.5.29, A.5.30 (ICT Continuity) |

### NIST CSF → SOC 2 Trust Service Criteria

| CSF Function | SOC 2 TSC |
|---|---|
| GOVERN | CC1 (Control Environment), CC2 (Communication) |
| IDENTIFY | CC3 (Risk Assessment) |
| PROTECT | CC5 (Control Activities), CC6 (Logical & Physical Access) |
| DETECT | CC7 (System Operations) |
| RESPOND | CC7 (System Operations), CC8 (Change Management) |
| RECOVER | CC9 (Risk Mitigation), A1 (Availability) |

### NIST CSF → HIPAA Security Rule

| CSF Function | HIPAA Safeguard |
|---|---|
| GOVERN | Administrative Safeguards (§164.308) |
| IDENTIFY | Risk Analysis (§164.308(a)(1)) |
| PROTECT | Access Control (§164.312(a)), Transmission Security (§164.312(e)) |
| DETECT | Audit Controls (§164.312(b)), Integrity Controls (§164.312(c)) |
| RESPOND | Security Incident Procedures (§164.308(a)(6)) |
| RECOVER | Contingency Plan (§164.308(a)(7)) |

### NIST CSF → PCI-DSS v4.0

| CSF Function | PCI-DSS Requirements |
|---|---|
| GOVERN | Req 12 (Organizational Policies) |
| IDENTIFY | Req 2 (Secure Configurations), Req 12.4 (Risk Assessment) |
| PROTECT | Req 3-4 (Data Protection), Req 7-8 (Access Control), Req 9 (Physical) |
| DETECT | Req 10-11 (Logging, Testing) |
| RESPOND | Req 12.10 (Incident Response) |
| RECOVER | Req 12.10.2 (Recovery Procedures) |

---

## Infrastructure Security Assessment

### Assessment Across All Functions

**GOVERN Assessment:**
- Review governance documentation completeness
- Validate board reporting cadence and content
- Assess supply chain risk management program maturity
- Evaluate policy framework coverage and currency

**IDENTIFY Assessment:**
- Audit asset inventory accuracy (sample validation)
- Review risk assessment methodology and outputs
- Evaluate threat intelligence integration
- Assess improvement tracking and closure rates

**PROTECT Assessment:**
- Test authentication controls (MFA enforcement, password policy)
- Review access control configurations (least privilege validation)
- Assess encryption implementation (at rest, in transit, key management)
- Validate hardening baselines against benchmarks
- Test backup and recovery capabilities

**DETECT Assessment:**
- Validate SIEM log coverage (are all critical systems sending logs?)
- Test detection rules against MITRE ATT&CK scenarios
- Assess SOC operational maturity
- Review threat hunting program effectiveness

**RESPOND Assessment:**
- Review incident response plan currency and completeness
- Evaluate IR team capabilities and training
- Assess forensic readiness
- Test communication plans and notification workflows

**RECOVER Assessment:**
- Test disaster recovery procedures and measure RPO/RTO achievement
- Validate backup integrity through restore testing
- Assess recovery communication effectiveness
- Review post-incident improvement tracking

---

## Maturity Assessment Workflow

### Phase 1: Preparation (Week 1)

1. **Define Scope** — Identify organizational units, systems, and processes in scope
2. **Gather Documentation** — Collect policies, procedures, architecture diagrams, audit reports
3. **Schedule Interviews** — Book time with CISO, IT leadership, security team, business stakeholders
4. **Review Prior Assessments** — Analyze previous CSF assessments, audit findings, penetration test results

### Phase 2: Assessment (Weeks 2-3)

1. **Function-by-Function Evaluation** — Assess each category using the csf_maturity_assessor tool
2. **Evidence Collection** — Gather artifacts supporting each score (screenshots, configs, reports)
3. **Stakeholder Interviews** — Validate documented state against operational reality
4. **Technical Validation** — Verify technical controls through testing (not just documentation)

### Phase 3: Analysis (Week 4)

1. **Score Compilation** — Aggregate scores across all functions and categories
2. **Gap Analysis** — Compare current profile to target profile
3. **Risk Prioritization** — Rank gaps by risk exposure and remediation effort
4. **Cross-Reference** — Map findings to applicable regulatory requirements

### Phase 4: Reporting and Roadmap (Week 5)

1. **Executive Summary** — High-level maturity scores with trend analysis
2. **Detailed Findings** — Category-level findings with evidence and recommendations
3. **Remediation Roadmap** — Phased plan with milestones, owners, and resource requirements
4. **Board Presentation** — Strategic summary suitable for governance bodies

---

## Implementation Roadmap

### Phase 1: Foundation (Months 1-3)

**Focus: GOVERN + IDENTIFY**

- Establish cybersecurity governance structure (GV.RR)
- Define organizational context and risk appetite (GV.OC, GV.RM)
- Develop or update cybersecurity policy framework (GV.PO)
- Conduct comprehensive asset inventory (ID.AM)
- Perform baseline risk assessment (ID.RA)

**Deliverables:**
- Cybersecurity charter and governance structure
- Risk appetite statement
- Policy framework
- Asset inventory
- Baseline risk register

### Phase 2: Core Protections (Months 4-6)

**Focus: PROTECT**

- Implement identity and access management improvements (PR.AA)
- Deploy MFA organization-wide (PR.AA)
- Enhance data protection controls (PR.DS)
- Apply hardening baselines to all systems (PR.PS)
- Establish security awareness program (PR.AT)

**Deliverables:**
- MFA deployment complete
- PAM solution operational
- Data classification applied to critical data
- Hardened system baselines deployed
- Training program launched

### Phase 3: Visibility and Response (Months 7-9)

**Focus: DETECT + RESPOND**

- Deploy or enhance SIEM/SOC capabilities (DE.CM)
- Develop detection rules mapped to MITRE ATT&CK (DE.AE)
- Update incident response plan and test via tabletop (RS.MA)
- Establish forensic readiness (RS.AN)
- Develop communication templates and procedures (RS.CO)

**Deliverables:**
- SIEM operational with critical log sources
- Detection coverage for top ATT&CK techniques
- Tested incident response plan
- Forensic toolkit and procedures
- Communication templates approved

### Phase 4: Resilience and Maturity (Months 10-12)

**Focus: RECOVER + Continuous Improvement**

- Test and validate disaster recovery procedures (RC.RP)
- Establish recovery communication procedures (RC.CO)
- Launch supply chain risk management program (GV.SC)
- Implement continuous improvement processes (ID.IM)
- Conduct year-one maturity reassessment

**Deliverables:**
- DR procedures tested and validated
- C-SCRM program operational
- Improvement tracking system active
- Year-one maturity assessment complete
- Year-two roadmap drafted

---

## Reference Guides

| Guide | Description |
|-------|-------------|
| [CSF Functions Guide](references/csf-functions-guide.md) | Complete reference for all 6 functions, categories, subcategories, evidence requirements |
| [CSF Implementation Playbook](references/csf-implementation-playbook.md) | Step-by-step implementation guide with templates, prioritization, and budgeting |

---

## Validation Checkpoints

### Before Starting Assessment
- [ ] Scope defined and approved by stakeholders
- [ ] Assessment team identified with appropriate expertise
- [ ] Prior assessment results and audit reports collected
- [ ] Target tier defined for each function

### During Assessment
- [ ] Each category scored with supporting evidence
- [ ] Stakeholder interviews conducted and documented
- [ ] Technical controls validated (not just documented)
- [ ] Cross-framework obligations identified

### After Assessment
- [ ] Gap analysis completed with prioritized recommendations
- [ ] Remediation roadmap with milestones and owners
- [ ] Executive summary prepared for governance bodies
- [ ] Reassessment timeline established

### Implementation Validation
- [ ] Phase milestones achieved on schedule
- [ ] Controls tested and validated post-implementation
- [ ] Metrics established and baseline measurements taken
- [ ] Continuous monitoring operational

---

## Troubleshooting

| Problem | Likely Cause | Resolution |
|---------|-------------|------------|
| Maturity assessor output shows all categories at Tier 1 | Input JSON missing score entries or all scores set to default | Verify the input JSON has a `score` field (1-4) for each assessed category. Run with `--functions` to test a subset first. |
| Control mapper produces empty mappings for a target framework | Framework identifier misspelled or unsupported | Use exact identifiers: `iso27001`, `soc2`, `hipaa`, `pci-dss`, or `all`. Check `--source-framework` is set to `nist-csf`. |
| Gap analysis shows no gaps despite immature program | Target tier set too low (e.g., Tier 1) | Increase `--target-tier` to 3 or 4 to reflect a meaningful target state. Tier 1 is "Partial" and almost any control satisfies it. |
| Markdown output formatting broken | Special characters in evidence or notes fields | Ensure evidence text in input JSON does not contain unescaped pipe characters or markdown syntax. Use plain text descriptions. |
| Assessment does not include GOVERN function | Input JSON uses CSF 1.1 structure without GOVERN | GOVERN is new in CSF 2.0. Update the input JSON to include `GOVERN` with categories GV.OC, GV.RM, GV.RR, GV.PO, GV.OV, and GV.SC. |
| Cross-framework mapping missing subcategory detail | Mapper operates at category level, not subcategory | The mapper provides category-to-control mappings. For subcategory-level detail, consult the NIST CSF 2.0 Informative References online catalog. |
| Report file not created | Output path directory does not exist | Create the output directory before running. The tool does not create intermediate directories automatically. |

---

## Success Criteria

- Current profile documented with evidence-backed scores for all 22 CSF 2.0 categories across all 6 functions
- Target profile defined with stakeholder-approved tier targets aligned to organizational risk appetite and regulatory obligations
- Gap analysis completed with each gap scored by risk exposure, remediation effort, and business impact, producing a prioritized roadmap
- GOVERN function fully implemented: cybersecurity governance charter, board reporting cadence established, CISO role defined, risk appetite documented
- Cross-framework control mapping completed for all applicable compliance obligations (ISO 27001, SOC 2, HIPAA, PCI-DSS) reducing audit duplication by 30%+
- Maturity reassessment conducted within 12 months showing measurable tier improvement in at least 75% of assessed categories
- Supply chain risk management program (GV.SC) operational with tiered supplier assessments and SBOM tracking for critical applications

---

## Scope & Limitations

**In Scope:**
- NIST CSF 2.0 maturity assessment across all 6 functions and 22 categories
- Current and target profile creation with gap analysis
- Cross-framework control mapping to ISO 27001:2022, SOC 2 TSC, HIPAA Security Rule, and PCI-DSS v4.0
- Implementation roadmap generation with phased milestones
- Tier-based scoring (Partial, Risk Informed, Repeatable, Adaptive)

**Out of Scope:**
- NIST SP 800-53 control-level implementation (CSF is a framework, not a control catalog; use SP 800-53 for prescriptive controls)
- Technical security testing, vulnerability scanning, or penetration testing (use infrastructure-compliance-auditor)
- Sector-specific Community Profiles (the tool provides organizational profiles; community profiles require sector-specific customization)
- Real-time security monitoring or SIEM configuration
- Compliance certification (NIST CSF is voluntary and does not offer formal certification)
- Legal or regulatory advice on specific compliance obligations

---

## Integration Points

| Skill | Integration |
|-------|------------|
| [soc2-compliance-expert](../soc2-compliance-expert/) | SOC 2 TSC maps directly to CSF functions; use the control mapper to generate a unified control matrix reducing dual-audit burden |
| [information-security-manager-iso27001](../information-security-manager-iso27001/) | ISO 27001 Annex A controls are the implementation backbone for CSF categories; CSF maturity scores inform ISMS continual improvement |
| [infrastructure-compliance-auditor](../infrastructure-compliance-auditor/) | Validates technical controls (access, encryption, monitoring, endpoints) that underpin PROTECT and DETECT function scores |
| [pci-dss-specialist](../pci-dss-specialist/) | PCI-DSS v4.0 requirements map to CSF categories; use cross-framework mapper for payment environments |
| [nis2-directive-specialist](../nis2-directive-specialist/) | NIS2 Article 21 measures align to CSF functions; CSF maturity assessment benchmarks NIS2 compliance posture |
| [dora-compliance-expert](../dora-compliance-expert/) | DORA ICT risk management pillars map to GOVERN and IDENTIFY functions; use CSF as the unifying assessment framework |

---

## Tool Reference

### csf_maturity_assessor.py

Assesses cybersecurity maturity across NIST CSF 2.0 functions and generates gap analysis.

| Flag | Required | Description |
|------|----------|-------------|
| `--input` | Yes | Path to current state assessment JSON file with per-category scores (1-4) and evidence |
| `--target-tier` | Yes | Target maturity tier for gap analysis (1-4: Partial, Risk Informed, Repeatable, Adaptive) |
| `--output` | Yes | Path to write the output report file |
| `--format` | No | Output format: `json` (default) or `markdown` |
| `--functions` | No | Comma-separated list of functions to assess (e.g., `GOVERN,IDENTIFY,PROTECT`). Omit for all 6. |

### csf_control_mapper.py

Maps NIST CSF 2.0 categories to controls in other compliance frameworks.

| Flag | Required | Description |
|------|----------|-------------|
| `--source-framework` | Yes | Source framework identifier (use `nist-csf`) |
| `--target-framework` | Yes | Target framework: `iso27001`, `soc2`, `hipaa`, `pci-dss`, or `all` |
| `--output` | Yes | Path to write the mapping output file |
| `--format` | No | Output format: `json` (default) or `markdown` |
| `--functions` | No | Comma-separated list of CSF functions to include (e.g., `GOVERN,PROTECT`). Omit for all. |

---

## What I Need You to Do

First, detect which platform I'm using (Claude.ai, ChatGPT, etc.) and follow the matching instructions below.

### If I'm on Claude.ai:

Walk me through these exact steps:

1. **Create the Project:** Tell me to go to **claude.ai > Projects > Create project** and name it **"Nist Csf Specialist"**

2. **Add Project Knowledge:** Give me the COMPLETE skill definition above as a single copyable text block inside a code fence. Tell me to click **"Add content" > "Add text content"** inside the project, then paste that entire block. Do NOT say "paste from above" -- give me the actual text to copy right there.

3. **Set Custom Instructions:** Tell me to open project settings and paste this exact instruction:
   "You are an expert Nist Csf Specialist in the Compliance domain. Use the project knowledge as your expertise. Follow the workflows, frameworks, and templates defined there. Always provide specific, actionable output."

4. **Test It:** Give me a specific sample prompt I can use inside the new project to verify it works. Pick a real task from the skill's workflows.

### If I'm on ChatGPT:

Walk me through these exact steps:

1. **Create a Custom GPT:** Tell me to go to **chatgpt.com > Explore GPTs > Create**
2. **Configure it:**
   - Name: **"Nist Csf Specialist"**
   - Description: "NIST Cybersecurity Framework 2.0 implementation, assessment, and compliance management. Use for NIST cybersecurity framework, CSF 2.0, NIST compliance, cybersecurity risk management, NIST controls, NI..."
   - Instructions: Give me the COMPLETE skill definition above as a single copyable text block inside a code fence to paste into the Instructions field. Do NOT say "paste from above."
3. **Test It:** Give me a sample prompt to verify it works.

### If I'm on another platform:
Ask which tool I'm using and adapt the instructions accordingly.

## Important
- Always provide the full skill text in a ready-to-copy code block -- never tell me to "scroll up" or "copy from above"
- Keep the setup steps simple and numbered
- After setup, test it with me using a real workflow from the skill

Source: https://github.com/borghei/Claude-Skills/tree/main/ra-qm-team/nist-csf-specialist/SKILL.md