Compliance Services

NIST Cybersecurity Framework Gap Assessment

Know where you stand. Know where you need to be. Get a clear path between the two.

NIST CSF gap assessment and maturity scoring from a CISSP, CISM, and GRCP practitioner who has published an 8-part NIST CSF series — and applied it at enterprise scale.


The NIST CSF Challenge

NIST CSF is comprehensive — 108 subcategories across five functions. That's also the problem. Organizations don't know where to start, can't define a realistic target maturity, and lack a structured way to measure progress. The framework is voluntary, which means there's no external deadline forcing prioritization.

Government contractors face a different problem: NIST alignment is increasingly a contract requirement, but the assessment methodology isn't standardized. We give you a defensible maturity score with documented evidence — useful for both internal planning and external stakeholders.

What We Deliver

A current-state assessment and prioritized roadmap you can present to leadership, a board, or a federal contracting officer.

  • Current state assessment across all 5 CSF Functions (Identify, Protect, Detect, Respond, Recover)
  • Maturity tier scoring (Tiers 1–4) per category and subcategory
  • Gap analysis with business risk context and likelihood weighting
  • Prioritized remediation roadmap (quick wins → strategic initiatives)
  • Control mapping to your existing tools, policies, and processes

CSF Functions Covered

  • Identify: Asset management, risk assessment, governance
  • Protect: Access control, awareness training, data security
  • Detect: Anomaly detection, continuous monitoring
  • Respond: Incident response planning, communications
  • Recover: Recovery planning, improvements, communications

Our Assessment Process

A structured methodology that produces a defensible maturity score and actionable roadmap.

1. Current State Assessment: Structured interviews and documentation review across all five CSF Functions.

2. Maturity Scoring: Tier scoring (1–4) per subcategory with supporting rationale.

3. Gap Analysis: Current vs. target maturity with risk weighting and business impact context.

4. Prioritized Roadmap: 30/60/90-day quick wins plus strategic initiatives, sequenced by risk reduction per dollar.

Who This Is For

  • Companies building their first formal security program
  • Organizations seeking a security maturity baseline before an audit
  • Businesses preparing for government contract requirements (NIST alignment is common in federal supplier requirements)
  • Teams that want a structured framework before committing to SOC 2 or ISO 27001
  • CISOs and security managers presenting risk posture to a board

Published NIST CSF Expertise

Jonathan Carpenter has published an 8-part NIST Cybersecurity Framework series on this site — one of the most thorough practitioner-written breakdowns of the framework available for SMBs. He's applied NIST CSF assessments at enterprise scale across multiple organizations.

CISSP, CISM, and GRCP certified. 25+ years enterprise security experience. Based in Biddeford, Maine.

  • CISSP: Certified Information Systems Security Professional
  • CISM: Certified Information Security Manager
  • GRCP: Governance, Risk and Compliance Professional

NIST CSF Published Series

8-part practitioner series covering every NIST CSF function — the same methodology applied in client engagements.


Ready to assess your security maturity?

Schedule a free consultation. We'll discuss your current program, your goals, and what a NIST CSF assessment would produce for your organization.
