From cybersecurity-skills
Assesses security posture against NIST CSF 2.0, producing gap analysis, tier assessment, and governance-ready roadmap for CISOs, boards, and auditors.
Slash command: `/cybersecurity-skills:csf-mapping`
Translate your security posture into the language every CISO, board, auditor, and insurer already speaks. Distinct from the audit skills (which find specific issues); this skill assesses your *program* against a recognized framework and produces governance-ready output.
NIST CSF 2.0 is the framework that, as of 2024, replaced CSF 1.1. It added a sixth function — Govern — recognizing that the others can't work without governance backing.
The six functions:
| Function | What it covers |
|---|---|
| Govern (GV) | Cybersecurity strategy, roles, policies, oversight, supply chain risk |
| Identify (ID) | Asset inventory, business environment, risk assessment, supply chain |
| Protect (PR) | Access control, awareness, data security, baseline configurations, maintenance, protective tech |
| Detect (DE) | Continuous monitoring, anomaly detection, adverse event analysis |
| Respond (RS) | Incident management, analysis, mitigation, reporting, comms |
| Recover (RC) | Recovery planning, improvements, communications |
Each function contains Categories (e.g., PR.AA — Identity Management, Authentication, and Access Control), and each category contains Subcategories (e.g., PR.AA-01 — Identities and credentials for authorized users, services, and hardware are managed).
This skill maps your reality to those Subcategories.
Cross-references: every audit skill in this repo (they produce evidence that becomes the "current state" entries here), iam-audit (most of PR.AA), siem-detection (most of DE), incident-triage (most of RS), threat-modeling (informs ID.RA risk assessment), breach-patterns (informs ID.IM improvements from lessons learned).
CSF assessments are scope-bounded. Decide which of these you're assessing:
Write down what's in and what's out. Most CSF assessments fail at scope drift.
CSF 2.0 introduced Organizational Profiles — instead of "score every Subcategory equally," you tailor based on what matters.
For a first-pass assessment, start with a Community Profile if one exists for your sector, then tailor.
For each Subcategory in scope:
| Field | What to record |
|---|---|
| ID | e.g., PR.AA-05 |
| Subcategory text | Verbatim from NIST or paraphrased |
| Current state | What you actually do today (evidence, not aspiration) |
| Evidence | Document / system / process that proves the current state |
| Tier | Partial / Risk-Informed / Repeatable / Adaptive (1-4) |
| Target tier | What you're aiming for |
| Gap | The delta |
| Plan | What closes the gap |
| Owner | Who's accountable |
| Timeline | When |
| Tier | Name | Characteristic |
|---|---|---|
| 1 | Partial | Ad-hoc, reactive, undocumented; awareness is informal |
| 2 | Risk-Informed | Risk management is approved but not org-wide; processes are repeatable for some teams |
| 3 | Repeatable | Documented org-wide policies; consistent processes; risk-informed budgeting |
| 4 | Adaptive | Continuous improvement; quantitative risk; learning from incidents (yours and peers'); cybersecurity culture |
Tier 4 is rare and expensive. Most mature SaaS orgs target Tier 3 across most subcategories. Set targets based on what the business actually needs, not what looks good.
For each gap, ask:
Prioritize by Risk × Cost-to-close — not just by risk. Some critical-risk items take a year and three vendors; some quick wins reduce real risk in a sprint.
CSF roadmaps usually run in quarters with annual targets. A useful structure:
Each item on the roadmap names: the Subcategory it closes, the owner, the budget, the success metric, the review date.
A useful shortcut — these are the audit skills that produce evidence for which CSF Subcategories.
| CSF Subcategory | Audit skill | Type of evidence |
|---|---|---|
| GV.SC (Supply Chain Risk) | dependency-audit | CVE inventory, vendor list, supply chain risk register |
| ID.AM (Asset Management) | cloud-audit, container-audit, recon | Asset inventory output |
| ID.RA (Risk Assessment) | threat-modeling, breach-patterns | Threat models, breach-pattern coverage doc |
| ID.IM (Improvement from past incidents) | incident-triage post-mortems, breach-patterns | Post-incident reviews, lessons-learned applied |
| PR.AA (Identity & Access Control) | iam-audit | IAM audit reports, role inventory |
| PR.DS (Data Security) | crypto-audit, secrets-audit | Crypto posture, secrets management posture |
| PR.PS (Platform Security) | container-audit, cloud-audit | K8s hardening, cloud posture |
| PR.IR (Infrastructure Resilience) | container-audit, cloud-audit | Network policy, segmentation, backup posture |
| DE.CM (Continuous Monitoring) | siem-detection, soc-operations | SIEM coverage, ATT&CK Navigator export |
| DE.AE (Anomaly & Event Analysis) | siem-detection, threat-hunting | Detection rule inventory, hunt findings |
| RS.MA (Incident Management) | incident-triage, soc-operations | IR plan, runbooks, recent incident reports |
| RS.AN (Analysis) | disk-forensics, incident-triage | Forensic analysis outputs |
| RS.MI (Mitigation) | finding-triage, incident-triage | Triage decisions, mitigation tracking |
| RC.RP (Recovery Plan) | (not directly covered — separate BCP/DR work) | BCP / DR plans, tested recovery |
For Subcategories without direct skill coverage, the gap is usually "we have technical depth but not the program-level artifact." E.g., RC.RP-01 (Recovery plan is executed during or after an incident) needs an actual documented and tested BCP/DR plan — running incident-triage doesn't automatically produce one.
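The per-Subcategory record, tier roll-up, risk-versus-cost prioritization and evidence check described above, carried through as an added example (not part of the skill's own code). It assumes a 1-5 risk rating and a cost-to-close in engineer-weeks per entry, rolls a function up to its weakest Subcategory, scores open gaps by tier gap times risk divided by cost, and runs on constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
TIER_NAMES = {1: "Partial", 2: "Risk-Informed", 3: "Repeatable", 4: "Adaptive"}

@dataclass
class Entry:
    sub: str        # Subcategory ID, e.g. PR.AA-05
    current: int    # Implementation Tier today, 1-4
    target: int     # Tier the business actually needs, 1-4
    risk: int       # assumed 1-5 rating of the risk left open by this gap
    cost: int       # assumed cost-to-close, in engineer-weeks
    evidence: str   # artifact that proves the current state; "" if none exists

def gap(e): return max(e.target - e.current, 0)

def function_tiers(entries):
    """Roll up to the six functions; a function is as mature as its weakest Subcategory (assumed rule)."""
    by_fn = defaultdict(list)
    for e in entries:
        by_fn[e.sub.split(".")[0]].append(e)
    return {fn: (min(x.current for x in xs), min(x.target for x in xs))
            for fn, xs in sorted(by_fn.items())}

def prioritize(entries):
    """Open gaps ordered by tier-gap x risk per unit cost, so cheap high-risk items outrank slow expensive ones."""
    return sorted((e for e in entries if gap(e) > 0),
                  key=lambda e: gap(e) * e.risk / e.cost, reverse=True)

def missing_evidence(entries):
    """Subcategories recorded without an artifact: the 'technical depth but no program-level artifact' gap."""
    return [e.sub for e in entries if not e.evidence]

def render(entries):
    """Markdown tables in the shape of the assessment template's tier summary and detail sections."""
    out = ["| Function | Current tier | Target tier |", "|---|---|---|"]
    out += [f"| {fn} | {c} | {t} |" for fn, (c, t) in function_tiers(entries).items()]
    out += ["", "| Subcategory | Tier | Target | Gap | Priority score |", "|---|---|---|---|---|"]
    out += [f"| {e.sub} | {TIER_NAMES[e.current]} | {TIER_NAMES[e.target]} | {gap(e)} | {gap(e) * e.risk / e.cost:.2f} |"
            for e in prioritize(entries)]
    return "\n".join(out)

def sample_entries():
    # Constructed sample data for illustration, not a real assessment.
    return [
        Entry("PR.AA-01", 3, 3, 4, 2, "iam-audit report"),
        Entry("PR.AA-05", 2, 3, 4, 2, "iam-audit report"),
        Entry("DE.CM-01", 2, 3, 5, 10, "siem-detection coverage export"),
        Entry("RC.RP-01", 1, 2, 5, 8, ""),
        Entry("GV.SC-01", 1, 3, 3, 6, "dependency-audit CVE inventory"),
    ]
```

`render(sample_entries())` prints the tier summary and the prioritized gap list; RC.RP-01 shows up in `missing_evidence` because no BCP/DR artifact backs it.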
Patterns I see repeatedly in CSF assessments. Not universal, but starting points:
```markdown
# NIST CSF 2.0 Posture Assessment
## Organization: [name]
## Scope: [what's in / out]
## Date: [date]
## Assessor: [name]
## Executive summary
[2-3 paragraphs in plain English — overall posture, top 3 risks, top 3 wins, recommended 90-day priorities]
## Profile
### Tier summary across functions
| Function | Current tier | Target tier |
|----------|--------------|-------------|
| GV | 2 | 3 |
| ID | 2 | 3 |
| PR | 3 | 3 |
| DE | 2 | 3 |
| RS | 3 | 3 |
| RC | 1 | 2 |
### Per-Subcategory detail
| Subcategory | Current state | Evidence | Tier | Target | Gap | Owner | Timeline |
|-------------|---------------|----------|------|--------|-----|-------|----------|
## Prioritized roadmap
### Next 30 days
- [Item, owner, success metric]
### Next 90 days
- [Item, owner, success metric]
### Next 12 months
- [Item, owner, success metric]
## Cross-references
[Links to evidence — audit reports, IR plans, IAM reports, etc.]
```
Boards don't want Subcategory IDs. They want answers to three questions:
Use the CSF assessment as the backing detail. The board view is a one-page heatmap and three slides of priorities. The assessment goes in the appendix.
Reference: nist.gov/cyberframework
Install: `npx claudepluginhub briiirussell/cybersecurity-skills --plugin cybersecurity-skills`