NIST CSF Assessment

You need a security baseline. The NIST Cybersecurity Framework is the standard. We assess your current state across all 6 functions, identify gaps, and prioritize what to fix.

10 business days
All 6 functions assessed
CSF 2.0 aligned
Get Started — $1,990

This is for you if:

  • You need a security baseline but don't know where to start
  • Customers or investors are asking about your security program
  • You're planning for SOC 2 or other frameworks and want a head start
  • Cyber insurance carriers want to see your security posture
  • 6 functions assessed
  • 22 categories covered
  • 106 subcategories reviewed
  • 10 days delivery

What you get

01 Current State Profile

Comprehensive assessment across all 6 NIST CSF 2.0 functions: Govern, Identify, Protect, Detect, Respond, Recover. We document where you are today with specific evidence.

02 Implementation Tier Assessment

We determine your current tier (Partial, Risk Informed, Repeatable, or Adaptive) with supporting rationale. You'll understand exactly what it takes to move to the next level.

03 Category-Level Gap Analysis

Detailed review of all 22 categories and 106 subcategories. We identify specific gaps and map them to concrete improvements.

04 Prioritized Remediation Roadmap

Gaps ranked by risk level and implementation effort. You'll know what to fix first, what can wait, and the expected impact of each improvement.

05 Quick-Win Action List

Low-effort, high-impact improvements you can implement immediately. Get visible security improvements fast without major investment.

06 Framework Mapping

If you're heading toward SOC 2, ISO 27001, or other frameworks, we show how your CSF improvements translate to those requirements.
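As an added illustration (not the provider's own method or tooling), the Python below models the three deliverables described above: a per-function current-state profile, a gap list ranked by risk and then effort, and a quick-win filter. The findings, the 0..2 status scale and the 1..5 risk/effort ratings are constructed assumptions; only the identifier scheme follows CSF 2.0.

```python
from dataclasses import dataclass
from collections import defaultdict

# The six CSF 2.0 functions, keyed by the two-letter prefix used in subcategory IDs.
FUNCTIONS = {"GV": "Govern", "ID": "Identify", "PR": "Protect",
             "DE": "Detect", "RS": "Respond", "RC": "Recover"}

# Assessed status of a subcategory outcome, scored 0..2 for the profile (assumed scale).
STATUS_SCORE = {"not_implemented": 0, "partial": 1, "implemented": 2}

@dataclass
class Finding:
    subcategory: str  # CSF 2.0 identifier such as "GV.OC-01"
    status: str       # key of STATUS_SCORE
    risk: int         # assessor's risk rating, 1 (low) .. 5 (high), assumed scale
    effort: int       # estimated implementation effort, 1 (low) .. 5 (high), assumed scale

# Constructed sample findings for illustration only; the ratings are made up, not assessment data.
SAMPLE = [
    Finding("GV.OC-01", "implemented", 3, 2),
    Finding("GV.SC-01", "not_implemented", 4, 3),
    Finding("ID.AM-01", "partial", 4, 2),
    Finding("PR.AA-01", "not_implemented", 5, 2),
    Finding("PR.DS-01", "partial", 4, 4),
    Finding("DE.CM-01", "not_implemented", 5, 5),
    Finding("RS.MA-01", "partial", 3, 1),
    Finding("RC.RP-01", "not_implemented", 3, 1),
]

def function_coverage(findings):
    """Current-state profile: percent of the maximum score reached per function."""
    totals = defaultdict(lambda: [0, 0])  # function -> [score achieved, score possible]
    for f in findings:
        fn = f.subcategory.split(".")[0]
        totals[fn][0] += STATUS_SCORE[f.status]
        totals[fn][1] += max(STATUS_SCORE.values())
    return {FUNCTIONS[fn]: round(100 * got / possible) for fn, (got, possible) in totals.items()}

def prioritized_gaps(findings):
    """Gap analysis in roadmap order: highest risk first, lowest effort breaks ties."""
    gaps = [f for f in findings if f.status != "implemented"]
    return [f.subcategory for f in sorted(gaps, key=lambda f: (-f.risk, f.effort, f.subcategory))]

def quick_wins(findings, max_effort=2, min_risk=3):
    """Quick-win list: the gaps that are cheap to close but carry real risk."""
    by_id = {f.subcategory: f for f in findings}
    return [s for s in prioritized_gaps(findings)
            if by_id[s].effort <= max_effort and by_id[s].risk >= min_risk]
```

Running the functions over SAMPLE yields 0% coverage for Detect and Recover, so those gaps surface first even before the risk ranking is read.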

The process

8 steps from intake to complete NIST CSF assessment.

  1. Submit intake (online form)
  2. Environment review (IT landscape)
  3. GOVERN function (strategy & policy)
  4. IDENTIFY/PROTECT (assets & controls)
  5. DETECT/RESPOND (monitoring & IR)
  6. RECOVER function (resilience)
  7. Tier assessment (maturity level)
  8. Delivery (full report)

Scope

What's included

Included
  • Full 6-function current state profile
  • Implementation tier assessment
  • Category-level gap analysis
  • Prioritized remediation roadmap
  • Quick-win action list
Also
  • Framework mapping (SOC 2, ISO)
  • Target state recommendations
  • Evidence documentation guidance
  • 30-day email support

Important

This engagement constitutes an assessment only and does not result in certification. The NIST Cybersecurity Framework is a voluntary framework with no formal certification program. This assessment evaluates your current security posture and identifies areas requiring improvement.

The 6 CSF 2.0 Functions

NIST CSF 2.0 organizes cybersecurity activities into 6 concurrent functions. Each contains categories and subcategories that describe specific outcomes. We assess your maturity across all of them.

GV: GOVERN

Cybersecurity risk management strategy, expectations, and policy. The new CSF 2.0 function covering organizational context, roles, policies, and supply chain.

Categories: Organizational Context, Risk Management Strategy, Roles & Responsibilities, Policy, and 2 more

ID: IDENTIFY

Understanding assets, business environment, governance, risk assessment, and risk management strategy.

Categories: Asset Management, Business Environment, Risk Assessment, Improvement

PR: PROTECT

Safeguards to ensure delivery of critical services.

Categories: Identity Management & Access Control, Awareness & Training, Data Security, Platform Security, and 1 more

DE: DETECT

Activities to identify the occurrence of cybersecurity events.

Categories: Continuous Monitoring, Adverse Event Analysis

RS: RESPOND

Actions regarding detected cybersecurity incidents.

Categories: Incident Management, Incident Analysis, Incident Response Reporting & Communication, Incident Mitigation

RC: RECOVER

Activities to restore capabilities or services impaired due to a cybersecurity incident.

Categories: Incident Recovery Plan Execution, Incident Recovery Communication

Before vs After

Without assessment:
  • No documented security baseline
  • Unknown maturity level
  • Gaps discovered reactively
  • No prioritization for improvements
  • Hard to demonstrate security posture

With CSF Assessment:
  • Current state profile documented
  • Implementation tier determined
  • Gaps identified proactively
  • Prioritized remediation roadmap
  • Evidence for customers and insurers

Result: a security program you can defend

Common questions

What's the difference between NIST CSF and NIST 800-53?

CSF is a framework—principles and best practices for managing cybersecurity risk. It's flexible and applicable to any organization. 800-53 is a detailed control catalog with over 1,000 specific requirements, primarily used for federal systems and FedRAMP. CSF helps you organize your program; 800-53 tells you exactly what controls to implement. We assess against CSF, which is the right starting point for most businesses.

Is NIST CSF required for my business?

Not by law for most private companies. However, it's becoming the de facto standard for demonstrating security maturity. Customers ask about it. Cyber insurers reference it. Some regulations (like NYDFS) require a program consistent with NIST CSF. And several federal contractors need NIST alignment for CMMC. If you're going to adopt a framework, CSF is the safe choice.

We already have SOC 2. Do we need NIST CSF?

SOC 2 and NIST CSF overlap significantly in Protect and Detect functions. But CSF gives you broader coverage—particularly around governance (the new GOVERN function), supply chain risk, and continuous improvement. Many mature organizations use both: SOC 2 for customer assurance, CSF for internal program management.

What implementation tier should we target?

Tier 2 (Risk Informed) is realistic for most SMBs—you're aware of risks and managing them, but processes may not be fully documented. Tier 3 (Repeatable) suits companies with regulatory requirements or enterprise customers expecting formal programs. Tier 4 (Adaptive) is for organizations where security is existential. We'll recommend based on your business context.

What changed in CSF 2.0?

The biggest change is GOVERN—a new sixth function focused on cybersecurity governance, strategy, policy, and supply chain risk management. CSF 2.0 also expanded guidance for small businesses, improved outcome statements, and better integrates with other frameworks. All our assessments use CSF 2.0.

How does this help with cyber insurance?

Many cyber insurers now ask about NIST CSF alignment or use CSF-based questions in their applications. A documented assessment showing your current state and improvement roadmap demonstrates you're managing security risk—which can help with both coverage and premiums.

Get your security baseline documented.

We assess your current state across all 6 NIST CSF 2.0 functions, determine your implementation tier, and give you a prioritized roadmap. 10 days, $1,990, clear next steps.

Get Started