NIST CSF Maturity Assessment for Regulated Organizations

A NIST CSF maturity assessment tells you where your cybersecurity program actually stands — not where your policies say it should stand. It maps your current practices against the framework’s six functions, identifies gaps between your current and target profiles, and produces a remediation roadmap with defensible priorities. For regulated mid-market organizations, it is the starting point for every credible compliance and security improvement program. Armorstack’s VERITY team delivers structured CSF assessments across healthcare, financial services, manufacturing, and the defense industrial base.

What a NIST CSF Maturity Assessment Actually Measures

NIST CSF uses the concepts of Current Profile and Target Profile to frame the assessment process. A Current Profile documents the CSF outcomes — specific subcategories across the six functions — that the organization is currently achieving. A Target Profile documents the outcomes the organization needs to achieve given its risk appetite, regulatory obligations, and business context. The gap between the two is the remediation roadmap.
This framing is important because it prevents the most common failure mode in framework assessments: evaluating what policies exist rather than what controls are operational. A NIST CSF maturity assessment is not a document review. It examines whether controls are deployed, whether they are operating consistently, whether they are monitored and enforced, and whether the evidence of their operation exists in a form that satisfies auditors and regulators.
The assessment covers all six functions in CSF 2.0: GOVERN, Identify, Protect, Detect, Respond, and Recover. The GOVERN function, introduced in CSF 2.0, is often where the most significant gaps appear in mid-market organizations — specifically in risk management strategy documentation, executive and board-level oversight, and supply chain risk management. Mature Identify, Protect, and Detect capabilities frequently coexist with immature GOVERN practices, creating a profile that looks stronger than it is until governance is examined.

The Six Functions: What the Assessment Examines

GOVERN

The assessment examines whether the organization has a documented risk management strategy with defined risk appetite, whether cybersecurity roles and accountabilities are formally assigned and understood, whether policies are current and enforced organization-wide, whether leadership receives and acts on cybersecurity risk information, and whether a third-party and supply chain risk management process is operational. GOVERN gaps at the organizational context (GV.OC), oversight (GV.OV), and supply chain (GV.SC) levels are the most common blockers to advancing beyond a Tier 2 implementation posture. See NIST CSF implementation tiers for how GOVERN gaps map to tier advancement.

Identify

The assessment examines asset inventory completeness (systems, data, and applications), business environment documentation, risk assessment process rigor and cadence, and improvement planning. Common gaps include incomplete asset inventories that miss cloud workloads, SaaS applications, and operational technology, and risk assessments that are conducted annually but not used to drive resource allocation decisions throughout the year.

Protect

The assessment examines identity management and access control (including MFA deployment and access review processes), awareness and training programs, data security practices, platform security (configuration management, patch management, endpoint protection), and technology infrastructure resilience. Common gaps include MFA deployed for remote access but not for administrative access to critical systems, patch management processes with consistent exceptions for legacy or production systems, and access reviews that are conducted annually but not quarterly or more frequently for privileged accounts.

Detect

The assessment examines continuous monitoring capability, log collection scope and retention, anomaly and event detection processes, and the documented evidence that detection alerts are reviewed and acted upon. The most common gap is the distinction between monitoring in place and monitoring that is reviewed: many organizations have SIEM or logging tools collecting data that no one systematically reviews. Detection without a response process is a compliance liability, not a capability.

Respond

The assessment examines whether an incident response plan exists, whether it has been tested (tabletop exercise or functional test), whether roles and communication procedures are documented, whether analysis and mitigation procedures are defined, and whether improvement processes capture lessons learned. Auditors give no operational credit to a plan that has never been tested — it demonstrates intent but not operational capability.

Recover

The assessment examines recovery planning documentation, restoration process testing, and communications protocols during a recovery event. Backup and disaster recovery capabilities are examined in terms of documented recovery time objectives and recovery point objectives, whether those objectives have been tested against actual recovery performance, and whether executive and external communication procedures are established for a significant disruption event.

Assessment Methodology: How Armorstack Conducts the Evaluation

Armorstack’s VERITY team conducts NIST CSF maturity assessments through a structured process that combines document review, technical validation, and stakeholder interviews. Document review alone is insufficient — the gap between documented policy and operational reality is precisely what the assessment is designed to surface.
The process begins with a pre-assessment data collection phase in which the organization provides documentation across each function: policies, risk assessments, asset inventories, incident response plans, business continuity plans, training records, and vendor management documentation. The VERITY team reviews these against the applicable CSF subcategories and identifies areas where documentation review alone cannot validate operational effectiveness.
The technical validation phase examines the operational evidence: log collection coverage against the asset inventory, MFA deployment against the user population, patch currency against the patch management policy, and endpoint protection deployment against the endpoint inventory. This phase identifies the gaps between what policies say should be happening and what the technical evidence confirms is happening.
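The reconciliation the technical validation phase performs can be expressed as a small script that joins the evidence sources against each other. The following is an added illustration, not Armorstack's or VERITY's tooling: it assumes three constructed exports (an asset inventory, the SIEM's log-source list plus endpoint-agent check-ins, and an identity-provider user export with MFA enrolment) and labels each gap with the CSF 2.0 category it maps to.

```python
"""Evidence reconciliation for the technical validation phase (added example)."""
from collections import defaultdict

# Constructed sample evidence; a real run would load CMDB, SIEM and IdP exports.
ASSETS = [
    {"host": "erp-db-01", "kind": "server", "critical": True},
    {"host": "hr-saas", "kind": "saas", "critical": True},
    {"host": "plc-line3", "kind": "ot", "critical": True},
    {"host": "wks-0412", "kind": "workstation", "critical": False},
]
LOG_SOURCES = {"erp-db-01", "wks-0412"}   # hosts the SIEM actually receives logs from
EDR_AGENTS = {"wks-0412"}                 # hosts whose endpoint agent has checked in
USERS = [
    {"user": "alice", "admin": True, "remote": True, "mfa": True},
    {"user": "bob", "admin": True, "remote": False, "mfa": False},
    {"user": "carol", "admin": False, "remote": True, "mfa": True},
]


def reconcile(assets, log_sources, edr_agents, users):
    """Return findings keyed by the CSF 2.0 category each gap maps to."""
    findings = defaultdict(list)
    for a in assets:
        # Continuous monitoring: every inventoried asset should be a log source.
        if a["host"] not in log_sources:
            findings["DE.CM"].append(f"{a['host']} ({a['kind']}) sends no logs to the SIEM")
        # Platform security: servers and workstations should run endpoint protection.
        if a["kind"] in ("server", "workstation") and a["host"] not in edr_agents:
            findings["PR.PS"].append(f"{a['host']} has no endpoint protection agent")
    for u in users:
        # Identity and access control: privileged accounts must have MFA.
        if u["admin"] and not u["mfa"]:
            findings["PR.AA"].append(f"{u['user']} holds admin rights without MFA")
    return dict(findings)


def coverage(assets, log_sources):
    """Fraction of critical assets with log coverage (the Detect evidence figure)."""
    crit = [a for a in assets if a["critical"]]
    return sum(a["host"] in log_sources for a in crit) / len(crit)


def mfa_rate(users, population):
    """MFA enrolment for one population ('remote' or 'admin'), to expose the
    common 'MFA for remote access but not for admins' gap."""
    pop = [u for u in users if u[population]]
    return sum(u["mfa"] for u in pop) / len(pop)


if __name__ == "__main__":
    for cat, items in sorted(reconcile(ASSETS, LOG_SOURCES, EDR_AGENTS, USERS).items()):
        print(cat, *items, sep="\n  ")
    print(f"critical-asset log coverage: {coverage(ASSETS, LOG_SOURCES):.0%}")
    print(f"MFA remote {mfa_rate(USERS, 'remote'):.0%}, admin {mfa_rate(USERS, 'admin'):.0%}")
```

On the constructed data the SaaS and OT assets are invisible to the SIEM and admin MFA sits at 50% while remote-access MFA is 100%, which is exactly the pattern the Protect and Detect sections describe.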
Stakeholder interviews with IT leadership, security operations, business unit leadership, and executive sponsors surface the governance and integration gaps that neither documents nor technical configuration can reveal: whether risk decisions are made with executive input, whether cybersecurity risk appears in board reporting, and whether security requirements flow into vendor selection and management processes.

Assessment Output: What You Receive

The output of an Armorstack NIST CSF maturity assessment is a Current Profile documenting assessed status across all applicable subcategories, a Target Profile defined based on the organization’s regulatory context and risk appetite, a gap analysis organized by function and by priority, and a remediation roadmap with specific actions, owners, and timelines.
The remediation roadmap is not a ranked list of every gap found. It is a sequenced implementation plan that addresses foundational gaps before advanced ones — GOVERN and Identify gaps before Protect and Detect enhancements, governance integration before additional monitoring tooling — because the sequencing matters as much as the content. Organizations that invest in detection capabilities before establishing the oversight function to act on detection findings are adding cost without reducing risk.
For organizations whose assessment reveals significant gaps, the 90-Day Proof delivers the highest-priority remediation within a single quarter, establishing the foundation for a continuous compliance program. For organizations that need to understand how their CSF maturity assessment maps to specific control requirements under SP 800-53, the crosswalk analysis is covered at NIST CSF vs. NIST 800-53. For defense industrial base organizations mapping CSF gaps to CMMC requirements, the relevant crosswalk is at NIST 800-171 vs. CMMC crosswalk. The full NIST CSF program context is at the NIST CSF pillar page. To schedule an assessment or discuss your organization’s current posture, contact the Armorstack VERITY team.