Review target
skills/compliance/nist-csf-assessment
Gap
The NIST CSF assessment skill develops current and target organizational profiles, but it does not require target profile entries to be measurable, owned, time-bounded, and tied to evidence sources. A target profile can therefore state a desired Tier or score without giving the organization a way to execute or track progress between assessments.
Why this matters
NIST CSF profiles are meant to drive risk-informed improvement, not just produce a static maturity table. Without measurability gates:
- target scores are not connected to KPIs/KRIs or outcome metrics;
- owners are not accountable for closing priority gaps;
- due dates and milestones are missing;
- evidence sources are undefined, making progress hard to verify;
- dependencies such as budget, third-party actions, CMDB quality, SIEM coverage, or governance decisions are hidden;
- the same gap can repeat in the next assessment because no execution plan exists.
Proposed evidence gates
Add a profile measurability step requiring each high-priority target gap to document:
- outcome metric;
- baseline value and evidence date;
- target value or threshold;
- accountable owner;
- due date or milestone cadence;
- evidence source/system of record;
- dependencies needed to close the gap.
Also add a Target Profile Execution Plan table to the output and classify missing owner/metric/evidence as a Profile Planning Gap.
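As an added example (not the skill's own code), a gate that checks each target gap for the fields listed above, builds the Target Profile Execution Plan rows and classifies an incomplete high-priority entry as a Profile Planning Gap; the TargetGap field names, status labels and sample entries are assumptions:

```python
"""Measurability gate for NIST CSF target profile entries. Added example, not
the skill's own code; field names, statuses and sample data are assumptions."""
from dataclasses import asdict, dataclass, field
from typing import List, Optional

# Every high-priority target gap must document these (the proposed gate).
REQUIRED_FIELDS = ("outcome_metric", "baseline_value", "baseline_evidence_date",
                   "target_value", "owner", "due_date", "evidence_source")

@dataclass
class TargetGap:
    subcategory: str                      # CSF subcategory the gap belongs to
    priority: str                         # "high", "medium" or "low"
    outcome_metric: Optional[str] = None  # KPI/KRI the target is stated in
    baseline_value: Optional[str] = None  # measured current value
    baseline_evidence_date: Optional[str] = None
    target_value: Optional[str] = None    # target value or threshold
    owner: Optional[str] = None           # accountable owner
    due_date: Optional[str] = None        # due date or milestone cadence
    evidence_source: Optional[str] = None # system of record for the metric
    dependencies: List[str] = field(default_factory=list)

def missing_fields(gap: TargetGap) -> List[str]:
    """Required fields the entry leaves blank (empty string counts as blank)."""
    return [f for f in REQUIRED_FIELDS if not getattr(gap, f)]

def execution_plan(gaps: List[TargetGap]) -> List[dict]:
    """Rows of the Target Profile Execution Plan. A high-priority gap with any
    required field blank is classified as a Profile Planning Gap."""
    rows = []
    for g in gaps:
        missing = missing_fields(g)
        if g.priority == "high" and missing:
            status = "Profile Planning Gap"   # target cannot be executed or tracked
        else:
            status = "Executable" if not missing else "Not gated"
        rows.append({**asdict(g), "missing": missing, "status": status})
    return rows

# Constructed sample entries; subcategory ids are used only as labels.
SAMPLE_GAPS = [
    TargetGap("PR.PS-02", "high", outcome_metric="% in-scope assets patched within SLA",
              baseline_value="61%", baseline_evidence_date="2024-05-01", target_value=">= 95%",
              owner="Infrastructure Lead", due_date="2024-12-31",
              evidence_source="vulnerability scanner", dependencies=["CMDB quality"]),
    TargetGap("DE.CM-01", "high", outcome_metric="% log sources onboarded to SIEM",
              owner="SOC Manager"),        # no baseline, target, due date or evidence source
    TargetGap("GV.OC-01", "low"),          # low priority: reported but not gated
]
```

The `missing` list on each row names exactly which of the seven fields the next assessment must still supply, so the same gap cannot silently recur without an execution record.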
Bounty request
Reviewer tier ($25) if this review is accepted. I can provide payment details if accepted.