NIST CSF Compliance Services

NIST Cybersecurity Framework (CSF) Consulting

Whether you are a CISO who needs to show the board where your security program stands, a business facing pressure from cyber insurance underwriters or enterprise customers demanding a framework assessment, or an organization that needs to align its security investments to risk rather than guesswork, NIST CSF gives you the structure. The problem is that most assessments produce a report that tells you where you are but not what to do next.

garrisonOne delivers NIST CSF assessments with a clear outcome: a current state evaluation, a target profile aligned to your actual business risk, and a prioritized roadmap that sequences investments by impact rather than by what is easiest. The assessment drives action instead of becoming a binder on a shelf.

  • 6 CSF 2.0 core functions
  • Govern: new function in CSF 2.0
  • Voluntary, but required by many insurers
  • All sectors: the framework applies everywhere
NIST CSF Current State Assessment

Most organizations have only a vague sense of their security posture: strong in some areas, unknown in others. That uncertainty is itself a risk. We assess your current state across all six CSF functions (Govern, Identify, Protect, Detect, Respond, Recover) and all 23 categories within them. Every subcategory is evaluated against your actual controls and practices, not assumptions, with a tier rating that is honest rather than optimistic. You finish knowing precisely where you stand.

Target Profile Development

A target profile without leadership input is just a wish list. A target profile that demands Tier 4 across every category regardless of your actual risk tolerance is a program your organization will never fund. We work with your leadership to define a target profile that is calibrated to your business objectives, sector risk environment, and what your board and insurance underwriters actually require, then map the gap between where you are and where you need to be with precision.

Prioritized Implementation Roadmap

The gap between your current and target profile is rarely closeable in one budget cycle. How you sequence improvements determines whether limited security spend goes where it matters most or gets absorbed by low-impact work. We build a phased roadmap that sequences each remediation initiative by risk reduction value, implementation effort, and dependencies, so your next two or three years of security investment is grounded in the assessment findings, not arbitrary priorities.

CSF to Regulatory Framework Mapping

If your organization is subject to multiple frameworks (HIPAA and SOC 2, say, or CMMC and ISO 27001), rebuilding separate control sets for each one is redundant and expensive. NIST CSF maps directly to all major frameworks. We document those cross-framework mappings so a single CSF assessment identifies gaps relevant to all your compliance obligations simultaneously, and remediation work closes gaps across multiple frameworks at once rather than addressing each in isolation.

Board-Ready Security Reporting

Technical assessment findings presented to a board in their raw form produce confusion, not decisions. Boards and executives need to understand risk in business terms: what is exposed, what it costs if something goes wrong, and what investment closes the gap. We translate your CSF assessment findings into board-ready reporting that frames cybersecurity posture as business risk, gives leadership a clear view of where the program stands, and supports the security investment decisions that actually need to happen.

NIST CSF 2.0 Governance Function

NIST CSF 2.0 added Govern as the sixth function, covering organizational context, risk management strategy, supply chain risk, roles, and oversight. Organizations still operating against CSF 1.1 are missing the governance dimension that regulators, insurers, and enterprise customers increasingly scrutinize. We assess and implement the Govern function to anchor your security program in organizational strategy and board-level accountability, not just technical controls.

Understanding NIST CSF

What organizations need to know about the framework before starting an assessment

What is the NIST CSF?

The NIST Cybersecurity Framework is a voluntary framework developed by the National Institute of Standards and Technology to help organizations manage cybersecurity risk. Version 2.0 (2024) organizes cybersecurity activities across six functions: Govern, Identify, Protect, Detect, Respond, and Recover. It is the most widely adopted cybersecurity reference framework in the US and maps directly to HIPAA, PCI DSS, SOC 2, ISO 27001, and CMMC.

Who uses it?

NIST CSF is used by organizations of every size and sector, from critical infrastructure operators to mid-market technology companies. Cyber insurance carriers, enterprise procurement teams, and regulators increasingly reference CSF tiers as a measure of security maturity. It is also used by organizations managing multiple compliance frameworks, as CSF alignment simultaneously satisfies components of other regulatory requirements.

Why does it matter?

Without a structured framework, security investments are driven by vendor pitches, recent incidents, or leadership intuition rather than actual risk. The result is organizations that are overprotected in some areas and completely exposed in others. NIST CSF provides a common language for measuring risk and prioritizing investment, one that boards, insurers, and enterprise customers increasingly expect you to speak.

How does an assessment work?

A CSF assessment produces a Current Profile (where you are across all functions and categories), which is compared against a Target Profile (where your risk tolerance and business objectives say you need to be). The gap between the two drives a prioritized roadmap. CSF uses four implementation tiers (Partial, Risk Informed, Repeatable, and Adaptive) to rate maturity at each level.
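The profile comparison described above, together with the roadmap sequencing described under "Prioritized Implementation Roadmap" (risk reduction value, implementation effort, dependencies, and a per-cycle budget), can be made concrete in a few lines. The script below is an added illustration, not garrisonOne's assessment method or tooling: the category identifiers follow CSF 2.0 Function.Category naming (for example GV.RM), but every tier rating, category weight, initiative, effort figure and budget is constructed for the example, and the greedy "best risk reduction per unit of effort" rule is one reasonable sequencing heuristic rather than anything the framework prescribes.

```python
"""Current-vs-Target Profile gap analysis and phased roadmap sequencing.

Added example, not garrisonOne's tooling. Category identifiers follow the
CSF 2.0 Function.Category naming (e.g. GV.RM); every tier rating, weight,
initiative, effort figure and budget below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# The four CSF implementation tiers.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# Current Profile: tier per category as rated in the assessment (constructed).
CURRENT = {"GV.RM": 1, "ID.AM": 2, "PR.AA": 2, "DE.CM": 1, "RS.MA": 2, "RC.RP": 1}
# Target Profile: the tier leadership agreed to fund, not Tier 4 everywhere (constructed).
TARGET = {"GV.RM": 3, "ID.AM": 3, "PR.AA": 3, "DE.CM": 3, "RS.MA": 3, "RC.RP": 2}
# Business-risk weight per category, set with leadership (constructed).
WEIGHT = {"GV.RM": 3.0, "ID.AM": 2.0, "PR.AA": 4.0, "DE.CM": 4.0, "RS.MA": 2.0, "RC.RP": 1.5}


@dataclass
class Initiative:
    name: str
    gains: dict[str, int]          # category -> tiers this initiative raises it by
    effort: float                  # person-weeks (constructed)
    depends_on: tuple[str, ...] = ()


# Remediation initiatives derived from the assessment findings (constructed).
INITIATIVES = [
    Initiative("risk-strategy", {"GV.RM": 2}, 4),
    Initiative("asset-inventory", {"ID.AM": 1}, 3),
    Initiative("mfa-rollout", {"PR.AA": 1}, 6, ("asset-inventory",)),
    Initiative("log-monitoring", {"DE.CM": 2}, 8, ("asset-inventory",)),
    Initiative("ir-playbooks", {"RS.MA": 1, "RC.RP": 1}, 5, ("risk-strategy",)),
    Initiative("backup-recovery-testing", {"RC.RP": 1}, 3),
]


def profile_gap(current: dict[str, int], target: dict[str, int]) -> dict[str, int]:
    """Tiers still to gain per category; 0 where the current tier meets the target."""
    return {cat: max(0, target[cat] - current.get(cat, 1)) for cat in target}


def risk_reduction(init: Initiative, gap: dict[str, int], weight: dict[str, float]) -> float:
    """Weighted gap an initiative actually closes. Gains past the remaining gap
    earn nothing, so an initiative made redundant by an earlier one scores 0."""
    return sum(min(tiers, gap.get(cat, 0)) * weight[cat] for cat, tiers in init.gains.items())


def sequence_roadmap(initiatives, gap, weight, budget_per_phase):
    """Greedy phased roadmap. Each pick is the ready initiative (dependencies done,
    fits the phase's remaining budget) with the best risk reduction per unit of
    effort, with value recomputed as the gap shrinks. A zero-value initiative is
    picked only while something still pending depends on it."""
    remaining = dict(gap)
    pending = {i.name: i for i in initiatives}
    done: set[str] = set()
    phases: list[list[str]] = []
    while pending:
        phase: list[str] = []
        capacity = budget_per_phase
        while True:
            ready = [
                i for i in pending.values()
                if set(i.depends_on) <= done and i.effort <= capacity
                and (risk_reduction(i, remaining, weight) > 0
                     or any(i.name in j.depends_on for j in pending.values()))
            ]
            if not ready:
                break
            best = max(ready, key=lambda i: risk_reduction(i, remaining, weight) / i.effort)
            phase.append(best.name)
            capacity -= best.effort
            done.add(best.name)
            del pending[best.name]
            for cat, tiers in best.gains.items():
                remaining[cat] = max(0, remaining.get(cat, 0) - tiers)
        if not phase:
            break  # nothing left is fundable or useful: over budget, cyclic, or redundant
        phases.append(phase)
    return {"phases": phases, "deferred": sorted(pending), "remaining_gap": remaining}


if __name__ == "__main__":
    gap = profile_gap(CURRENT, TARGET)
    plan = sequence_roadmap(INITIATIVES, gap, WEIGHT, budget_per_phase=12)
    for n, phase in enumerate(plan["phases"], 1):
        print(f"Phase {n}: {', '.join(phase)}")
    print("Deferred:", plan["deferred"])
```

Two design points are worth noticing. Value is recomputed after every pick, so an initiative that only duplicates a gain another initiative has already delivered drops to zero and is deferred rather than consuming budget, which is the "remediation that closes gaps rather than adds controls" discipline the roadmap is meant to enforce. And the per-phase budget cap is what turns a ranked list into a multi-year plan: an initiative that does not fit the remaining capacity of a phase waits for the next one even when its ranking is high.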

Official source: NIST Cybersecurity Framework 2.0



What Makes Us Different From Others

NIST Cybersecurity Framework (CSF) Consulting
  • CSF 2.0 Updated Expertise: NIST released CSF 2.0 in 2024 with the new Govern function and significant subcategory updates. We assess against CSF 2.0, not the outdated 1.1 version.
  • Multi-Framework Mapping Built In: We map CSF findings to your relevant regulatory frameworks so the assessment serves multiple compliance purposes.
  • Roadmap Tied to Budget Reality: We sequence the roadmap to what is achievable within your security budget, not a wish list that sits unused.
  • Executive Communication Focus: CSF is designed to bridge technical security and business leadership. We build the board-ready reporting that enables that conversation.
  • Implementation Support Available: We do not just assess; we can implement the roadmap we build. Assessment and implementation in a single engagement avoids translation loss.

Client results

See how we have helped

Manufacturing

Distributor — Network Security Assessment

Full network penetration test and security assessment for a regional distributor ahead of cyber insurance renewal. Coverage secured at preferred rates.

Network: fully assessed. Insurance: coverage secured. CMMC: readiness achieved.

Technology / SaaS

SaaS Startup — AWS Security Hardening

A seed-stage SaaS startup had customer data in a public S3 bucket. garrisonOne conducted a full AWS security assessment against CIS benchmarks and hardened the environment in 4 weeks.

3 public S3 buckets closed. 19 overprivileged IAM roles fixed. 100% security review passed.


Frequently asked questions

What is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework (CSF) is a voluntary framework published by the National Institute of Standards and Technology that provides a common language and structure for managing cybersecurity risk. CSF 2.0, released in 2024, organizes cybersecurity activities into six functions: Govern, Identify, Protect, Detect, Respond, and Recover.

Is NIST CSF required or voluntary?

NIST CSF is voluntary for most organizations but has become effectively mandatory in many contexts. Federal agencies are required to use the NIST Risk Management Framework, which aligns to CSF. Many regulated industries and procurement processes reference CSF compliance. Cyber insurance underwriters increasingly use CSF assessments to evaluate risk.

What is the difference between NIST CSF and NIST SP 800-171?

NIST CSF is a high-level risk management framework applicable to any organization. NIST SP 800-171 is a specific set of 110 security requirements for protecting Controlled Unclassified Information in non-federal systems. CMMC Level 2 is based on SP 800-171. An organization can use CSF to manage overall cybersecurity risk while separately pursuing CMMC/800-171 compliance for DoD contracts.

What are the NIST CSF implementation tiers?

NIST CSF defines four implementation tiers describing the rigor and sophistication of cybersecurity risk management practices: Tier 1 (Partial), ad hoc and reactive; Tier 2 (Risk Informed), risk-aware but inconsistent; Tier 3 (Repeatable), formal policies and consistent implementation; Tier 4 (Adaptive), continuously improving, threat-informed practices.

How long does a NIST CSF assessment take?

A thorough NIST CSF current state assessment for a mid-size organization typically takes two to four weeks. Organizations with complex environments or multiple business units may require four to six weeks. The resulting roadmap development typically adds one to two weeks.

How does NIST CSF relate to ISO 27001?

NIST CSF and ISO 27001 are complementary frameworks with significant overlap. ISO 27001 is a certification standard with specific Annex A controls. NIST CSF is a risk-based framework without a formal certification. Organizations pursuing ISO 27001 certification benefit from a CSF assessment as preparation because the frameworks map closely.

Ready to Strengthen Your Cybersecurity Posture?

Get a free 30-minute consultation with a GarrisonOne expert.


No obligation: just clarity on your next step.
