Current-State Gap Analysis
We evaluate your security program against NIST CSF 2.0 and identify missing controls, weak processes, documentation gaps, and technical risks.
OC Security Audit helps organizations build a practical NIST CSF 2.0-aligned cybersecurity program with gap analysis, risk assessment, control mapping, remediation planning, documentation, and executive-ready reporting.
OC Security Audit, with 25+ years of experience under the management of Ali Hassani, has worked on dozens of business networks throughout Southern California, Irvine, and Los Angeles. Our professionals help make your network and data more secure, your business better prepared, and your compliance readiness easier to demonstrate.
We translate NIST Cybersecurity Framework outcomes into practical security governance, technical controls, operating procedures, and evidence your business can use for leadership decisions, client assurance, vendor reviews, cyber insurance, and audit preparation.
We create a prioritized remediation plan with business impact, risk level, ownership, expected evidence, and implementation sequence.
We help prepare policies, procedures, evidence lists, executive summaries, security maturity scoring, and control mapping.
NIST CSF 2.0 helps businesses structure cybersecurity around measurable outcomes. OC Security Audit helps convert those outcomes into practical controls, policies, workflows, and reports that fit your business environment.
Our process is built for real businesses that need clear priorities, practical technical recommendations, and documentation that can support security reviews.
We define business goals, systems, sensitive data, stakeholders, compliance drivers, deadlines, and security priorities.
We review governance, identity, endpoints, firewalls, network architecture, Microsoft 365, Azure, logging, backups, and documentation.
We map existing controls to NIST CSF 2.0 outcomes and identify control, process, and evidence gaps.
We rank gaps by business impact, likelihood, technical exposure, implementation effort, and compliance relevance.
We help your IT team, MSP, executives, and vendors correct gaps with practical technical and administrative actions.
We support follow-up validation, evidence readiness, leadership reporting, and continuous improvement planning.
Our NIST gap analysis gives leadership and IT teams a clear view of where the organization stands today and what must change to become more secure and better aligned with NIST CSF.
MFA, privileged access, account reviews, authentication hardening, and least privilege.
Phishing protection, mailbox security, sharing controls, Microsoft 365 posture, and user risk.
Discovery, prioritization, remediation, patching, exposure reduction, and validation.
Escalation, response playbooks, communication, containment, evidence, recovery, and lessons learned.
Cybersecurity posture summary, NIST readiness scorecard, top risks, leadership action plan, investment priorities, and compliance readiness overview.
Technical findings, vulnerability summary, identity and access findings, firewall and network findings, Microsoft 365 and Azure security findings.
NIST gap analysis, control mapping, risk register, policy gap list, evidence checklist, remediation roadmap, and validation checklist.
NIST CSF helps businesses establish a common language for security risk. OC Security Audit helps turn that structure into practical security improvements and documentation your organization can use.
No current risk assessment, outdated policies, unclear ownership, no incident response plan, no vendor risk process, or no recurring evidence review.
Weak MFA coverage, excessive admin privileges, poor access reviews, risky sign-ins, limited awareness records, and email security weaknesses.
Unreviewed firewall rules, limited network segmentation, incomplete patch tracking, poor logging visibility, and untested backup restoration.
NIST CSF can support readiness for related standards and business requirements. OC Security Audit provides compliance readiness, assessment, gap analysis, advisory, documentation support, control review, and preparation services.
OC Security Audit supports businesses that need practical cybersecurity audit, compliance readiness, Microsoft 365 security audit, Azure cloud security audit, firewall audit, vulnerability assessment, cybersecurity risk assessment, and vCISO advisory services.
NIST Cybersecurity Framework implementation is the process of aligning your cybersecurity program with NIST CSF outcomes, including governance, risk assessment, access control, network security, monitoring, incident response, recovery planning, policies, procedures, and evidence documentation.
NIST CSF is a cybersecurity framework, not a certification program. Organizations use it to demonstrate cybersecurity maturity, support vendor reviews, prepare for audits, improve cyber insurance readiness, and strengthen security governance.
OC Security Audit can provide a NIST CSF gap analysis, executive summary, technical findings report, risk register, control mapping, policy gap list, remediation roadmap, evidence checklist, maturity scorecard, and follow-up validation recommendations.
Yes. OC Security Audit evaluates Microsoft 365, Entra ID, Exchange Online, SharePoint, OneDrive, Teams, and Azure security controls as part of NIST-aligned implementation and cloud security readiness.
Businesses preparing for vendor reviews, customer security questionnaires, cyber insurance requirements, internal governance, compliance readiness, or security maturity improvement can benefit from NIST CSF implementation.
Speak with OC Security Audit about a NIST CSF 2.0 gap analysis, cybersecurity risk assessment, remediation roadmap, policy development, and audit-ready documentation for your organization.
A professional NIST Cybersecurity Framework checklist for cybersecurity engineers, CISOs, CTOs, IT managers, and network engineers to evaluate administrative, technical, and physical controls against NIST CSF 2.0-aligned security outcomes.
This practical NIST Cybersecurity Framework checklist is designed for cybersecurity engineers, CISO and vCISO leaders, CTOs, IT managers, compliance teams, and network engineers. It can be used to review business networks, Microsoft 365 and Azure environments, identity controls, firewalls, endpoints, backups, monitoring, incident response, recovery procedures, vendor risk, governance, and physical safeguards against NIST-recommended cybersecurity outcomes.
The checklist organizes controls by NIST CSF 2.0 function and category, adds administrative, technical, and physical control types, and includes columns for evidence, owner, risk impact, likelihood, calculated risk score, priority, review frequency, and source mapping.
This checklist includes 84 baseline checks across NIST CSF 2.0 functions and control areas.
OC Security Audit brings 25+ years of IT, cybersecurity, audit, and compliance experience under the management of Ali Hassani. Our team has worked on dozens of business networks across Southern California, Irvine, Orange County, and Los Angeles, with certifications and experience including CISSP, CCISO, MCSE, MCSA Security, MCITP, CCNA, CCNP, and related security leadership expertise.
Use this checklist as a structured starting point, then validate the environment with a professional security audit, risk assessment, Microsoft 365 audit, Azure security audit, firewall assessment, and vulnerability assessment.
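As an added example (not the page's or OC Security Audit's own tooling), a small Python validator for rows in the checklist format that follows: it parses the pipe-delimited rows, checks that Risk Score equals Risk Impact × Likelihood, and derives the priority band. The band thresholds are inferred from the table's own rows (12 is Medium, 15 and 16 are High, 20 and 25 are Critical); the Low band below 10 and the sample rows are constructed assumptions.

```python
"""Validate NIST CSF 2.0 checklist rows: score arithmetic, priority band, scorecard."""
from __future__ import annotations

import re
from dataclasses import dataclass

CONTROL_ID = re.compile(r"[A-Z]{2}\.[A-Z]{2}-\d{2}")  # e.g. GV.RM-02, PR.PS-02


@dataclass
class Check:
    control_id: str
    function: str
    impact: int
    likelihood: int
    score: int
    priority: str


def priority_for(score: int) -> str:
    """Priority band for a 1-25 score (impact 1-5 x likelihood 1-5).
    Bands follow the checklist's rows: 12 -> Medium, 15/16 -> High, 20/25 -> Critical.
    The Low band for scores below 10 is an assumption; the table shows no such row."""
    if score >= 20:
        return "Critical"
    if score >= 15:
        return "High"
    if score >= 10:
        return "Medium"
    return "Low"


def parse_row(line: str) -> Check | None:
    """Parse one 17-column checklist row; header, separator and blank lines give None."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 17 or not CONTROL_ID.fullmatch(cells[1]):
        return None
    return Check(control_id=cells[1], function=cells[2], impact=int(cells[9]),
                 likelihood=int(cells[10]), score=int(cells[11]), priority=cells[12])


def parse_checklist(text: str) -> list[Check]:
    return [c for c in (parse_row(line) for line in text.splitlines()) if c]


def validate(checks: list[Check]) -> list[tuple[str, str]]:
    """Return (control_id, problem) pairs for rows that contradict the scoring scheme."""
    findings = []
    for c in checks:
        if not (1 <= c.impact <= 5 and 1 <= c.likelihood <= 5):
            findings.append((c.control_id, "impact/likelihood outside the 1-5 scale"))
            continue
        expected = c.impact * c.likelihood
        if c.score != expected:
            findings.append((c.control_id, f"risk score {c.score} should be {expected}"))
        band = priority_for(expected)
        if c.priority != band:
            findings.append((c.control_id, f"priority {c.priority} should be {band}"))
    return findings


def scorecard(checks: list[Check]) -> dict[str, dict[str, int]]:
    """Count checks per CSF function and recomputed priority band (readiness summary)."""
    out: dict[str, dict[str, int]] = {}
    for c in checks:
        band = priority_for(c.impact * c.likelihood)
        out.setdefault(c.function, {})
        out[c.function][band] = out[c.function].get(band, 0) + 1
    return out


# Constructed sample: two rows abbreviated from the checklist, plus two deliberately
# inconsistent rows (wrong score on PR.PS-02, wrong priority band on DE.CM-03).
SAMPLE = """
| # | Control ID | CSF Function | NIST Category | Control Type | Control Domain | Recommended Control / Checklist Item | Evidence / Artifact to Review | Primary Owner | Risk Impact | Likelihood | Risk Score | Priority | Target Maturity | Assessment Status | Review Frequency | Source / Mapping |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 6 | GV.RM-02 | Govern | Risk Management Strategy | Administrative | Risk Register | Maintain a cybersecurity risk register. | Risk register. | CISO / IT Manager | 5 | 5 | 25 | Critical | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 19 | GV.SC-04 | Govern | Cybersecurity Supply Chain Risk Management | Administrative | Contractual Security | Include security requirements in vendor contracts. | MSA/security addendum. | Legal / Procurement | 4 | 3 | 12 | Medium | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 98 | PR.PS-02 | Protect | Platform Security | Technical | Patch Management | Patch based on severity and exposure. | Patch dashboard. | IT Operations | 5 | 5 | 20 | Critical | Defined | Baseline Control | Monthly | NIST CSF 2.0 |
| 99 | DE.CM-03 | Detect | Continuous Monitoring | Technical | Network Monitoring | Monitor firewall and IDS events. | Firewall logs. | Network Engineer | 4 | 4 | 16 | Critical | Defined | Baseline Control | Continuous | NIST CSF 2.0 |
"""

if __name__ == "__main__":
    rows = parse_checklist(SAMPLE)
    for control_id, problem in validate(rows):
        print(f"{control_id}: {problem}")
    print(scorecard(rows))
```

Pointing `parse_checklist` at the full table exported from this page turns it into a consistency check before the register goes into an executive report.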
| # | Control ID | CSF Function | NIST Category | Control Type | Control Domain | Recommended Control / Checklist Item | Evidence / Artifact to Review | Primary Owner | Risk Impact | Likelihood | Risk Score | Priority | Target Maturity | Assessment Status | Review Frequency | Source / Mapping |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | GV.OC-01 | Govern | Organizational Context | Administrative | Business Context | Document critical business objectives, mission-critical services, legal/regulatory expectations, and cybersecurity dependencies. | Business impact analysis, system inventory, compliance requirements register, executive approval. | CISO / CTO | 5 | 4 | 20 | Critical | Defined | Baseline Control | Annual / major change | NIST CSF 2.0 |
| 2 | GV.OC-02 | Govern | Organizational Context | Administrative | Stakeholders | Identify internal and external stakeholders with cybersecurity expectations, including customers, vendors, regulators, insurers, and executives. | Stakeholder register, vendor requirements, insurance questionnaire, customer security requirements. | CISO / Compliance | 4 | 4 | 16 | High | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 3 | GV.OC-03 | Govern | Organizational Context | Administrative | Risk Tolerance | Define cybersecurity risk appetite and acceptable risk thresholds for business operations and technology decisions. | Risk appetite statement, risk acceptance criteria, board/leadership approval. | Executive Leadership | 5 | 4 | 20 | Critical | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 4 | GV.OC-04 | Govern | Organizational Context | Administrative | Dependency Mapping | Map business-critical dependencies, including cloud platforms, MSPs, ISPs, SaaS vendors, facilities, and managed security services. | Dependency map, vendor list, service criticality rating. | IT Manager / Procurement | 4 | 4 | 16 | High | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 5 | GV.RM-01 | Govern | Risk Management Strategy | Administrative | Risk Management | Establish a cybersecurity risk management strategy aligned with business objectives and enterprise risk management. | Risk management plan, risk register methodology, escalation thresholds. | CISO / vCISO | 5 | 4 | 20 | Critical | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 6 | GV.RM-02 | Govern | Risk Management Strategy | Administrative | Risk Register | Maintain a cybersecurity risk register with ratings, treatment decisions, owners, due dates, and evidence of closure. | Risk register, remediation tracker, risk acceptance records. | CISO / IT Manager | 5 | 5 | 25 | Critical | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 7 | GV.RM-03 | Govern | Risk Management Strategy | Administrative | Risk Prioritization | Prioritize remediation by business impact, likelihood, exposure, exploitability, compliance relevance, and resource requirements. | Risk scoring matrix, remediation roadmap, vulnerability management dashboard. | CISO / Security Engineer | 5 | 5 | 25 | Critical | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 8 | GV.RR-01 | Govern | Roles, Responsibilities, and Authorities | Administrative | Accountability | Assign cybersecurity roles, responsibilities, decision rights, and escalation paths across leadership, IT, security, HR, legal, and operations. | RACI matrix, job descriptions, incident escalation chart. | Executive Leadership / HR | 4 | 4 | 16 | High | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 9 | GV.RR-02 | Govern | Roles, Responsibilities, and Authorities | Administrative | Segregation of Duties | Define and enforce segregation of duties for administrative access, financial systems, security administration, and change approvals. | Access review records, admin role assignments, change approval workflow. | IT Manager / Compliance | 4 | 4 | 16 | High | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 10 | GV.RR-03 | Govern | Roles, Responsibilities, and Authorities | Administrative | Security Leadership | Designate a CISO, vCISO, security lead, or accountable executive for cybersecurity governance and reporting. | Security leadership charter, meeting minutes, reporting cadence. | CEO / Executive Leadership | 5 | 3 | 15 | High | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 11 | GV.PO-01 | Govern | Policy | Administrative | Security Policies | Maintain approved cybersecurity policies covering acceptable use, access control, MFA, data protection, incident response, backup, vendor risk, and change management. | Policy library, approval records, annual review evidence. | CISO / Compliance | 5 | 4 | 20 | Critical | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 12 | GV.PO-02 | Govern | Policy | Administrative | Policy Exceptions | Track security policy exceptions, compensating controls, risk acceptance, expiration dates, and approval authority. | Exception register, risk acceptance form, compensating control evidence. | CISO / IT Manager | 4 | 4 | 16 | High | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 13 | GV.OV-01 | Govern | Oversight | Administrative | Security Metrics | Report cybersecurity metrics to leadership, including risk status, vulnerabilities, incidents, training completion, audit findings, and remediation progress. | Executive dashboard, board report, KPI/KRI report. | CISO / vCISO | 4 | 4 | 16 | High | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 14 | GV.OV-02 | Govern | Oversight | Administrative | Independent Review | Perform periodic independent security audits, risk assessments, penetration testing, or compliance readiness reviews. | Audit report, assessment report, corrective action plan. | Executive Leadership / CISO | 5 | 4 | 20 | Critical | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 15 | GV.OV-03 | Govern | Oversight | Administrative | Continuous Improvement | Review cybersecurity program effectiveness and update priorities based on incidents, threat intelligence, business changes, and audit results. | Lessons learned, program review minutes, updated roadmap. | CISO / IT Manager | 4 | 4 | 16 | High | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 16 | GV.SC-01 | Govern | Cybersecurity Supply Chain Risk Management | Administrative | Vendor Risk Program | Establish a vendor and third-party cybersecurity risk management program for suppliers, SaaS, MSPs, cloud providers, and critical service partners. | Vendor risk policy, questionnaires, supplier inventory. | Procurement / CISO | 5 | 4 | 20 | Critical | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 17 | GV.SC-02 | Govern | Cybersecurity Supply Chain Risk Management | Administrative | Vendor Due Diligence | Perform cybersecurity due diligence before onboarding critical vendors and renewing contracts. | Security questionnaires, SOC reports, contract security clauses. | Procurement / Legal | 4 | 4 | 16 | High | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 18 | GV.SC-03 | Govern | Cybersecurity Supply Chain Risk Management | Administrative | Vendor Access Control | Limit, monitor, and periodically review third-party access to networks, cloud systems, data, and administrative consoles. | Vendor access list, access logs, MFA evidence, review sign-off. | IT Manager / Security Engineer | 5 | 4 | 20 | Critical | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 19 | GV.SC-04 | Govern | Cybersecurity Supply Chain Risk Management | Administrative | Contractual Security | Include cybersecurity, privacy, incident notification, data handling, audit, and termination requirements in vendor contracts. | MSA/security addendum, DPA, incident notification SLA. | Legal / Procurement | 4 | 3 | 12 | Medium | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 20 | ID.AM-01 | Identify | Asset Management | Technical | Hardware Assets | Maintain a current inventory of servers, laptops, desktops, network devices, firewalls, wireless access points, mobile devices, and IoT assets. | Asset inventory, EDR/MDM export, network scan. | IT Manager | 5 | 5 | 25 | Critical | Defined | Baseline Control | Monthly | NIST CSF 2.0 |
| 21 | ID.AM-02 | Identify | Asset Management | Technical | Software Assets | Maintain a current inventory of operating systems, applications, SaaS platforms, licenses, versions, and unsupported software. | Software inventory, license report, vulnerability scan output. | IT Manager | 4 | 5 | 20 | Critical | Defined | Baseline Control | Monthly | NIST CSF 2.0 |
| 22 | ID.AM-03 | Identify | Asset Management | Administrative | Data Assets | Identify sensitive data types, data owners, storage locations, retention needs, and data flow between systems and vendors. | Data inventory, data flow diagram, data classification register. | Data Owner / Compliance | 5 | 4 | 20 | Critical | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 23 | ID.AM-04 | Identify | Asset Management | Technical | External Systems | Identify externally facing systems, public IP addresses, domains, cloud workloads, VPN portals, remote access systems, and internet-exposed applications. | External attack surface scan, DNS inventory, firewall NAT list. | Security Engineer | 5 | 5 | 25 | Critical | Defined | Baseline Control | Monthly | NIST CSF 2.0 |
| 24 | ID.AM-05 | Identify | Asset Management | Administrative | Asset Ownership | Assign business and technical owners for critical systems, applications, data repositories, and cloud services. | Asset owner register, CMDB ownership fields. | IT Manager / Business Owners | 4 | 4 | 16 | High | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 25 | ID.AM-06 | Identify | Asset Management | Physical | Facilities & Physical Assets | Inventory facilities, secure areas, wiring closets, server rooms, backup storage locations, and physical security dependencies. | Facility asset list, physical security review, access badge logs. | Facilities / IT Manager | 4 | 3 | 12 | Medium | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 26 | ID.RA-01 | Identify | Risk Assessment | Technical | Vulnerability Identification | Perform recurring vulnerability assessments across internal networks, external systems, endpoints, servers, cloud platforms, and applications. | Vulnerability scan reports, remediation tickets, validation scans. | Security Engineer | 5 | 5 | 25 | Critical | Defined | Baseline Control | Monthly / Quarterly | NIST CSF 2.0 |
| 27 | ID.RA-02 | Identify | Risk Assessment | Technical | Threat Intelligence | Use threat intelligence, vendor advisories, CISA alerts, and security bulletins to identify relevant threats and emerging risks. | Threat bulletin review, advisory tracking, change records. | Security Engineer / CISO | 4 | 4 | 16 | High | Defined | Baseline Control | Weekly | NIST CSF 2.0 |
| 28 | ID.RA-03 | Identify | Risk Assessment | Administrative | Risk Analysis | Analyze likelihood and impact of identified risks, including financial, operational, legal, reputational, and safety effects. | Risk assessment report, scoring matrix, executive risk summary. | CISO / vCISO | 5 | 4 | 20 | Critical | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 29 | ID.RA-04 | Identify | Risk Assessment | Administrative | Risk Treatment | Assign risk treatment decisions: mitigate, transfer, avoid, or accept, with documented approval for accepted risks. | Risk treatment plan, risk acceptance forms, cyber insurance records. | Executive Leadership / CISO | 5 | 4 | 20 | Critical | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 30 | ID.RA-05 | Identify | Risk Assessment | Technical | Penetration Testing | Perform penetration testing or targeted security validation for internet-facing systems, critical applications, and high-risk network zones. | Penetration test report, retest evidence, remediation plan. | CISO / Security Engineer | 5 | 4 | 20 | Critical | Defined | Baseline Control | Annual / major change | NIST CSF 2.0 |
| 31 | ID.IM-01 | Identify | Improvement | Administrative | Improvement Roadmap | Maintain a prioritized cybersecurity improvement roadmap based on assessment findings, incident lessons, audit gaps, and business priorities. | Roadmap, project plan, risk reduction milestones. | CISO / IT Manager | 4 | 4 | 16 | High | Defined | Baseline Control | Quarterly | NIST CSF 2.0 |
| 32 | ID.IM-02 | Identify | Improvement | Administrative | Lessons Learned | Update controls, procedures, training, and tooling based on incidents, tabletop exercises, audit results, and recovery tests. | Lessons learned report, updated procedures, training updates. | CISO / Incident Manager | 4 | 4 | 16 | High | Defined | Baseline Control | After event | NIST CSF 2.0 |
| 33 | PR.AA-01 | Protect | Identity Management, Authentication, and Access Control | Technical | Identity Inventory | Maintain an inventory of user accounts, service accounts, privileged accounts, shared accounts, and external identities. | Identity export, account review report, service account register. | IT Manager / IAM Admin | 5 | 5 | 25 | Critical | Defined | Baseline Control | Monthly | NIST CSF 2.0 |
| 34 | PR.AA-02 | Protect | Identity Management, Authentication, and Access Control | Technical | MFA Enforcement | Enforce multi-factor authentication for remote access, cloud services, email, VPN, privileged accounts, and administrative consoles. | MFA policy screenshots, conditional access report, VPN settings. | IAM Admin / Security Engineer | 5 | 5 | 25 | Critical | Defined | Baseline Control | Continuous | NIST CSF 2.0 |
| 35 | PR.AA-03 | Protect | Identity Management, Authentication, and Access Control | Technical | Least Privilege | Apply least privilege access and role-based access control to systems, files, applications, databases, cloud platforms, and security tools. | Access control matrix, role assignments, permission review. | IT Manager / Data Owners | 5 | 4 | 20 | Critical | Defined | Baseline Control | Quarterly | NIST CSF 2.0 |
| 36 | PR.AA-04 | Protect | Identity Management, Authentication, and Access Control | Technical | Privileged Access Management | Protect administrator accounts using separate admin identities, just-in-time access, strong MFA, logging, and approval workflows. | Admin account list, PAM logs, privileged access review. | Security Engineer / IAM Admin | 5 | 4 | 20 | Critical | Defined | Baseline Control | Monthly | NIST CSF 2.0 |
| 37 | PR.AA-05 | Protect | Identity Management, Authentication, and Access Control | Administrative | Joiner-Mover-Leaver | Implement onboarding, transfer, and termination procedures to grant, modify, and remove access promptly. | HR ticket workflow, termination checklist, access removal evidence. | HR / IT Manager | 5 | 4 | 20 | Critical | Defined | Baseline Control | Per employee change | NIST CSF 2.0 |
| 38 | PR.AA-06 | Protect | Identity Management, Authentication, and Access Control | Technical | Remote Access Security | Secure VPN, RDP, SSH, cloud admin portals, and remote management tools with MFA, conditional access, logging, and restricted source access. | VPN config, remote access logs, firewall rules, MFA evidence. | Network Engineer | 5 | 5 | 25 | Critical | Defined | Baseline Control | Monthly | NIST CSF 2.0 |
| 39 | PR.AT-01 | Protect | Awareness & Training | Administrative | Security Awareness | Deliver cybersecurity awareness training covering phishing, passwords, data handling, reporting incidents, social engineering, and acceptable use. | Training completion report, curriculum, employee attestations. | HR / CISO | 4 | 4 | 16 | High | Defined | Baseline Control | Annual / onboarding | NIST CSF 2.0 |
| 40 | PR.AT-02 | Protect | Awareness & Training | Administrative | Role-Based Training | Provide role-based security training for administrators, developers, executives, helpdesk, finance, HR, and personnel handling sensitive data. | Role-based training records, admin training evidence. | CISO / Department Heads | 4 | 3 | 12 | Medium | Defined | Baseline Control | Annual | NIST CSF 2.0 |
| 41 | PR.AT-03 | Protect | Awareness & Training | Administrative | Phishing Simulation | Conduct phishing simulations or practical exercises and remediate repeat failure patterns with targeted training. | Phishing campaign report, coaching records, trend metrics. | CISO / Security Engineer | 4 | 4 | 16 | High | Defined | Baseline Control | Quarterly | NIST CSF 2.0 |
| 42 | PR.DS-01 | Protect | Data Security | Technical | Data Classification | Classify data by sensitivity and apply handling requirements for confidential, regulated, customer, financial, and operational data. | Data classification policy, labeled repositories, data owner signoff. | Compliance / Data Owners | 5 | 4 | 20 | Critical | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 43 | PR.DS-02 | Protect | Data Security | Technical | Encryption at Rest | Encrypt sensitive data at rest on endpoints, servers, databases, backups, removable media, and cloud storage. | Encryption reports, BitLocker/FileVault status, storage encryption settings. | IT Manager / Security Engineer | 5 | 4 | 20 | Critical | Defined | Baseline Control | Monthly | NIST CSF 2.0 |
| 44 | PR.DS-03 | Protect | Data Security | Technical | Encryption in Transit | Use secure protocols and encryption for email, VPN, web applications, file transfers, APIs, and administrative sessions. | TLS configuration, VPN settings, certificate inventory, scan report. | Network Engineer / App Owner | 5 | 4 | 20 | Critical | Defined | Baseline Control | Quarterly | NIST CSF 2.0 |
| 45 | PR.DS-04 | Protect | Data Security | Technical | Data Loss Prevention | Implement controls to detect or prevent unauthorized sharing, exfiltration, or exposure of sensitive data. | DLP policy, alerts, Microsoft Purview settings, sharing reports. | Security Engineer / Compliance | 5 | 4 | 20 | Critical | Defined | Baseline Control | Continuous | NIST CSF 2.0 |
| 46 | PR.DS-05 | Protect | Data Security | Administrative | Retention & Disposal | Define data retention, secure disposal, media sanitization, and destruction requirements for physical and digital records. | Retention schedule, disposal certificates, media sanitization logs. | Compliance / Records Manager | 4 | 3 | 12 | Medium | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 47 | PR.PS-01 | Protect | Platform Security | Technical | Secure Configuration Baselines | Establish secure configuration baselines for endpoints, servers, network devices, firewalls, cloud resources, and Microsoft 365. | CIS benchmark report, configuration baseline, GPO/Intune policies. | Security Engineer / IT Manager | 5 | 5 | 25 | Critical | Defined | Baseline Control | Quarterly | NIST CSF 2.0 |
| 48 | PR.PS-02 | Protect | Platform Security | Technical | Patch Management | Patch operating systems, applications, firmware, network devices, and cloud workloads based on severity and exposure. | Patch compliance dashboard, maintenance records, vulnerability closure evidence. | IT Operations | 5 | 5 | 25 | Critical | Defined | Baseline Control | Monthly / emergency | NIST CSF 2.0 |
| 49 | PR.PS-03 | Protect | Platform Security | Technical | Endpoint Protection | Deploy and monitor endpoint protection, EDR/XDR, host firewall, tamper protection, and malware prevention on supported endpoints and servers. | EDR console report, endpoint coverage list, alert review records. | Security Engineer | 5 | 5 | 25 | Critical | Defined | Baseline Control | Continuous | NIST CSF 2.0 |
| 50 | PR.PS-04 | Protect | Platform Security | Technical | Change Management | Control security-impacting changes through documented testing, approval, implementation, rollback, and post-change validation. | Change tickets, approvals, rollback plans, post-change review. | IT Manager / Change Advisory | 4 | 4 | 16 | High | Defined | Baseline Control | Per change | NIST CSF 2.0 |
| 51 | PR.PS-05 | Protect | Platform Security | Technical | Secure Email | Protect email with SPF, DKIM, DMARC, anti-phishing policies, attachment scanning, impersonation protection, and mailbox auditing. | DNS records, email security policy, phishing protection report. | Microsoft 365 Admin | 5 | 5 | 25 | Critical | Defined | Baseline Control | Monthly | NIST CSF 2.0 |
| 52 | PR.IR-01 | Protect | Technology Infrastructure Resilience | Technical | Backups | Maintain reliable backups for critical systems, cloud data, endpoints, databases, and configurations using protected and immutable options where feasible. | Backup job reports, retention settings, immutable backup configuration. | IT Manager / Backup Admin | 5 | 5 | 25 | Critical | Defined | Baseline Control | Daily / continuous | NIST CSF 2.0 |
| 53 | PR.IR-02 | Protect | Technology Infrastructure Resilience | Technical | Backup Testing | Test backup restoration for critical systems and verify recovery time objectives and recovery point objectives. | Restore test report, RTO/RPO results, remediation tickets. | IT Manager / Business Owners | 5 | 4 | 20 | Critical | Defined | Baseline Control | Quarterly | NIST CSF 2.0 |
| 54 | PR.IR-03 | Protect | Technology Infrastructure Resilience | Technical | Network Segmentation | Segment networks to separate servers, users, guests, IoT, payment systems, sensitive data, management interfaces, and backup infrastructure. | Network diagram, VLAN/firewall rules, segmentation test results. | Network Engineer | 5 | 4 | 20 | Critical | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 55 | PR.IR-04 | Protect | Technology Infrastructure Resilience | Physical | Physical Access Controls | Restrict physical access to server rooms, network closets, backup media, wiring areas, and critical infrastructure. | Badge logs, access list, camera coverage review, lock inspection. | Facilities / IT Manager | 4 | 3 | 12 | Medium | Defined | Baseline Control | Quarterly | NIST CSF 2.0 |
| 56 | PR.IR-05 | Protect | Technology Infrastructure Resilience | Physical | Environmental Controls | Protect critical infrastructure with UPS, surge protection, cooling, fire suppression, water detection, and environmental monitoring where appropriate. | UPS test, sensor logs, maintenance records, facilities review. | Facilities / IT Manager | 4 | 3 | 12 | Medium | Defined | Baseline Control | Quarterly | NIST CSF 2.0 |
| 57 | DE.CM-01 | Detect | Continuous Monitoring | Technical | Security Logging | Collect and retain security logs from firewalls, VPN, identity providers, endpoints, servers, cloud platforms, email, and critical applications. | SIEM/log retention settings, data source list, log ingestion dashboard. | Security Engineer | 5 | 5 | 25 | Critical | Defined | Baseline Control | Continuous | NIST CSF 2.0 |
| 58 | DE.CM-02 | Detect | Continuous Monitoring | Technical | Account Monitoring | Monitor risky sign-ins, impossible travel, failed logins, privilege escalation, disabled MFA, mailbox rules, and suspicious admin activity. | Identity protection alerts, sign-in logs, investigation tickets. | Security Engineer / IAM Admin | 5 | 5 | 25 | Critical | Defined | Baseline Control | Continuous | NIST CSF 2.0 |
| 59 | DE.CM-03 | Detect | Continuous Monitoring | Technical | Network Monitoring | Monitor network traffic, firewall events, IDS/IPS alerts, VPN usage, DNS activity, and suspicious lateral movement. | Firewall logs, IDS alerts, NDR reports, weekly review evidence. | Network Engineer / SOC | 5 | 4 | 20 | Critical | Defined | Baseline Control | Continuous | NIST CSF 2.0 |
| 60 | DE.CM-04 | Detect | Continuous Monitoring | Technical | Endpoint Monitoring | Monitor endpoint events, malware alerts, behavioral detections, isolation events, and device health. | EDR alert records, investigation notes, endpoint coverage report. | Security Engineer / SOC | 5 | 5 | 25 | Critical | Defined | Baseline Control | Continuous | NIST CSF 2.0 |
| 61 | DE.CM-05 | Detect | Continuous Monitoring | Technical | Cloud Monitoring | Monitor Microsoft 365, Entra ID, Azure, SaaS platforms, and cloud resources for risky configurations, alerts, and anomalous activity. | Cloud security dashboard, M365 alerts, Azure Defender/Security Center report. | Cloud Admin / Security Engineer | 5 | 4 | 20 | Critical | Defined | Baseline Control | Continuous | NIST CSF 2.0 |
| 62 | DE.CM-06 | Detect | Continuous Monitoring | Technical | Data Monitoring | Monitor unauthorized data access, mass downloads, abnormal sharing, sensitive data movement, and storage exposure. | DLP alerts, access logs, sharing reports, investigation tickets. | Data Owner / Security Engineer | 5 | 4 | 20 | Critical | Defined | Baseline Control | Continuous | NIST CSF 2.0 |
| 63 | DE.AE-01 | Detect | Adverse Event Analysis | Technical | Alert Triage | Define alert triage procedures with severity, ownership, escalation, false positive handling, and response timelines. | Triage procedure, queue metrics, SLA report. | SOC / Security Engineer | 4 | 4 | 16 | High | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 64 | DE.AE-02 | Detect | Adverse Event Analysis | Technical | Event Correlation | Correlate events across identity, endpoint, network, cloud, and application logs to detect multi-stage attacks. | SIEM correlation rules, detection use cases, incident evidence. | Security Engineer / SOC | 5 | 4 | 20 | Critical | Defined | Baseline Control | Continuous | NIST CSF 2.0 |
| 65 | DE.AE-03 | Detect | Adverse Event Analysis | Administrative | Detection Tuning | Review detection rules and tune alerts based on false positives, new threats, business changes, and incident lessons. | Detection tuning log, use-case review, change tickets. | SOC / CISO | 4 | 4 | 16 | High | Defined | Baseline Control | Monthly | NIST CSF 2.0 |
| 66 | RS.MA-01 | Respond | Incident Management | Administrative | Incident Response Plan | Maintain a documented incident response plan covering preparation, detection, analysis, containment, eradication, recovery, and lessons learned. | Incident response plan, approval record, annual review. | CISO / Incident Manager | 5 | 4 | 20 | Critical | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 67 | RS.MA-02 | Respond | Incident Management | Administrative | Incident Roles | Assign incident commander, technical leads, communications lead, legal/privacy contact, executive sponsor, and external support contacts. | Incident RACI, call tree, contact list, retainer records. | CISO / Executive Leadership | 5 | 4 | 20 | Critical | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 68 | RS.MA-03 | Respond | Incident Management | Administrative | Tabletop Exercises | Conduct tabletop exercises for ransomware, business email compromise, data breach, cloud compromise, and outage scenarios. | Exercise agenda, attendance, after-action report, improvement plan. | CISO / IT Manager | 5 | 4 | 20 | Critical | Defined | Baseline Control | Annual / semiannual | NIST CSF 2.0 |
| 69 | RS.AN-01 | Respond | Incident Analysis | Technical | Investigation Procedures | Define investigation procedures for preserving evidence, collecting logs, determining scope, identifying root cause, and documenting timelines. | Forensic checklist, evidence handling procedure, incident analysis template. | Security Engineer / Incident Manager | 5 | 4 | 20 | Critical | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 70 | RS.AN-02 | Respond | Incident Analysis | Technical | Forensic Readiness | Ensure key systems retain sufficient logs and time synchronization to support incident investigation and legal/regulatory needs. | NTP settings, log retention policy, SIEM retention report. | Security Engineer | 4 | 4 | 16 | High | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 71 | RS.CO-01 | Respond | Incident Reporting & Communication | Administrative | Incident Communications | Prepare internal and external communication procedures for executives, employees, customers, vendors, legal counsel, insurers, and law enforcement. | Communication plan, notification templates, escalation matrix. | Communications Lead / Legal | 5 | 4 | 20 | Critical | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 72 | RS.CO-02 | Respond | Incident Reporting & Communication | Administrative | Regulatory & Contractual Notification | Identify notification requirements for contracts, cyber insurance, privacy laws, regulators, and customer agreements. | Notification matrix, legal review, contract summary. | Legal / Compliance | 5 | 3 | 15 | High | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 73 | RS.MI-01 | Respond | Incident Mitigation | Technical | Containment | Define technical containment actions for compromised accounts, endpoints, network segments, cloud resources, malicious email, and unauthorized access. | Containment playbooks, EDR isolation evidence, account disable records. | Security Engineer / IT Manager | 5 | 5 | 25 | Critical | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 74 | RS.MI-02 | Respond | Incident Mitigation | Technical | Eradication | Remove malware, unauthorized accounts, persistence mechanisms, malicious mailbox rules, exposed credentials, and vulnerable services. | Eradication checklist, remediation tickets, validation scan. | Security Engineer | 5 | 4 | 20 | Critical | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 75 | RS.MI-03 | Respond | Incident Mitigation | Administrative | Post-Incident Improvement | Document lessons learned and update controls, training, policies, detections, and recovery procedures after incidents. | After-action report, control updates, roadmap revisions. | CISO / Incident Manager | 4 | 4 | 16 | High | Defined | Baseline Control | After event | NIST CSF 2.0 |
| 76 | RC.RP-01 | Recover | Incident Recovery Plan Execution | Administrative | Recovery Plan | Maintain recovery plans for ransomware, cloud outage, identity compromise, data loss, major system failure, and business continuity disruption. | BCDR plan, recovery runbooks, RTO/RPO mapping. | IT Manager / Business Continuity Lead | 5 | 4 | 20 | Critical | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 77 | RC.RP-02 | Recover | Incident Recovery Plan Execution | Technical | System Restoration | Restore systems from known-good backups and validate integrity, security configuration, patch levels, and monitoring before production return. | Restore records, validation checklist, post-recovery scan. | IT Operations / Security Engineer | 5 | 4 | 20 | Critical | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 78 | RC.RP-03 | Recover | Incident Recovery Plan Execution | Technical | Credential Recovery | Reset and rotate compromised credentials, API keys, certificates, service account secrets, and privileged credentials during recovery. | Password reset records, key rotation logs, certificate inventory updates. | IAM Admin / Security Engineer | 5 | 4 | 20 | Critical | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 79 | RC.CO-01 | Recover | Incident Recovery Communication | Administrative | Recovery Communications | Communicate recovery status, business impact, restoration priorities, and customer/vendor updates through approved channels. | Recovery communication logs, executive updates, customer notice templates. | Communications Lead / Executive Leadership | 4 | 4 | 16 | High | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 80 | RC.CO-02 | Recover | Incident Recovery Communication | Administrative | Recovery Validation | Obtain business owner validation that recovered systems, applications, and data are operational and secure. | Business sign-off, validation testing, user acceptance record. | Business Owners / IT Manager | 4 | 3 | 12 | Medium | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 81 | RC.CO-03 | Recover | Incident Recovery Communication | Administrative | Resilience Improvement | Update recovery strategy, architecture, vendor support, backup design, and budget priorities based on recovery lessons learned. | Improvement plan, budget request, updated architecture diagram. | Executive Leadership / CISO | 4 | 4 | 16 | High | Defined | Baseline Control | Annual / as changed | NIST CSF 2.0 |
| 82 | OCSA-NIST-01 | Govern | OC Security Audit Advisory | Administrative | Executive Readiness | Schedule an executive cybersecurity review to align NIST CSF priorities with leadership goals, compliance expectations, cyber insurance, and business risk. | Consultation notes, executive summary, prioritized roadmap. | OC Security Audit / Executive Team | 4 | 3 | 12 | Medium | Managed | Consulting Recommended | As needed | OC Security Audit |
| 83 | OCSA-NIST-02 | Identify | OC Security Audit Assessment | Technical | Network Assessment | Perform an OC Security Audit network, Microsoft 365, Azure, firewall, endpoint, and vulnerability assessment to validate current posture. | Assessment report, risk scorecard, vulnerability findings, cloud findings. | OC Security Audit / IT Manager | 5 | 4 | 20 | Critical | Managed | Consulting Recommended | Annual / quarterly | OC Security Audit |
| 84 | OCSA-NIST-03 | Protect | OC Security Audit Remediation | Technical | Security Hardening | Use OC Security Audit findings to harden identity, firewalls, endpoints, Microsoft 365, Azure, backup, segmentation, logging, and security policies. | Remediation tracker, configuration evidence, validation report. | OC Security Audit / Security Engineer | 5 | 4 | 20 | Critical | Managed | Consulting Recommended | Project-based | OC Security Audit |
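The DE.CM-02 (account monitoring) and DE.AE-02 (event correlation) rows above describe detections in words only. The following is an added example, not OC Security Audit tooling, that runs those detections over constructed sign-in and mailbox-audit records: a failed-login burst that ends in a success, impossible travel between two successful sign-ins, and a new inbox rule that forwards or deletes mail, which is escalated to Critical only when the same user already has a sign-in finding in the preceding 24 hours. The record layout is a simplified, hypothetical stand-in for Entra ID sign-in logs and Exchange Online audit events, not the real Microsoft Graph schema; users and IP addresses are made up.

```python
"""Account monitoring (DE.CM-02) and cross-source correlation (DE.AE-02) over
constructed records. Added example, not OC Security Audit tooling; the record
shape is a hypothetical stand-in for Entra ID sign-in and Exchange audit logs."""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


def _t(s):
    """Parse an ISO-8601 UTC timestamp that ends in Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def _km(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def _s(ts, user, ok, ip, lat, lon):
    return {"ts": ts, "user": user, "ok": ok, "ip": ip, "lat": lat, "lon": lon}

# Constructed sample data: hypothetical users, RFC 5737 documentation IP ranges.
SIGNINS = [_s(f"2024-03-04T08:0{i}:00Z", "j.doe", False, "203.0.113.10", 34.05, -118.24)
           for i in range(6)] + [                                                # 6 failures in 5 min
    _s("2024-03-04T08:10:00Z", "j.doe", True, "203.0.113.10", 34.05, -118.24),   # then success, Los Angeles
    _s("2024-03-04T08:40:00Z", "j.doe", True, "198.51.100.7", 50.45, 30.52),     # Kyiv, 30 minutes later
    _s("2024-03-04T09:00:00Z", "a.smith", False, "192.0.2.5", 33.68, -117.83),
    _s("2024-03-04T09:01:00Z", "a.smith", False, "192.0.2.5", 33.68, -117.83),
    _s("2024-03-04T09:02:00Z", "a.smith", True, "192.0.2.5", 33.68, -117.83),    # Irvine
    _s("2024-03-04T09:45:00Z", "a.smith", True, "192.0.2.9", 34.05, -118.24),    # Los Angeles, ~56 km
]
AUDIT = [
    {"ts": "2024-03-04T08:45:00Z", "user": "j.doe", "op": "New-InboxRule",
     "params": {"ForwardTo": "x@attacker.example", "DeleteMessage": True}},
    {"ts": "2024-03-04T10:00:00Z", "user": "a.smith", "op": "New-InboxRule",
     "params": {"MoveToFolder": "Receipts"}},
]
RISKY_RULE_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}

def _by_user(signins, only_ok=False):
    out = {}
    for e in sorted(signins, key=lambda e: e["ts"]):
        if e["ok"] or not only_ok:
            out.setdefault(e["user"], []).append(e)
    return out

def detect_failed_burst(signins, threshold=5, window=timedelta(minutes=10)):
    """Flag a success preceded by >= threshold failures inside `window` for the same
    user: the shape of a spray or brute force that eventually worked."""
    findings = []
    for user, events in _by_user(signins).items():
        fails = []
        for e in events:
            if not e["ok"]:
                fails.append(_t(e["ts"]))
                continue
            recent = [f for f in fails if _t(e["ts"]) - f <= window]
            if len(recent) >= threshold:
                findings.append({"rule": "failed_burst_then_success", "user": user, "severity": "High",
                                 "ts": e["ts"], "detail": f"{len(recent)} failures, then success from {e['ip']}"})
            fails = []  # a success ends the run; a new burst is measured afresh
    return findings

def detect_impossible_travel(signins, max_kmh=900.0):
    """Flag consecutive successful sign-ins whose implied speed exceeds max_kmh."""
    findings = []
    for user, events in _by_user(signins, only_ok=True).items():
        for prev, cur in zip(events, events[1:]):
            km = _km((prev["lat"], prev["lon"]), (cur["lat"], cur["lon"]))
            secs = max((_t(cur["ts"]) - _t(prev["ts"])).total_seconds(), 60)  # 1-minute floor: no div-by-zero
            if km / (secs / 3600) > max_kmh:
                findings.append({"rule": "impossible_travel", "user": user, "severity": "Critical",
                                 "ts": cur["ts"], "detail": f"{km:.0f} km in {secs / 60:.0f} min ({prev['ip']} -> {cur['ip']})"})
    return findings

def correlate_mailbox_rules(signin_findings, audit, lookback=timedelta(hours=24)):
    """A new inbox rule that forwards or deletes mail is Medium on its own and
    Critical when the same user has a sign-in finding within the prior `lookback`."""
    findings = []
    for a in audit:
        risky = RISKY_RULE_PARAMS & set(a["params"]) if a["op"] == "New-InboxRule" else set()
        if not risky:
            continue
        t = _t(a["ts"])
        prior = [f["rule"] for f in signin_findings
                 if f["user"] == a["user"] and timedelta(0) <= t - _t(f["ts"]) <= lookback]
        findings.append({"rule": "suspicious_inbox_rule", "user": a["user"],
                         "severity": "Critical" if prior else "Medium", "ts": a["ts"],
                         "detail": f"rule sets {sorted(risky)}; correlated sign-in findings: {prior}"})
    return findings

def run(signins=SIGNINS, audit=AUDIT):
    identity = detect_failed_burst(signins) + detect_impossible_travel(signins)
    return identity + correlate_mailbox_rules(identity, audit)

if __name__ == "__main__":
    for f in run():
        print(f"{f['severity']:8} {f['rule']:26} {f['user']:8} {f['ts']}  {f['detail']}")
```

On the constructed data only j.doe is flagged: the burst, the Los Angeles to Kyiv sign-in pair, and the forwarding rule created five minutes after that pair. a.smith's two failures and 56 km commute stay quiet. The thresholds (5 failures, 10 minutes, 900 km/h, 24 hours) are the tuning knobs DE.AE-03 expects to be reviewed against false positives; in a SIEM the same logic becomes a correlation rule keyed on the user principal across the identity and email data sources.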
Sources and framework mapping: NIST Cybersecurity Framework 2.0, the NIST CSF 2.0 Quick Start Guides, and OC Security Audit's practical cybersecurity readiness experience. The rows above use CSF 2.0 subcategory identifiers as working labels and do not reproduce the official subcategory text, so verify each identifier against the published CSF 2.0 Core before presenting this mapping to an auditor or customer. Apply organization-specific scoping, risk acceptance, and legal/compliance review before relying on any control checklist as evidence of compliance.
This example report shows how OC Security Audit could present a professional NIST Cybersecurity Framework assessment for the hypothetical IT Perfection environment, including executive reporting, technical findings, administrative controls, physical controls, risk scoring, maturity dashboards, diagrams, and remediation planning.
IT Perfection is presented here as a hypothetical manufacturing company with 800 employees, three locations, 50 Hyper-V virtual machines, Meraki firewalls, site-to-site VPN connectivity, Active Directory, Cisco and Aruba switching, and MDM-managed iPhone and Samsung mobile devices. The sample report shows how cybersecurity engineers, CISOs, CTOs, IT managers, and network engineers can review NIST-aligned governance, administrative safeguards, technical controls, physical safeguards, risk impact and likelihood, remediation priorities, and customer-facing deliverables in a professional reporting format.
A concise board-level view of IT Perfection’s NIST CSF posture, priority risks, business impact, and recommended executive decisions.
A control-by-control review of IT Perfection’s current state against NIST Cybersecurity Framework 2.0 outcomes.
A technical report focused on the infrastructure controls supporting NIST CSF implementation.
A risk register mapping each major finding to impact, likelihood, owner, target date, and recommended remediation.
A report focused on administrative safeguards required to operate a mature NIST-aligned cybersecurity program.
A report focused on technical safeguards implemented across IT Perfection’s network, systems, identities, endpoints, and cloud services.
A report focused on physical security safeguards supporting IT Perfection’s cybersecurity and operational resilience.
A phased plan for moving IT Perfection from current state to a stronger NIST-aligned target state.
A simplified report that IT Perfection can use to demonstrate security maturity to customers, partners, and vendors.
The report package separates NIST-aligned findings into practical control groups so leadership and technical teams can understand where risk exists, who owns remediation, and what evidence is needed to show improvement.
Administrative controls, for example: governance, policies, risk register, incident response plan, vendor risk, security awareness, access review process, and evidence management.
Technical controls, for example: MFA, Active Directory hardening, firewall rules, VPN security, endpoint protection, logging, patching, segmentation, and vulnerability management.
Physical controls, for example: server room access, visitor control, equipment protection, mobile device handling, environmental safeguards, and facility access review.
| Finding | NIST Function | Control Type | Risk Impact | Likelihood | Risk Score | Recommended Action | Evidence |
|---|---|---|---|---|---|---|---|
| Privileged access review is not formally documented | Protect / Govern | Administrative + Technical | High | Medium | 8.0 | Perform quarterly privileged access review and document approvals | Access review report, admin group export, approval records |
| Incident response plan requires tabletop testing | Respond | Administrative | High | Medium | 7.8 | Create playbooks and conduct annual tabletop exercise | IR plan, exercise agenda, after-action report |
| Firewall/VPN rule lifecycle evidence is incomplete | Protect / Detect | Technical | Medium-High | Medium | 7.2 | Review Meraki rules, remove unused access, document approvals | Firewall export, change tickets, review signoff |
| Backup restoration testing needs stronger documentation | Recover | Technical + Administrative | High | Low-Medium | 6.9 | Define RTO/RPO and validate restoration for critical VMs | Restore test logs, RTO/RPO matrix, backup reports |
| Vendor risk management process is incomplete | Govern / Identify | Administrative | Medium | Medium | 6.4 | Create vendor inventory and risk classification process | Vendor register, questionnaires, contract security terms |
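The backup finding above and the RC.RP-02 row in the control table both ask for restoration that is validated, not merely completed. The following is an added example, not OC Security Audit tooling, of two checks a recovery runbook can automate for a critical VM: selecting a backup that is actually known-good, meaning it finished a safety margin before the earliest known compromise indicator (dwell time before that indicator is unknown, so a backup taken the night before the alert is not automatically safe), and comparing the restored files against the SHA-256 manifest captured with that backup before the system is returned to production. The backup catalogue, file paths, contents, and manifest layout are all constructed for illustration.

```python
"""Pre-return validation for a restored system (RC.RP-02): pick a backup that
predates the compromise window, then verify restored files against its manifest.
Added example, not OC Security Audit tooling; all records here are constructed."""
import hashlib
from datetime import datetime, timedelta


def _t(s):
    """Parse an ISO-8601 UTC timestamp that ends in Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed backup catalogue for one VM, plus the earliest known indicator of
# compromise from the incident timeline (hypothetical).
BACKUPS = [
    {"id": "bk-0301", "completed": "2024-03-01T02:00:00Z", "status": "success"},
    {"id": "bk-0302", "completed": "2024-03-02T02:00:00Z", "status": "success"},
    {"id": "bk-0303", "completed": "2024-03-03T02:00:00Z", "status": "success"},
    {"id": "bk-0304", "completed": "2024-03-04T02:00:00Z", "status": "failed"},
]
FIRST_COMPROMISE_TS = "2024-03-03T20:00:00Z"

def select_known_good(backups, first_compromise_ts, margin=timedelta(hours=24)):
    """Return the newest successful backup completed at least `margin` before the
    earliest known compromise indicator, or None if no such backup exists. A backup
    taken while the attacker was already inside restores cleanly yet is not known-good."""
    cutoff = _t(first_compromise_ts) - margin
    ok = [b for b in backups if b["status"] == "success" and _t(b["completed"]) <= cutoff]
    return max(ok, key=lambda b: b["completed"], default=None)

# Constructed file contents captured with the known-good backup, and the
# path -> SHA-256 manifest a backup job would store alongside the image.
KNOWN_GOOD_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/var/www/app/config.php": b"<?php $db_host = 'db01'; $debug = false;\n",
}
MANIFEST = {path: sha256_hex(data) for path, data in KNOWN_GOOD_FILES.items()}

# A restore from the wrong image or one modified after restore: one changed file and
# one file the manifest never listed (constructed).
RESTORED_TAMPERED = {
    "/etc/ssh/sshd_config": KNOWN_GOOD_FILES["/etc/ssh/sshd_config"],
    "/var/www/app/config.php": b"<?php $db_host = 'db01'; $debug = true;\n",
    "/var/www/app/uploads/helper.php": b"<?php /* not present in the manifest */\n",
}

def verify_restore(manifest, restored):
    """Compare restored file bytes with the manifest. Returns (ok, problems); any
    hash mismatch, missing file, or unexpected file blocks the return to production."""
    problems = []
    for path, expected in manifest.items():
        if path not in restored:
            problems.append(f"missing: {path}")
        elif sha256_hex(restored[path]) != expected:
            problems.append(f"hash mismatch: {path}")
    problems += [f"unexpected file: {p}" for p in restored if p not in manifest]
    return (not problems, problems)

if __name__ == "__main__":
    chosen = select_known_good(BACKUPS, FIRST_COMPROMISE_TS)
    print("restore from:", chosen["id"] if chosen else "NO KNOWN-GOOD BACKUP")
    for label, files in (("clean", KNOWN_GOOD_FILES), ("tampered", RESTORED_TAMPERED)):
        ok, problems = verify_restore(MANIFEST, files)
        print(f"{label}: {'OK' if ok else 'BLOCKED'} {problems}")
```

With the constructed catalogue the 3 March backup is rejected even though it succeeded, because it finished inside the 24-hour margin before the first indicator, and bk-0302 is chosen; the tampered restore is blocked on two problems while the clean one passes. The output of both functions is exactly the evidence the RC.RP-02 row lists: the restore record names the backup and the reason it qualified, and the validation checklist carries the manifest comparison result.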
This example demonstrates how a NIST-aligned assessment can be organized for executives, IT teams, security engineers, auditors, customers, and business stakeholders with clear findings, visual dashboards, risk scores, control categories, remediation actions, and evidence expectations.