NIST CSF Framework Profiles
What is a NIST CSF framework profile?
A framework profile is a customized alignment of the NIST Cybersecurity Framework's functions, categories, and subcategories with your organization's specific business requirements, risk tolerance, and available resources. Profiles provide a mechanism for organizations to tailor the NIST CSF to their unique circumstances rather than treating the framework as a one-size-fits-all checklist.
The NIST CSF defines two types of profiles:
- Current profile - Describes the cybersecurity outcomes your organization is currently achieving
- Target profile - Describes the cybersecurity outcomes your organization wants to achieve
The gap between these two profiles drives your prioritization, investment, and improvement roadmap. This makes profiles one of the most practical and actionable components of the NIST CSF.
Building a current profile
A current profile captures an honest assessment of where your cybersecurity program stands today. It requires input from across the organization, not just the security team.
Step 1 - Select relevant subcategories
The NIST CSF contains 108 subcategories across the five core functions (Identify, Protect, Detect, Respond, Recover). Not all subcategories are equally relevant to every organization. Start by reviewing each subcategory and determining whether it applies to your business context.
Consider:
- Your industry and regulatory requirements (healthcare organizations will prioritize different subcategories than financial services firms)
- Your technology environment (cloud-native organizations face different risks than those with primarily on-premises infrastructure)
- Your threat landscape (organizations handling sensitive data face different threats than those primarily concerned with availability)
- Your supply chain complexity
Step 2 - Assess current state for each subcategory
For each relevant subcategory, assess your current implementation level. Many organizations use a simple rating scale:
- Not implemented - No activity or controls are in place for this subcategory
- Partially implemented - Some controls exist but are inconsistent, undocumented, or incomplete
- Largely implemented - Controls are in place and documented but may have gaps or are not regularly reviewed
- Fully implemented - Controls are documented, consistently applied, regularly tested, and subject to continuous improvement
Document the evidence supporting each assessment. This evidence will be valuable for gap analysis and for demonstrating progress over time.
Step 3 - Document findings
Compile the assessment into a structured document or tool that maps each subcategory to its current state, supporting evidence, and any known gaps. The current profile should be reviewed and endorsed by senior leadership to ensure organizational alignment.
Example assessment
For the Identify function, Asset Management category:
| Subcategory | Description | Current state |
|---|---|---|
| ID.AM-1 | Physical devices and systems are inventoried | Largely implemented |
| ID.AM-2 | Software platforms and applications are inventoried | Partially implemented |
| ID.AM-3 | Organizational communication and data flows are mapped | Not implemented |
| ID.AM-4 | External information systems are catalogued | Partially implemented |
| ID.AM-5 | Resources are prioritized based on classification and business value | Partially implemented |
This granular view reveals specific areas needing attention rather than painting the entire function with a single broad assessment.
Building a target profile
The target profile defines where your organization needs to be. It should be driven by business objectives, regulatory requirements, and risk tolerance rather than by the aspiration to achieve the highest possible maturity in every subcategory.
Inputs for target profile development
Business objectives - What are the organization's strategic priorities? A company planning rapid growth in e-commerce will have different cybersecurity priorities than one focused on operational efficiency in manufacturing.
Regulatory requirements - What compliance frameworks must you meet? If you need PCI DSS compliance, your target profile should ensure that subcategories relevant to PCI DSS requirements are rated at full implementation. If you operate in healthcare, HIPAA requirements will shape your targets.
Risk tolerance - How much cybersecurity risk is the organization willing to accept? This is a business decision, not a technical one. Risk-averse organizations (financial institutions, defense contractors) will set higher targets than organizations with lower risk profiles.
Resource constraints - What budget, personnel, and technology resources are available? Target profiles must be realistic. Setting targets that far exceed available resources creates an unachievable plan that will be ignored.
Threat intelligence - What threats are most relevant to your industry and organization? Prioritize subcategories that address the threats most likely to materialize and cause the greatest impact.
Setting target levels
For each relevant subcategory, define the desired implementation level. Not every subcategory needs to reach "fully implemented." Some subcategories may appropriately remain at "partially implemented" if the risk is low and the cost of full implementation is high.
Target profiles should include timelines. A three-year target profile might set interim milestones at six months, one year, and two years, allowing the organization to track progress and adjust priorities as conditions change.
Conducting gap analysis
The gap between your current profile and target profile is your cybersecurity improvement roadmap. Effective gap analysis translates abstract assessments into actionable work.
Prioritizing gaps
Not all gaps are equal. Prioritize based on:
- Risk impact - Gaps in subcategories that address your most significant risks should receive the highest priority. A gap in incident response planning for an organization that has already experienced a breach is more urgent than a gap in physical security awareness training.
- Regulatory urgency - Gaps that create compliance violations carry immediate consequences. If you are pursuing SOC 2 and your current profile shows gaps in monitoring and logging subcategories, those gaps need prompt attention.
- Implementation effort - Some gaps can be closed quickly with modest investment (enabling MFA, updating policies), while others require significant time and resources (deploying a SIEM, building a security operations center). Quick wins build momentum and demonstrate progress.
- Dependency chains - Some improvements depend on others. You cannot implement effective monitoring (Detect function) without first having an accurate asset inventory (Identify function). Map dependencies and sequence your improvements accordingly.
Creating an action plan
For each prioritized gap, document:
- The specific subcategory and the gap between current and target states
- The actions required to close the gap (technical implementations, process changes, training programs)
- The resources required (budget, personnel, tools)
- The responsible owner
- The target completion date
- How success will be measured
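The rating scale, the sample ID.AM assessment, and the prioritization rules above can be carried through in code so that the gap analysis is repeatable rather than a one-off spreadsheet exercise. The following Python script is an added example and not part of the original page or any NIST tool. It uses the page's four-level scale and its ID.AM-1 to ID.AM-5 current-state ratings; the target levels, the DE.CM-1 entry (the CSF 1.1 network-monitoring subcategory, included to show a cross-function dependency), and the risk, regulatory, effort and dependency metadata are constructed for illustration. Scoring weights are an assumption a real program would tune.

```python
"""Gap analysis between a NIST CSF current profile and a target profile.

Added example: computes per-subcategory gaps, scores them using the
risk impact / regulatory urgency / implementation effort rules, and
sequences them so no gap is scheduled before the gaps it depends on.
"""
from dataclasses import dataclass

# The page's four-level implementation scale, mapped to integers so a gap has a size.
LEVELS = {
    "Not implemented": 0,
    "Partially implemented": 1,
    "Largely implemented": 2,
    "Fully implemented": 3,
}

# Current profile: ID.AM-1..5 as rated on the page; DE.CM-1 rating is constructed.
CURRENT_PROFILE = {
    "ID.AM-1": "Largely implemented",
    "ID.AM-2": "Partially implemented",
    "ID.AM-3": "Not implemented",
    "ID.AM-4": "Partially implemented",
    "ID.AM-5": "Partially implemented",
    "DE.CM-1": "Partially implemented",
}

# Target profile: constructed levels, deliberately not "Fully implemented" everywhere.
TARGET_PROFILE = {
    "ID.AM-1": "Fully implemented",
    "ID.AM-2": "Fully implemented",
    "ID.AM-3": "Largely implemented",
    "ID.AM-4": "Largely implemented",
    "ID.AM-5": "Largely implemented",
    "DE.CM-1": "Fully implemented",
}

# Constructed metadata a risk owner would supply per subcategory:
#   risk_impact 1..5, regulatory (compliance-driven), effort 1 (quick win)..5 (programme),
#   depends_on: subcategories that must be closed first (Detect relies on Identify).
GAP_METADATA = {
    "ID.AM-1": {"risk_impact": 3, "regulatory": True,  "effort": 2},
    "ID.AM-2": {"risk_impact": 4, "regulatory": True,  "effort": 3},
    "ID.AM-3": {"risk_impact": 3, "regulatory": False, "effort": 4, "depends_on": ["ID.AM-1", "ID.AM-2"]},
    "ID.AM-4": {"risk_impact": 2, "regulatory": False, "effort": 2},
    "ID.AM-5": {"risk_impact": 3, "regulatory": False, "effort": 2, "depends_on": ["ID.AM-3"]},
    "DE.CM-1": {"risk_impact": 5, "regulatory": True,  "effort": 5, "depends_on": ["ID.AM-1", "ID.AM-2"]},
}


@dataclass
class Gap:
    subcategory: str
    current: str
    target: str
    size: int          # target level minus current level, in scale steps
    risk_impact: int
    regulatory: bool
    effort: int
    depends_on: tuple


def compute_gaps(current, target, metadata):
    """Return one Gap per subcategory whose target level exceeds its current level."""
    gaps = []
    for sub, target_level in target.items():
        current_level = current.get(sub, "Not implemented")  # unassessed counts as absent
        size = LEVELS[target_level] - LEVELS[current_level]
        if size <= 0:
            continue  # already at or above target: no gap
        meta = metadata.get(sub, {})
        gaps.append(Gap(sub, current_level, target_level, size,
                        meta.get("risk_impact", 1), meta.get("regulatory", False),
                        meta.get("effort", 3), tuple(meta.get("depends_on", ()))))
    return gaps


def priority_score(gap):
    """Higher score closes sooner: risk dominates, regulatory adds, effort discounts (assumed weights)."""
    score = gap.risk_impact * gap.size * 10
    if gap.regulatory:
        score += 25
    return score - gap.effort * 2


def sequence_gaps(gaps):
    """Order by priority without scheduling a gap before its dependencies (a topological sort).

    A dependency on a subcategory that has no open gap is treated as already satisfied.
    """
    open_subs = {g.subcategory for g in gaps}
    remaining = sorted(gaps, key=priority_score, reverse=True)
    ordered, done = [], set()
    while remaining:
        for i, g in enumerate(remaining):
            if all(dep in done or dep not in open_subs for dep in g.depends_on):
                ordered.append(remaining.pop(i))
                done.add(g.subcategory)
                break
        else:  # nothing schedulable: the remaining gaps depend on each other
            raise ValueError("circular dependency among: " + ", ".join(g.subcategory for g in remaining))
    return ordered


def build_roadmap():
    """Full pipeline on the embedded sample profiles."""
    return sequence_gaps(compute_gaps(CURRENT_PROFILE, TARGET_PROFILE, GAP_METADATA))


if __name__ == "__main__":
    for n, g in enumerate(build_roadmap(), 1):
        print(f"{n}. {g.subcategory}: {g.current} -> {g.target} (score {priority_score(g)})")
```

Note that DE.CM-1 has the highest score but is scheduled third: the inventory gaps it depends on are closed first, which is the dependency-chain rule from the list above in executable form. The action-plan fields (owner, completion date, success measure) would hang off each `Gap` as further attributes in a real tracker.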
Tracking progress
Gap analysis is not a one-time activity. Reassess your current profile at regular intervals (quarterly or semi-annually) to track progress, identify new gaps introduced by changes in your environment, and adjust priorities based on evolving threats and business needs.
Customizing profiles for your organization
The NIST CSF is deliberately flexible, and profiles are the primary mechanism for customization. Several strategies can help you build profiles that are practical and valuable.
Industry-specific profiles
The NIST CSF encourages the creation of sector-specific profiles that reflect the unique risks and requirements of particular industries. Several sector-specific profiles already exist, including profiles for manufacturing, maritime, and energy sectors. These can serve as starting points for your organization's profile development.
Regulatory mapping
Map your profile subcategories to your specific regulatory requirements. If you must comply with multiple frameworks, your target profile should incorporate the most stringent requirement for each subcategory. The mapping to other frameworks topic covers how NIST CSF aligns with SOC 2, ISO 27001, HIPAA, and PCI DSS.
Organizational context
Customize profiles based on your organizational structure. Large enterprises may create multiple profiles for different business units, each reflecting the unit's specific risk environment and regulatory requirements. A retail division handling payment data will have a different profile than a corporate shared services division.
Stakeholder communication
Profiles are powerful communication tools. Executive-level summaries should highlight the overall gap position and the business risk associated with the most critical gaps. Technical teams need detailed subcategory-level assessments and action plans. Board reporting should focus on trends over time and the alignment between cybersecurity investments and risk reduction.
Profiles and implementation tiers
Framework profiles and implementation tiers work together but serve different purposes. Tiers describe how your organization approaches cybersecurity risk management (from ad hoc to adaptive), while profiles describe what cybersecurity outcomes you achieve.
An organization at Tier 2 (Risk Informed) might have a current profile that shows strong implementation in some subcategories and weak implementation in others. The tier reflects the overall maturity of the risk management process, while the profile provides the granular detail about specific capabilities.
Your target tier and target profile should be aligned. If you are progressing from Tier 2 to Tier 3, your target profile should reflect the systematic, policy-driven approach to cybersecurity that characterizes Tier 3 organizations. Conversely, if your target profile calls for advanced capabilities in detection and response, you likely need to be operating at Tier 3 or higher to sustain those capabilities.
Maintaining profiles over time
Profiles are living documents that should evolve with your organization. Review and update profiles when:
- Significant business changes occur - mergers, acquisitions, new product lines, or market entry
- The threat landscape shifts - new attack techniques, emerging vulnerabilities, or intelligence indicating heightened risk
- Regulatory requirements change - new laws, updated standards, or audit findings
- Technology changes - cloud migration, new platforms, or decommissioning of legacy systems
- Security incidents occur - lessons learned should feed directly into updated current and target profiles
By treating profiles as dynamic tools rather than static documents, organizations can maintain an accurate view of their cybersecurity posture and ensure that improvement efforts remain aligned with current business needs and risks.