NIST CSF 2.0 Alignment
Gap assessment, strategy and roadmap, and ongoing vCISO support to build and maintain a security program structured around the NIST Cybersecurity Framework.
Overview
The NIST Cybersecurity Framework 2.0 is the most widely adopted structure for organizing and communicating about cybersecurity programs. Version 2.0, released in February 2024, added a sixth function (Govern) that places risk management strategy, accountability, and organizational context at the center of the framework rather than treating it as peripheral. The result is a framework that works equally well for a 30-person company trying to answer a customer security questionnaire and a 5,000-person organization preparing a board-level cybersecurity report.
We assess your current security posture across all six CSF 2.0 functions, identify gaps against your target profile, and deliver findings in a format that is useful to your organization: a focused gap report for smaller businesses, or a full multi-year strategy and roadmap for organizations that need to drive investment decisions and track program maturity. Ongoing vCISO support keeps the program maintained and evolving without the cost of a full-time security executive.
A 200-person financial services firm came to us after their cyber liability carrier required evidence of a formal security program at renewal. They had strong technical controls but no documented program structure, no policy library, and nothing they could show an underwriter. A CSF alignment engagement produced the documentation, identified three meaningful control gaps, and gave the CISO a framework to report against going forward. The renewal went through without a coverage reduction.
CSF 2.0 Gap Assessment
We assess your current security posture across all six functions: Govern, Identify, Protect, Detect, Respond, and Recover. Each category is evaluated against your organization's target profile, with findings documented by function, category, and subcategory. The assessment uses interviews, documentation review, and configuration examination (not a self-reported questionnaire).
Gap Report
For smaller organizations, the gap report is the primary deliverable. It documents your current profile across the six functions, identifies gaps against your target profile, and prioritizes findings by risk and business impact. It is written to be understood by both technical and non-technical readers, and is suitable for sharing with cyber liability underwriters, board members, and enterprise customers conducting vendor risk reviews.
Full Strategy & Roadmap
For mid-market and enterprise organizations, the gap report is the starting point. The full strategy and roadmap translates findings into a sequenced, multi-year program plan with initiatives, resource estimates, ownership assignments, and measurable outcomes. It gives security leadership a defensible plan to take to the CFO, the board, or a regulator.
vCISO Maintenance
Security programs decay without ongoing attention. Policies go stale, new risks emerge, and controls drift. The monthly vCISO engagement provides fractional CISO support to keep your program current: policy maintenance, vendor risk reviews, incident response plan updates, tabletop exercise facilitation, and executive and board reporting. The engagement is scaled to your organization's size and program maturity.
NIST CSF 2.0 added the Govern function specifically to address the gap between security teams doing technical work and executives being accountable for security outcomes. If your board cannot answer basic questions about your security program, a CSF alignment is the most direct path to fixing that.
What You Can Expect
- Current profile assessment across all six CSF 2.0 functions (Govern, Identify, Protect, Detect, Respond, Recover)
- Gap analysis against your target profile with findings prioritized by risk and business impact
- Gap report with executive summary suitable for board, insurer, and customer reporting
- Full strategy and roadmap with sequenced initiatives, resource estimates, and ownership (mid-market and enterprise)
- GRC platform integration and board deck preparation (enterprise)
- Ongoing vCISO support including policy maintenance, vendor risk, tabletop facilitation, and executive reporting
CSF alignment is often the fastest path to compliance readiness. Organizations with a documented CSF program typically complete follow-on HIPAA, SOC 2, PCI DSS, or CMMC engagements faster because the governance and policy infrastructure already exists. See our Compliance Services for framework-specific engagements.
Engagement Fees
Fees are based on organization size, environment complexity, and current state of documentation. The alignment engagement is a one-time fee. vCISO maintenance is a monthly retainer following the initial engagement.
| | Small Business (<100 employees) | Mid-Market (100–1,000 employees) | Enterprise (1,000+ employees) |
|---|---|---|---|
| Full CSF 2.0 Alignment (one-time engagement) | $15,999* Gap Report | $39,999* Full Strategy & Roadmap | $79,999* GRC Integration & Board Deck |
| vCISO Maintenance (monthly retainer) | $2,999*/mo | $5,999*/mo | $12,999*/mo |
* Alignment engagement fees are flat fees, payable upon agreement and deposit. vCISO maintenance is month-to-month following initial engagement completion.
Who This Is For
- Organizations that need to demonstrate a formal cybersecurity program to cyber liability insurers, enterprise customers, or regulators and currently have no documented framework alignment
- Small businesses that have invested in technical security tools but have never organized them into a coherent, documented program
- Mid-market organizations with a security team but no multi-year roadmap, no consistent executive reporting, and no way to prioritize security investment decisions
- Enterprise organizations that need GRC platform integration, board-level cybersecurity reporting, and a program structure that can withstand regulator or auditor scrutiny
- Organizations that have completed a CSF 1.1 alignment and need to update their program and documentation for CSF 2.0, including the new Govern function
Common Questions
What is the NIST Cybersecurity Framework 2.0?
The NIST CSF 2.0, released in February 2024, is a voluntary framework for managing cybersecurity risk. Version 2.0 added a sixth function (Govern) that places risk management strategy, accountability, and organizational context at the center of the framework. The six functions are Govern, Identify, Protect, Detect, Respond, and Recover. The CSF does not prescribe specific controls. It provides outcomes that organizations use to assess their posture, identify gaps, and prioritize investments. It is widely used for board-level reporting, vendor risk programs, and insurance documentation.
What is the difference between a gap report and a full strategy and roadmap?
A gap report documents your current posture across the six CSF 2.0 functions, identifies gaps against your target profile, and prioritizes findings by risk and business impact. It answers: where are we now and what is missing? A full strategy and roadmap translates those findings into a multi-year program plan with sequenced initiatives, resource estimates, ownership assignments, and success metrics. It answers: what do we do about it, in what order, and how do we measure progress? Small businesses typically need the gap report. Mid-market and enterprise organizations need the full strategy and roadmap to drive investment decisions and board communication.
What does the vCISO maintenance engagement include?
The monthly vCISO engagement provides ongoing fractional CISO support: policy and procedure maintenance, vendor and third-party risk review, incident response plan updates, tabletop exercise facilitation, board and executive reporting support, and alignment monitoring as your environment evolves. For small businesses it focuses on baseline control maintenance and executive guidance. For mid-market organizations it includes structured program management and metrics tracking. For enterprise organizations it includes GRC platform integration, board deck preparation, and coordination with internal security teams.
Does CSF alignment satisfy regulatory compliance requirements?
CSF alignment is not a regulatory requirement in most industries, but it is recognized by regulators, auditors, and insurers as evidence of a mature security program. It does not automatically satisfy HIPAA, PCI DSS, SOC 2, or CMMC, but it creates a foundation that significantly accelerates follow-on compliance work. Organizations that have completed a CSF alignment typically find that subsequent compliance engagements are faster and less expensive because the governance, policy, and program infrastructure already exists.