Overview
Conduct a gap analysis across the NIST SP 800-53 compliance program. The agent cross-references the tailored control catalog against all produced artifacts — family policies, control standards, and policy-control mappings — to determine per-control and per-family coverage status (Full, Partial, or None). Critical families (AC, IA, SC, AU) are weighted higher in prioritization. The output is a gap analysis report with a phased remediation roadmap organized into five waves spanning 0 to 18+ months, prioritized by baseline level, regulatory requirement count, and family criticality tier.
This skill is part of the NIST SP 800-53 Compliance Program workspace — see the full walkthrough for how all 7 skills work together.
Example
You: We’ve completed policies, standards, and the policy-control mapping for MedVault Health Systems. Run a gap analysis to see where we stand. We need to know which families are weakest and build a remediation roadmap for our CISO.
Agent: I’ll scan the workspace for all upstream artifacts and cross-reference them against your tailored catalog. (Reads tailored-control-catalog.json with 287 controls across HIPAA/FedRAMP/PCI-DSS overlays, scans output/policies/ for 19 family policies, output/standards/ for 214 control standards, and policy-control-mapping.json with 847 mappings.) I ran check_gap_coverage — overall weighted coverage is 71%. Here’s the breakdown: AC is at 82% (strong), IA at 76%, but PE is only 34% and PS is at 41%, both flagged as below threshold. 23 controls have zero coverage across all three artifact types. I’ve organized the remediation roadmap into five waves: Wave 1 (0-3 months) targets 15 critical gaps in PE and PS families, Wave 2 (3-6 months) addresses 31 partial-coverage controls in AU and CM. The full report is saved to output/gap-analysis-report.md.
Excerpt of a generated report
Below is a condensed example from a generated gap analysis report:
# NIST SP 800-53 Gap Analysis Report — MedVault Health Systems
**Date:** 2026-03-18
**Baseline:** High | **Overlays:** HIPAA, FedRAMP, PCI-DSS
**Total Controls:** 287
## Coverage Summary
| Status | Controls | Percentage |
|---------|----------|------------|
| Full | 148 | 51.6% |
| Partial | 112 | 39.0% |
| None | 27 | 9.4% |
**Weighted coverage: 71%**
## Coverage by Family
| Family | Coverage | Full | Partial | None | Total | Critical |
|--------|----------|------|---------|------|-------|----------|
| AC | 82% | 16 | 5 | 1 | 22 | Yes |
| AU | 68% | 8 | 6 | 2 | 16 | Yes |
| IA | 76% | 9 | 4 | 1 | 14 | Yes |
| PE | 34% | 3 | 5 | 7 | 15 | No |
| PS | 41% | 2 | 4 | 3 | 9 | No |
| SC | 74% | 14 | 8 | 2 | 24 | Yes |
## Remediation Roadmap
### Wave 1 — Critical Gaps (0-3 months)
- **PE-3, PE-3(1), PE-6**: Physical access controls — no policy or standard
- **PS-3, PS-6, PS-7**: Personnel screening and transfer — no standard
- **IA-5(2)**: PKI-based authentication — no mapping coverage
### Wave 2 — Urgent Gaps (3-6 months)
- **AU-6, AU-6(1), AU-6(3)**: Audit review and reporting — partial only
- **CM-3, CM-5**: Configuration change control — Low mapping quality
Validation tools
The skill includes an extension tool that automates coverage analysis:
- check_gap_coverage — Cross-references the tailored control catalog against all workspace artifacts (policies in output/policies/, standards in output/standards/, and policy-control-mapping.json). For each control it determines whether the control has a family policy, a dedicated standard, and a mapping entry, then classifies coverage as Full (all three present with High mapping quality), Partial (some artifacts present), or None (no artifacts). It reports the overall weighted coverage percentage and per-family coverage with visual progress bars, flags families below 50% coverage (ERROR severity for the critical families AC, IA, SC, and AU; WARNING for others), and lists all zero-coverage controls grouped by family.
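The classification and weighting logic described above, as an added illustrative re-implementation that is not the skill's own check_gap_coverage code. The Full/Partial/None scoring values, the extra weight given to critical families, and the sample workspace data are assumptions constructed for this example; the 50% threshold and the ERROR/WARNING split follow the description.

```python
# Illustrative re-implementation of the coverage check (added example, not the skill's code).
from collections import defaultdict

CRITICAL_FAMILIES = {"AC", "IA", "SC", "AU"}        # critical families named on the page
SCORE = {"Full": 1.0, "Partial": 0.5, "None": 0.0}  # assumed per-control scoring
CRITICAL_WEIGHT = 2.0                               # assumed weight for critical families

def family_of(control_id):
    """'PE-3(1)' -> 'PE'."""
    return control_id.split("-")[0]

def classify(control_id, policy_families, standard_ids, mapping):
    """Full = policy + standard + High-quality mapping; Partial = any artifact; else None."""
    has_policy = family_of(control_id) in policy_families
    has_standard = control_id in standard_ids
    quality = mapping.get(control_id)  # None when the control has no mapping entry
    if has_policy and has_standard and quality == "High":
        return "Full"
    if has_policy or has_standard or quality is not None:
        return "Partial"
    return "None"

def gap_coverage(catalog, policy_families, standard_ids, mapping, threshold=50.0):
    """Per-control status, per-family coverage with severity flags, and weighted total."""
    per_control = {c: classify(c, policy_families, standard_ids, mapping) for c in catalog}
    grouped = defaultdict(list)
    for cid, status in per_control.items():
        grouped[family_of(cid)].append((cid, status))
    families, zero, wsum, wtotal = {}, {}, 0.0, 0.0
    for fam, items in sorted(grouped.items()):
        score = sum(SCORE[s] for _, s in items)
        pct = 100.0 * score / len(items)
        weight = CRITICAL_WEIGHT if fam in CRITICAL_FAMILIES else 1.0
        wsum, wtotal = wsum + weight * score, wtotal + weight * len(items)
        severity = None
        if pct < threshold:  # below-threshold family: ERROR if critical, WARNING otherwise
            severity = "ERROR" if fam in CRITICAL_FAMILIES else "WARNING"
        families[fam] = {"coverage": pct, "severity": severity}
        missing = [cid for cid, s in items if s == "None"]
        if missing:
            zero[fam] = missing  # zero-coverage controls grouped by family
    return {"overall": 100.0 * wsum / wtotal, "families": families,
            "per_control": per_control, "zero_coverage": zero}

# Constructed sample workspace: a tiny tailored catalog and the artifacts found for it.
SAMPLE_CATALOG = ["AC-2", "AC-3", "AU-6", "AU-6(1)", "AU-12", "PE-3", "PE-3(1)", "PE-6", "IA-5(2)"]
SAMPLE_POLICY_FAMILIES = {"AC", "IA"}            # families with a policy in output/policies/
SAMPLE_STANDARD_IDS = {"AC-2", "AC-3", "AU-6"}   # controls with a standard in output/standards/
SAMPLE_MAPPING = {"AC-2": "High", "AC-3": "High", "AU-6": "Low", "AU-6(1)": "High"}
```

Calling gap_coverage(SAMPLE_CATALOG, SAMPLE_POLICY_FAMILIES, SAMPLE_STANDARD_IDS, SAMPLE_MAPPING) returns the report dict; with this sample, AU lands at 33% (ERROR, critical family without a policy) and PE at 0% (WARNING).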
Getting Started
Complete the upstream skills first for a meaningful gap analysis: build your Organization Profile, select your baseline, author family policies and control standards, and run the Policy-Control Mapper. Then activate the Gap Analysis skill and ask the agent to assess your compliance program — it will scan the workspace, run the coverage check tool, and produce a prioritized remediation roadmap tied to your organization’s regulatory obligations and capacity.