# NIST SP 800-53 Gap Analysis

> Conduct a gap analysis across the NIST SP 800-53 compliance program. Cross-references the tailored control catalog against policies, standards, and mappings to identify coverage gaps. Prioritizes remediation by baseline level, regulatory requirement, and family criticality. Produces a gap analysis report with a per-family breakdown and a phased remediation roadmap.



Tags: NIST, NIST 800-53, Compliance, GRC, Gap Analysis, USA


## Example Prompts

- Analyze our 800-53 compliance program for coverage gaps
- Which control families have the lowest coverage?
- Build a prioritized remediation roadmap for our compliance gaps
- Check regulatory compliance status across HIPAA and FedRAMP overlays

URL: https://rakenne.app/skills/nist-800-53-gap-analysis/index.md

Try this skill: https://rakenne.app/a/?skill=nist-800-53-gap-analysis



## Overview

Conduct a gap analysis across the NIST SP 800-53 compliance program. The agent cross-references the tailored control catalog against all produced artifacts — family policies, control standards, and policy-control mappings — to determine per-control and per-family coverage status (Full, Partial, or None). Critical families (AC, IA, SC, AU) are weighted higher in prioritization. The output is a gap analysis report with a phased remediation roadmap organized into five waves spanning 0 to 18+ months, prioritized by baseline level, regulatory requirement count, and family criticality tier.

This skill is part of the [NIST SP 800-53 Compliance Program](/learn/tutorials/nist-800-53-compliance-workspace-guide/) workspace — see the full walkthrough for how all 7 skills work together.

## Example

> **You:** We've completed policies, standards, and the policy-control mapping for MedVault Health Systems. Run a gap analysis to see where we stand. We need to know which families are weakest and build a remediation roadmap for our CISO.
>
> **Agent:** I'll scan the workspace for all upstream artifacts and cross-reference them against your tailored catalog. *(Reads tailored-control-catalog.json with 287 controls across HIPAA/FedRAMP/PCI-DSS overlays, scans output/policies/ for 19 family policies, output/standards/ for 214 control standards, and policy-control-mapping.json with 847 mappings.)* I ran `check_gap_coverage` — overall weighted coverage is 71%. Here's the breakdown: AC is at 82% (strong), IA at 76%, but PE is only 34% and PS is at 41%, both flagged as below threshold. 23 controls have zero coverage across all three artifact types. I've organized the remediation roadmap into five waves: Wave 1 (0-3 months) targets 15 critical gaps in the PE and PS families, and Wave 2 (3-6 months) addresses 31 partial-coverage controls in AU and CM. The full report is saved to `output/gap-analysis-report.md`.

## Excerpt of a generated report

Below is a condensed example from a generated gap analysis report:

---

```markdown
# NIST SP 800-53 Gap Analysis Report — MedVault Health Systems

**Date:** 2026-03-18
**Baseline:** High | **Overlays:** HIPAA, FedRAMP, PCI-DSS
**Total Controls:** 287

## Coverage Summary

| Status  | Controls | Percentage |
|---------|----------|------------|
| Full    | 148      | 51.6%      |
| Partial | 112      | 39.0%      |
| None    | 27       | 9.4%       |

**Weighted coverage: 71%**

## Coverage by Family

| Family | Coverage | Full | Partial | None | Total | Critical |
|--------|----------|------|---------|------|-------|----------|
| AC     | 82%      | 16   | 5       | 1    | 22    | Yes      |
| AU     | 68%      | 8    | 6       | 2    | 16    | Yes      |
| IA     | 76%      | 9    | 4       | 1    | 14    | Yes      |
| PE     | 34%      | 3    | 5       | 7    | 15    | No       |
| PS     | 41%      | 2    | 4       | 3    | 9     | No       |
| SC     | 74%      | 14   | 8       | 2    | 24    | Yes      |

## Remediation Roadmap

### Wave 1 — Critical Gaps (0-3 months)
- **PE-3, PE-3(1), PE-6**: Physical access controls — no policy or standard
- **PS-3, PS-6, PS-7**: Personnel screening and transfer — no standard
- **IA-5(2)**: PKI-based authentication — no mapping coverage

### Wave 2 — Urgent Gaps (3-6 months)
- **AU-6, AU-6(1), AU-6(3)**: Audit review and reporting — partial only
- **CM-3, CM-5**: Configuration change control — Low mapping quality
```

## Validation tools

The skill includes an extension tool that automates coverage analysis:

- **check_gap_coverage** — Cross-references the tailored control catalog against all workspace artifacts (policies in `output/policies/`, standards in `output/standards/`, and `policy-control-mapping.json`). For each control, determines whether it has a family policy, a dedicated standard, and a mapping entry, then classifies coverage as Full (all three present with High mapping quality), Partial (some artifacts present), or None. Reports overall weighted coverage percentage, per-family coverage with visual progress bars, and flags families below 50% as critical (with ERROR severity for critical families AC, IA, SC, AU and WARNING for others). Lists all zero-coverage controls grouped by family.
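The classification and flagging rules described above, as an added worked example (not the skill's own `check_gap_coverage` code). The Full/Partial/None rules, the 50% threshold and the ERROR/WARNING severities follow the description; the 1.0/0.5/0 weighting and the small sample catalog, policy set, standard set and mapping qualities are assumptions constructed for the example.

```python
# Added example modelled on the check_gap_coverage description; not the skill's code.
# Assumed weighting for "weighted coverage": Full = 1.0, Partial = 0.5, None = 0.0.
from collections import defaultdict

CRITICAL_FAMILIES = {"AC", "IA", "SC", "AU"}
WEIGHTS = {"Full": 1.0, "Partial": 0.5, "None": 0.0}

# Constructed sample inputs: tailored catalog, families that have a policy file,
# controls that have a dedicated standard, and mapping quality per control.
CATALOG = ["AC-2", "AC-3", "AU-6", "AU-6(1)", "IA-5(2)", "PE-3", "PE-6", "SC-7"]
POLICIES = {"AC", "AU", "SC"}                  # e.g. output/policies/<family>.md exists
STANDARDS = {"AC-2", "AC-3", "AU-6", "SC-7"}   # e.g. output/standards/<control>.md exists
MAPPING = {"AC-2": "High", "AC-3": "High", "AU-6": "Low", "SC-7": "High", "PE-6": "High"}


def family_of(control_id):
    """'AU-6(1)' -> 'AU': the family prefix before the first dash."""
    return control_id.split("-")[0]


def classify(control_id, policies=POLICIES, standards=STANDARDS, mapping=MAPPING):
    """Full = family policy + dedicated standard + High-quality mapping;
    Partial = at least one artifact present; None = no artifact at all."""
    has_policy = family_of(control_id) in policies
    has_standard = control_id in standards
    quality = mapping.get(control_id)
    if has_policy and has_standard and quality == "High":
        return "Full"
    if has_policy or has_standard or quality is not None:
        return "Partial"
    return "None"


def analyze(catalog=CATALOG, **artifacts):
    """Return (overall weighted coverage, per-family coverage, below-threshold
    findings with severity, zero-coverage controls grouped by family)."""
    status = {cid: classify(cid, **artifacts) for cid in catalog}
    per_family = defaultdict(list)
    for cid, st in status.items():
        per_family[family_of(cid)].append(st)
    family_cov = {fam: sum(WEIGHTS[s] for s in sts) / len(sts)
                  for fam, sts in per_family.items()}
    overall = sum(WEIGHTS[s] for s in status.values()) / len(status)
    # Families below 50%: ERROR for critical families, WARNING for the rest.
    findings = [(fam, "ERROR" if fam in CRITICAL_FAMILIES else "WARNING")
                for fam, cov in family_cov.items() if cov < 0.5]
    zero = defaultdict(list)
    for cid, st in status.items():
        if st == "None":
            zero[family_of(cid)].append(cid)
    return overall, family_cov, findings, dict(zero)
```

With the sample data, IA (no policy, no standard, no mapping for IA-5(2)) is flagged ERROR and PE is flagged WARNING, which mirrors the severity split the tool description gives for critical versus non-critical families.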

## Getting Started

Complete the upstream skills first for a meaningful gap analysis: build your Organization Profile, select your baseline, author family policies and control standards, and run the Policy-Control Mapper. Then activate the Gap Analysis skill and ask the agent to assess your compliance program — it will scan the workspace, run the coverage check tool, and produce a prioritized remediation roadmap tied to your organization's regulatory obligations and capacity.

