# NIST CSF Profile Author

> Guided authoring of a NIST Cybersecurity Framework (CSF) assessment: current profile (Identify, Protect, Detect, Respond, Recover, Govern), target profile, gap analysis, and a prioritized implementation plan with outcomes and metrics.



Tags: NIST CSF, Cybersecurity, Risk Management, Compliance, USA


## Example Prompts

- Create a current and target CSF profile for our organization
- Document gaps for each CSF subcategory we selected
- Build an implementation roadmap for high-priority gaps
- Check that every subcategory has current, target, and gap

URL: https://rakenne.app/skills/nist-csf-profile-author/index.md





## Getting Started

Add your source materials to the project workspace, then activate the *NIST CSF Profile Author* skill. The agent will guide you through the process step by step.

## Example Conversation

Below is an example of how a typical NIST CSF profile session unfolds. The agent builds current/target profiles, gap analysis, and an implementation roadmap.

> **You:** We need a NIST CSF 2.0 current and target profile for our IT and OT environments. Focus on Identify, Protect, and Detect. Then a roadmap for the top gaps.
>
> **Agent:** I'll create a profile document with selected subcategories from ID, PR, and DE. For each I'll document current state, target state, and gap. Which subcategories do you want in scope, or shall I propose a core set (e.g. ID.AM-1, ID.RA-1, PR.AC-1, PR.DS-1, DE.CM-1)?
>
> **You:** Propose a core set and we'll add more later.
>
> **Agent:** I've created `nist-csf-profile.md` with current/target/gap for ID.AM-1, ID.RA-1, PR.AC-1, PR.DS-1, DE.CM-1. High-priority gaps: PR.AC-1 (no MFA on admin access) and DE.CM-1 (no centralized log monitoring). I've added an implementation roadmap with actions, owners, and 90-day targets. Run the validation tool?
>
> **You:** Yes.
>
> **Agent:** I ran `check_csf_subcategory_coverage`. All five subcategories have current, target, and gap. Implementation actions are present for high-priority gaps. No warnings.

## Sample Output Excerpt

Below is a representative excerpt from a CSF profile document showing one subcategory with current, target, and gap.

---

### PR.AC-1 — Identity management, authentication and access control

| Element | Content |
|---------|---------|
| **Current** | Local AD; SSO for SaaS; MFA for cloud apps only. No MFA for VPN or admin access. |
| **Target** | MFA for all remote and privileged access; SSO + conditional access; identity lifecycle automated. |
| **Gap** | VPN and admin accounts lack MFA; no conditional access; manual deprovisioning. **High priority.** |
| **Implementation action** | Deploy MFA for VPN (Q2); enforce MFA for all privileged accounts (Q2); implement conditional access policy (Q3). Owner: Infrastructure. Metric: % of privileged sessions with MFA. |

---

## Built-in Validation Tools

The skill includes an extension tool that checks CSF profile and roadmap documents for subcategory coverage and implementation actions.

### What the tool checks

| Check | Description |
|-------|-------------|
| **Subcategory references** | Detects CSF subcategory codes (e.g. ID.AM-1, PR.AC-1, DE.CM-1) in the document |
| **Current/target/gap** | For each referenced subcategory, checks that current state, target state, and gap are documented |
| **Implementation actions** | If high-priority gaps are mentioned, ensures the roadmap includes actions, owners, or timelines |

Run **check_csf_subcategory_coverage** on the profile or roadmap document after drafting or updating.
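An added illustration of the three checks in the table above, not the skill's own `check_csf_subcategory_coverage` code. It assumes one heading per subcategory followed by a two-column table as in the sample excerpt; `check_profile`, the regexes, and the sample profile are constructed here.

```python
import re

# Matches the code style used on this page (PR.AC-1); two-digit forms also match.
CODE_RE = re.compile(r"\b(?:GV|ID|PR|DE|RS|RC)\.[A-Z]{2}-\d{1,2}\b")
# One two-column Markdown table row: | **Element** | Content |
ROW_RE = re.compile(r"^\|\s*\*{0,2}([^|*]+?)\*{0,2}\s*\|\s*(.*?)\s*\|\s*$")
REQUIRED = ("current", "target", "gap")

def check_profile(markdown):
    """Return {subcategory code: [findings]}; an empty list means the section passes."""
    sections, code = {}, None
    for line in markdown.splitlines():
        if line.startswith("#"):  # a heading opens (or closes) a subcategory section
            m = CODE_RE.search(line)
            code = m.group(0) if m else None
            if code:
                sections.setdefault(code, {})
        elif code and (row := ROW_RE.match(line)) and row.group(2).strip("-: "):
            sections[code][row.group(1).strip().lower()] = row.group(2)
    findings = {}
    for code, rows in sections.items():
        issues = [f"missing {name}" for name in REQUIRED if name not in rows]
        if "high priority" in rows.get("gap", "").lower():
            action = rows.get("implementation action", "")
            if not action:
                issues.append("high-priority gap has no implementation action")
            elif not re.search(r"\bowner\s*:", action, re.I):
                # Assumption: stricter than the page, which accepts action, owner, or timeline.
                issues.append("implementation action names no owner")
        findings[code] = issues
    return findings

# Constructed sample profile: the first section is abridged from the page's excerpt.
SAMPLE = """\
### PR.AC-1 Identity management, authentication and access control
| Element | Content |
|---------|---------|
| **Current** | MFA for cloud apps only. No MFA for VPN or admin access. |
| **Target** | MFA for all remote and privileged access. |
| **Gap** | VPN and admin accounts lack MFA. **High priority.** |
| **Implementation action** | Deploy MFA for VPN (Q2). Owner: Infrastructure. |
### DE.CM-1 Network monitoring
| **Current** | Logs stay on each host. |
| **Target** | |
| **Gap** | No centralized log monitoring. **High priority.** |
"""

if __name__ == "__main__":
    for code, issues in check_profile(SAMPLE).items():
        print(code, "OK" if not issues else "; ".join(issues))
```

An empty table cell counts as undocumented, so a section with a blank Target row fails the current/target/gap check even though the row exists.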


