What is a NIST CSF 2.0 gap assessment?

A NIST CSF 2.0 gap assessment measures your organization's current cybersecurity maturity across the six framework functions (Govern, Identify, Protect, Detect, Respond, Recover) and compares it to a target state. The output is a current-state profile, target-state profile, and prioritized remediation roadmap.

Who needs a NIST CSF assessment?

Any organization that handles sensitive data, operates critical infrastructure, works with the federal government, or is subject to regulations like HIPAA, CMMC, or FedRAMP benefits from a NIST CSF assessment. It is increasingly required or expected by cyber insurance carriers, enterprise customers, and federal agencies.

How does NIST CSF 2.0 differ from version 1.1?

NIST CSF 2.0 (released February 2024) adds a sixth function, Govern, which addresses organizational context, risk management strategy, supply chain risk, and roles and responsibilities. It also expands applicability beyond critical infrastructure to all organizations, adds tiers and profiles guidance, and provides updated implementation examples aligned with current threats.

NIST CSF 2.0 · SP 800-53 · SP 800-171 · RMF · CMMC 2.0

NIST Cybersecurity Gap Assessment

Independent, evidence-based NIST assessments that quantify your real risk, satisfy auditors, and give you a clear roadmap — not a 200-page PDF that sits on a shelf. Serving federal contractors, healthcare organizations, and regulated businesses across Washington, DC.

Get a Free Consultation View Full Cybersecurity Services →

CSF 2.0

Latest NIST Framework

110+

SP 800-171 Controls Assessed

100%

First-Attempt Audit Pass Rate

2–4 wks

Typical Assessment Duration

Capabilities

NIST Assessment Services We Deliver

We start with constraints: who approves work, what you must prove to regulators or boards, and how buyers actually decide. Delivery follows from that — not from a generic checklist.

NIST CSF 2.0 Maturity Assessment

A structured evaluation of your security posture across all six CSF 2.0 functions, producing a current-state profile, target-state profile, and a prioritized gap list with effort and risk-reduction estimates for every finding.

Govern — organizational context, risk strategy, supply chain risk
Identify — asset inventory, risk assessment, improvement planning
Protect — identity management, data security, platform security
Detect — continuous monitoring, adverse event analysis
Respond — incident management, communication, analysis
Recover — incident recovery, communication
Maturity tier scoring (Partial → Adaptive) per function
Executive summary and board-ready risk heat map

NIST SP 800-53 Rev 5 Control Assessment

A deep-dive evaluation of your security and privacy controls against the NIST SP 800-53 Rev 5 catalog — required for federal systems and increasingly expected by enterprise customers and cyber insurers.

Assessment across all 20 control families (AC, AU, CA, CM, CP, IA, IR, MA, MP, PE, PL, PM, PS, PT, RA, SA, SC, SI, SR, AT)
Control-by-control determination: Satisfied, Other Than Satisfied, Not Applicable
System Security Plan (SSP) review and gap documentation
Plan of Action & Milestones (POA&M) development
Evidence collection and artifact review
Alignment with FedRAMP and FISMA requirements

NIST SP 800-171 & CMMC Readiness

Purpose-built assessment for defense contractors and organizations handling Controlled Unclassified Information (CUI) — covering all 110 SP 800-171 practices required for CMMC 2.0 Level 2 certification.

Scoping of CUI environment and system boundary
Assessment of all 110 NIST SP 800-171 Rev 2 practices
SPRS (Supplier Performance Risk System) score calculation
System Security Plan (SSP) development and review
Plan of Action & Milestones (POA&M) for gaps
C3PAO pre-assessment and audit preparation
CMMC Level 3 / NIST SP 800-172 enhanced controls assessment

NIST Risk Management Framework (RMF)

Full RMF lifecycle support for federal agencies and contractors seeking an Authority to Operate (ATO) — from categorization and control selection through assessment, authorization, and continuous monitoring.

Prepare — organization-level risk decisions and roles
Categorize — FIPS 199 / SP 800-60 impact classification
Select — tailored SP 800-53 control baseline
Implement — control implementation guidance and documentation
Assess — independent security control assessment (SCA)
Authorize — authorization package development (SSP, SAR, POA&M)
Monitor — continuous monitoring strategy and reporting

Cybersecurity Risk Assessment

Quantitative and qualitative risk assessments aligned with NIST SP 800-30 and SP 800-39 — giving leadership a defensible, prioritized view of organizational risk that informs budget and strategy decisions.

Threat identification using NIST SP 800-30 guidance
Vulnerability identification across infrastructure and applications
Likelihood and impact analysis (qualitative and semi-quantitative)
Risk determination and risk response planning
Supply chain risk management (SCRM) per NIST SP 800-161
Risk register development and ongoing maintenance

Supply Chain & Third-Party Risk Assessment

A structured evaluation of your ICT supply chain risks aligned with NIST SP 800-161 Rev 1 — the gold standard for identifying, assessing, and responding to cybersecurity risks introduced through vendors, suppliers, and technology providers.

Supplier and vendor risk identification and categorization
NIST SP 800-161 Rev 1 C-SCRM practice assessment
Third-party questionnaire design and review (SIG, CAIQ, custom)
Contractual security requirement review (FAR/DFARS clauses)
Critical supplier designation and monitoring program
Software Bill of Materials (SBOM) analysis
Supply chain incident response planning
C-SCRM policy and governance framework development

Why DC Businesses Choose Us

Built for the Washington, DC Market

Office on N Street NW. Most engagements pair DC stakeholders (legal, security, procurement) with a senior remote build team — clear owners, written decisions, and no bait-and-switch on who does the work.

1717 N St NW, Washington DC

(202) 666-9377

hello@thoriumdc.com

Framework-Native, Not Template-Driven

Our assessors are trained practitioners who work from primary NIST source documents — not commercial tools that auto-generate reports without human judgment.

Findings That Are Actually Actionable

Every gap finding includes a specific remediation recommendation, effort estimate, and a risk-reduction score. You leave with a prioritized roadmap, not just a list of problems.

Federal & Regulated Sector Experience

Deep experience with DoD contractors, civilian agencies, healthcare organizations, and financial firms — where NIST compliance is mandatory, not aspirational.

Independent & Objective

We don't sell the tools we recommend. Our assessments are vendor-neutral so findings reflect your actual risk, not a path to a product sale.

Audit-Ready Documentation

Every assessment produces evidence packages, control narratives, and artifacts formatted to satisfy C3PAO assessors, FedRAMP 3PAOs, and SOC 2 auditors — not just internal stakeholders.

Clear Communication at Every Level

We translate NIST control language into business risk. Board-level summary decks, CISO-level technical findings, and engineering-level remediation tickets — all from one engagement.

Outcomes

How engagements tend to land

Illustrative benchmarks from past work — your mileage depends on offer, traffic, and sales follow-up.

100%

First-Attempt Audit Pass Rate

Every client we've prepared for CMMC, SOC 2, ISO 27001, or FedRAMP authorization has passed on the first attempt.

2–4 wks

Assessment Turnaround

From kickoff to final report — including executive summary, technical findings, and prioritized remediation roadmap.

10K+

Security Events Neutralized

Across clients who moved to ongoing managed monitoring after their initial NIST assessment.

50+

NIST Assessments Completed

Across federal contractors, healthcare organizations, financial firms, and regulated DC businesses since 2018.

How We Work

A transparent, milestone-driven engagement from first call to launch.

Scope & Kickoff

We define the assessment boundary — which systems, data types, and organizational units are in scope. We align on the specific NIST framework(s) being assessed, collect existing documentation (SSPs, policies, network diagrams), and schedule stakeholder interviews. No surprises mid-engagement.

Evidence Collection & Testing

Our assessors conduct structured interviews with system owners, administrators, and leadership; review technical artifacts and policy documentation; and perform hands-on technical testing (configuration review, vulnerability scanning, log analysis). Every finding is tied to specific evidence.

Gap Analysis & Risk Scoring

We map findings to specific NIST controls or CSF subcategories, assign maturity scores or control determinations, and calculate risk using likelihood/impact scoring per NIST SP 800-30. Gaps are categorized by severity and sequenced for remediation based on risk reduction per dollar spent.

Report, Roadmap & Briefing

Final deliverables include an executive summary (board-ready), full technical findings report, current-state and target-state profiles, prioritized POA&M, and a remediation roadmap with timelines and effort estimates. We present findings directly to your leadership and answer every question.

FAQ

Frequently Asked Questions

Straight answers — scoped to what you sell and who has to sign off.

Next step

Know Your Real Risk. Fix What Matters.

Schedule a free 30-minute scoping call. We'll tell you exactly which NIST assessment applies to your situation, what the engagement looks like, and what it costs — before you commit to anything.

Schedule a Free Strategy Call View Full Cybersecurity Services →

Based at 1717 N Street NW, Washington, DC · hello@thoriumdc.com · (202) 666-9377