Skill Being Reviewed
Skill name: nist-csf-assessment
Skill path: skills/compliance/nist-csf-assessment/
False Positive Analysis
Benign evidence that can be over-scored as mature:
Subcategory: GV.RM-02
Claimed current score: 3
Evidence: risk appetite mentioned in a board slide
Missing: approved risk appetite statement, review date, owner, communication record, exception handling, and evidence that the statement is used in ERM decisions
Why this is a false positive risk:
The skill already warns that CSF tiers apply at the organizational level, but Step 4 maps subcategory scores directly to tier labels and the output profile only has a free-form Evidence column. A roadmap slide, vendor dashboard, or policy draft can be treated as enough evidence for a high score unless the report captures artifact type, owner, scope, freshness, implementation coverage, and runtime/decision evidence.
Coverage Gaps
Missed variant 1: Tier labels used as subcategory maturity proof
ID.AM-01 current score: 3 / Tier 3
Evidence: asset inventory spreadsheet
Missing: update cadence, coverage percentage, authoritative source, lifecycle ownership, reconciliation signal
Why it should be caught:
CSF tiers describe organization-wide risk management integration, not individual subcategory compliance. Subcategory scores can be useful, but they should not be presented as literal tier determinations without separate organizational-tier evidence.
Missed variant 2: Current/target profiles lack evidence confidence
PR.AA-05 current score: 4
Evidence: IAM dashboard screenshot
Missing: apps/resources in scope, entitlement review sample, exception list, enforcement logs, last-tested date
Why it should be caught:
The primary CSF output is the Current and Target Organizational Profiles. Those profiles should include evidence confidence and Not Evaluable reason codes so unsupported claims do not silently become mature scores.
Missed variant 3: Govern and supply-chain outcomes lack decision evidence
GV.SC-07 score: 3
Evidence: vendor risk questionnaire completed
Missing: supplier criticality tier, contract requirement mapping, risk treatment decision, monitoring cadence, issue follow-up
Why it should be caught:
CSF 2.0 elevated GOVERN and supply-chain risk management. A questionnaire alone does not prove that supplier risk is recorded, prioritized, responded to, and monitored through the relationship.
Edge Cases
- An organization can have Tier 3 governance but low maturity in a specific function, or strong technical controls with Tier 1 governance.
- A target profile can intentionally stay below score 4 for low-risk areas; not every gap is a defect.
- Vendor dashboards can support evidence, but they need scope, coverage, freshness, exception, and owner fields.
- Community Profiles can be useful baselines but should not override the organization-specific mission, risk appetite, and regulatory context.
Remediation Quality
Comparison to Other Tools
| Tool / Framework | Catches this? | Notes |
|---|---|---|
| NIST CSF 2.0 | Partial | Defines outcomes, Profiles, and Tiers, but assessment reports must preserve evidence quality. |
| NIST CSF 2.0 Reference Tool | Partial | Helps with taxonomy and examples, but does not validate organization evidence. |
| NIST SP 800-53 / CIS mappings | Partial | Helpful implementation references, but mappings alone do not prove CSF profile maturity. |
Overall Assessment
Strengths:
- Strong coverage of CSF 2.0 functions, categories, and subcategories.
- Good explanation of GOVERN and profile development.
- Useful roadmap output for current/target profile gaps.
Needs improvement:
- Separate organizational-tier evidence from subcategory scoring.
- Add profile evidence confidence and Not Evaluable reason codes.
- Require owner, scope, freshness, implementation coverage, runtime/decision evidence, and exception tracking for profile entries.
- Add pitfalls for vendor-dashboard evidence, roadmap-only maturity, and treating every target below 4 as a defect.
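The evidence-quality gate described in the false positive analysis, the three missed variants, and the "Needs improvement" list above, as an added example (not code from the nist-csf-assessment skill or from NIST): each profile entry carries typed artifacts with owner, scope, freshness and coverage fields; the supported score is capped by the strongest artifact kind and by its metadata gaps, unsupported claims get a Not Evaluable reason code instead of a score, and the organizational tier is reported only when supplied from a separate organization-level assessment. The 0-4 scale, the artifact taxonomy, the reason codes and the sample entries (built from the page's four examples) are all assumptions of this example.

```python
"""Evidence-quality gate for NIST CSF 2.0 Current Profile entries (added example).

Assumed 0-4 subcategory maturity scale. Artifact kinds, weights and reason codes
are constructed for this example; they are not from the skill or from NIST."""
from dataclasses import dataclass, field
from typing import Optional

SCORE_MAX = 4

# Assumed taxonomy: the highest score an artifact kind can support on its own.
KIND_WEIGHT = {
    # Planning / intent only: shows the outcome is acknowledged, not that it operates.
    "board_slide": 1, "roadmap": 1, "policy_draft": 1, "questionnaire": 1,
    # Records and tool views: can show implementation when scope/coverage/owner/freshness are known.
    "dashboard_screenshot": 2, "inventory_spreadsheet": 2, "approved_policy": 2,
    # Runtime or decision evidence: the outcome operates and feeds decisions.
    "enforcement_log": 4, "decision_record": 4, "test_result": 4,
    "reconciliation_report": 4, "review_sample": 4,
}


@dataclass
class Evidence:
    kind: str
    owner: Optional[str] = None
    scope: Optional[str] = None
    age_days: Optional[int] = None        # days since last update or review
    coverage_pct: Optional[float] = None  # share of in-scope assets/users/suppliers covered


@dataclass
class ProfileEntry:
    subcategory: str
    claimed_score: int
    evidence: list = field(default_factory=list)


@dataclass
class Finding:
    subcategory: str
    claimed_score: int
    supported_score: Optional[int]  # None means Not Evaluable
    confidence: str                 # HIGH / MEDIUM / LOW / NOT_EVALUABLE
    reason_codes: list


def evaluate(entry: ProfileEntry, max_age_days: int = 365, min_coverage_pct: float = 90.0) -> Finding:
    """Cap the claimed score by what the evidence actually supports."""
    if not entry.evidence:
        return Finding(entry.subcategory, entry.claimed_score, None, "NOT_EVALUABLE", ["NE-01-NO-ARTIFACT"])
    unknown = [e.kind for e in entry.evidence if e.kind not in KIND_WEIGHT]
    if unknown:
        codes = [f"NE-02-UNCLASSIFIED-ARTIFACT:{k}" for k in unknown]
        return Finding(entry.subcategory, entry.claimed_score, None, "NOT_EVALUABLE", codes)

    best_weight = max(KIND_WEIGHT[e.kind] for e in entry.evidence)
    strongest = [e for e in entry.evidence if KIND_WEIGHT[e.kind] == best_weight]
    codes: list = []
    cap = best_weight
    if best_weight < SCORE_MAX:
        codes.append("NO-RUNTIME-OR-DECISION-EVIDENCE")

    # Metadata gaps are checked on the strongest artifact(s): those carry the score.
    gaps: list = []
    for e in strongest:
        if e.owner is None:
            gaps.append(f"MISSING-OWNER:{e.kind}")
        if e.scope is None:
            gaps.append(f"MISSING-SCOPE:{e.kind}")
        if e.age_days is None:
            gaps.append(f"MISSING-FRESHNESS:{e.kind}")
        elif e.age_days > max_age_days:
            gaps.append(f"STALE:{e.kind}")
        if e.coverage_pct is None:
            gaps.append(f"MISSING-COVERAGE:{e.kind}")
        elif e.coverage_pct < min_coverage_pct:
            gaps.append(f"PARTIAL-COVERAGE:{e.kind}")
    codes.extend(gaps)
    if any(not g.startswith("PARTIAL-COVERAGE") for g in gaps):
        cap = min(cap, 2)   # owner/scope/freshness/coverage unknown: at most "documented"
    elif gaps:
        cap = min(cap, 3)   # operating, but not across the whole scope

    supported = min(entry.claimed_score, cap)
    if supported < entry.claimed_score:
        codes.append(f"SCORE-CAPPED:{entry.claimed_score}->{supported}")
    confidence = {4: "HIGH", 3: "MEDIUM"}.get(cap, "LOW")
    return Finding(entry.subcategory, entry.claimed_score, supported, confidence, codes)


def profile_summary(findings: list, org_tier: Optional[int] = None) -> dict:
    """Roll up a profile. The tier is never derived from subcategory scores; it is
    reported only if supplied from a separate organization-level assessment."""
    scored = [f.supported_score for f in findings if f.supported_score is not None]
    return {
        "evaluable": len(scored),
        "not_evaluable": len(findings) - len(scored),
        "mean_supported_score": round(sum(scored) / len(scored), 2) if scored else None,
        "organizational_tier": org_tier if org_tier is not None
        else "NOT_DETERMINED (NE-03-NO-ORG-TIER-EVIDENCE)",
    }


# Constructed sample entries mirroring the page's four examples.
SAMPLE_ENTRIES = [
    ProfileEntry("GV.RM-02", 3, [Evidence("board_slide")]),
    ProfileEntry("ID.AM-01", 3, [Evidence("inventory_spreadsheet", owner="IT asset manager",
                                          scope="corporate endpoints")]),
    ProfileEntry("PR.AA-05", 4, [Evidence("dashboard_screenshot", owner="IAM lead",
                                          scope="SSO-integrated apps", age_days=30, coverage_pct=100.0)]),
    ProfileEntry("GV.SC-07", 3, [Evidence("questionnaire"),
                                 Evidence("decision_record", owner="TPRM lead",
                                          scope="tier-1 suppliers", age_days=60, coverage_pct=100.0)]),
]
FINDINGS = [evaluate(e) for e in SAMPLE_ENTRIES]

if __name__ == "__main__":
    for f in FINDINGS:
        print(f.subcategory, f.claimed_score, "->", f.supported_score, f.confidence, f.reason_codes)
    print(profile_summary(FINDINGS))
```

Run as-is, the board slide for GV.RM-02 drops the supported score from 3 to 1, the complete but non-operating IAM dashboard caps PR.AA-05 at 2, and only GV.SC-07, which carries a decision record with owner, scope, freshness and coverage, keeps its claimed score at HIGH confidence; the summary shows the tier as not determined because no organization-level evidence was passed in.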
Sources Checked
Bounty Info