How to Create a NIST CSF Profile: Current vs Target State
Quick Answer
A NIST CSF Profile describes your organization's cybersecurity posture by documenting which CSF categories and subcategories are addressed and to what extent. The Current Profile shows where you are today; the Target Profile shows where you want to be. The gap between them drives your improvement plan.
What Are NIST CSF Profiles?
NIST CSF Profiles are one of the three core components of the framework (alongside the Core and Tiers). A Profile is a customized alignment of your cybersecurity activities with the CSF Core, tailored to your organization's specific business requirements, risk tolerance, and resources.
Key Takeaways
- Current Profile: describes your current cybersecurity activities mapped to CSF subcategories
- Target Profile: describes your desired cybersecurity outcomes based on risk and business needs
- The gap between profiles drives your action plan and resource allocation
- Profiles are organization-specific — there is no universal 'correct' profile
- CSF 2.0 provides community profiles for specific sectors and use cases
Creating Your Current Profile
Current Profile Development Process
List applicable CSF subcategories
Review all 106 CSF 2.0 subcategories and identify which are relevant to your organization. Not all will apply — a small SaaS company has different needs than a hospital.
Assess current state per subcategory
For each applicable subcategory, document what controls, processes, or tools you currently have in place. Rate each as: Not Implemented, Partially Implemented, Largely Implemented, or Fully Implemented.
Document evidence and rationale
For each subcategory, note the specific controls, tools, or processes that support your assessment. This creates an audit trail and helps identify quick wins.
Validate with stakeholders
Review the Current Profile with IT, security, operations, and business leaders. Different perspectives often reveal gaps or overestimations.
Map to implementation tier
Based on your Current Profile, assess your overall implementation tier (Partial, Risk Informed, Repeatable, or Adaptive).
Creating Your Target Profile
The Target Profile represents where you want your cybersecurity program to be. It should be driven by business requirements, risk assessment results, regulatory obligations, and available resources.
- Consider your risk assessment results — prioritize subcategories that address your highest risks
- Account for regulatory requirements (HIPAA, PCI DSS, etc.) that mandate specific controls
- Factor in customer and partner expectations for security maturity
- Be realistic about available budget and staffing — an unachievable target is counterproductive
- Use industry-specific community profiles as a starting point if available
- Set a timeline — most organizations plan a 12-24 month horizon for their Target Profile
Gap Analysis: Current vs Target
The gap between your Current Profile and Target Profile is the actionable output of the profiling process. Each gap represents an area needing improvement, which can be prioritized by risk impact and implementation feasibility.
| Subcategory | Current State | Target State | Gap | Priority |
|---|---|---|---|---|
| PR.AA-01: Identity management | Partially Implemented | Fully Implemented | Formalize identity lifecycle | High |
| PR.AA-03: MFA for remote access | Not Implemented | Fully Implemented | Deploy MFA | Critical |
| PR.AT-01: Security training | Partially Implemented | Largely Implemented | Annual training + phishing sims | Medium |
| PR.DS-01: Data at rest protection | Largely Implemented | Fully Implemented | Encrypt all databases | Medium |
| PR.PS-01: Configuration management | Not Implemented | Largely Implemented | Implement baselines + monitoring | High |
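As an added example that is not part of the article, the following Python models the gap computation shown in the table: ratings use the four-level scale from the assessment step, the gap is the number of maturity steps between Current and Target, and open gaps are ranked by risk impact and implementation feasibility. The numeric risk-impact and feasibility scores on each row are assumed inputs, not values the article gives.

```python
"""Gap analysis between a NIST CSF Current Profile and a Target Profile."""
from dataclasses import dataclass

# Ordinal implementation scale from the assessment step, lowest to highest.
LEVELS = ("Not Implemented", "Partially Implemented",
          "Largely Implemented", "Fully Implemented")
RANK = {name: i for i, name in enumerate(LEVELS)}

@dataclass(frozen=True)
class Assessment:
    subcategory: str   # CSF 2.0 identifier, e.g. "PR.AA-03"
    current: str       # Current Profile rating, one of LEVELS
    target: str        # Target Profile rating, one of LEVELS
    risk_impact: int   # 1 (low) to 5 (high); assumed scoring input
    feasibility: int   # 1 (hard) to 5 (easy); assumed scoring input

    def __post_init__(self):
        for rating in (self.current, self.target):
            if rating not in RANK:
                raise ValueError(f"{self.subcategory}: unknown rating {rating!r}")

    def gap(self) -> int:
        """Maturity steps still needed to reach the target (0 = target met)."""
        return max(RANK[self.target] - RANK[self.current], 0)

def prioritize(assessments):
    """Open gaps ordered by risk impact, then feasibility, then gap size."""
    open_gaps = [a for a in assessments if a.gap() > 0]
    return sorted(open_gaps, key=lambda a: (-a.risk_impact, -a.feasibility, -a.gap()))

def target_met_ratio(assessments) -> float:
    """Share of assessed subcategories whose current state already meets the target."""
    if not assessments:
        return 0.0
    return sum(1 for a in assessments if a.gap() == 0) / len(assessments)

# Constructed sample data: the five rows of the gap table above, with assumed
# risk-impact and feasibility scores that are not part of the article.
SAMPLE_PROFILE = [
    Assessment("PR.AA-01", "Partially Implemented", "Fully Implemented", 4, 3),
    Assessment("PR.AA-03", "Not Implemented", "Fully Implemented", 5, 4),
    Assessment("PR.AT-01", "Partially Implemented", "Largely Implemented", 2, 5),
    Assessment("PR.DS-01", "Largely Implemented", "Fully Implemented", 3, 3),
    Assessment("PR.PS-01", "Not Implemented", "Largely Implemented", 4, 2),
]

if __name__ == "__main__":
    for a in prioritize(SAMPLE_PROFILE):
        print(f"{a.subcategory}: {a.current} -> {a.target}, gap {a.gap()} step(s)")
```

Loading the same fields from the spreadsheet you maintain for the profile gives a sortable action list that is regenerated as the Current Profile is updated each quarter.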
Community Profiles in CSF 2.0
NIST CSF 2.0 introduces the concept of Community Profiles — pre-built profiles for specific sectors, use cases, or technologies. These provide a starting point that organizations can customize.
Available community profiles
NIST and industry groups are developing community profiles for sectors like manufacturing, healthcare, water utilities, and elections infrastructure. These profiles identify the most relevant subcategories and recommended implementation levels for each sector.
Profile Maintenance
Profile Update Cycle
Quarterly
Review progress toward Target Profile, update Current Profile as controls are implemented
Semi-annually
Reassess Target Profile against evolving threats and business changes
Annually
Conduct full profile refresh: new risk assessment, updated Current Profile, revised Target Profile
As needed
Update after significant incidents, organizational changes, or new regulatory requirements
How detailed should my profile be?
Profile at the subcategory level (106 items in CSF 2.0) for meaningful analysis. For each subcategory, document your current state and target state, plus a brief justification. This typically produces a document of 20-40 pages or a structured spreadsheet.
Can I use someone else's Target Profile?
Community profiles and industry examples are good starting points, but your Target Profile must be customized to your organization's specific risk environment, business requirements, and resources. A hospital's target looks very different from a SaaS startup's target.
What if my Current Profile shows we are at Tier 1?
This is a common and honest finding, especially for smaller organizations. Do not be discouraged. Use the gap analysis to identify the highest-impact, lowest-cost improvements. Moving from Tier 1 to Tier 2 typically requires 3-6 months of focused effort and provides the greatest risk reduction per dollar spent.
Should I share my profiles with customers?
Sharing your Target Profile and progress toward it demonstrates transparency and commitment to security. Many organizations share a summary-level version during customer security reviews, while keeping detailed subcategory assessments internal.