NIST CSF Maturity Assessment — Ben Sady
Portfolio Project

NIST CSF Maturity Assessment

Sanitized example of a cyber maturity engagement for a mid-market regulated organization. The work included current-state scoring, executive heatmapping, prioritized recommendations, and a 90-day action roadmap tied to practical governance and control improvements.

  • 6 NIST CSF 2.0 functions assessed
  • 1.1 average maturity gap identified
  • 90-day action roadmap included
  • 4 of 6 domains at high priority

Project Overview

This example is designed to show the type of work product a client, employer, or referral partner can expect without exposing sensitive details. It mirrors a real engagement pattern: establish the current state, identify meaningful gaps, prioritize actions, and communicate the path forward in a way leadership can use.

  • Assessed maturity across Govern, Identify, Protect, Detect, Respond, and Recover.
  • Converted findings into an executive heatmap and management-ready summary.
  • Built a 90-day roadmap focused on practical wins before long-term optimization.
  • Used sanitized language and generalized organization descriptors instead of client details.

What this demonstrates

Strategic framing: Translating technical and control observations into business priorities leadership can act on.

GRC depth: Linking governance, detection, recovery, and evidence expectations across the full CSF.

Executive communication: Concise outputs that are review-friendly and decision-ready.

Sanitization discipline: Preserving realism without exposing client names, systems, or sensitive findings.

Sample Artifacts

Interactive, sanitized deliverable previews — heatmap, 90-day roadmap, and IT audit plan.

Executive heatmap

  • Avg. current: 2.5 (Developing tier)
  • Avg. target: 3.6 (Managed tier)
  • Avg. gap: 1.1 across 6 domains
  • High priority: 4 of 6 domains

Heatmap columns: Domain, Current, Target, Gap, Inherent risk, Priority, Maturity bar, Observation.

Board message: The program is progressing, but detection and recovery validation need acceleration. Recommended horizon: 90-day stabilization followed by a 6–12 month maturity uplift.

Maturity scale used in the heatmap:

  • 1.0–1.9 · Ad hoc: Little repeatability. Processes are informal and undocumented.
  • 2.0–2.9 · Developing: Some routines exist. Inconsistently applied or evidenced.
  • 3.0–3.9 · Managed: Defined and repeatable. Ownership is clear, evidence exists.
  • 4.0–5.0 · Optimized: Measured and continuously improved. Proactive risk management.
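The scoring model behind a heatmap like this one is simple enough to show in code. The block below is an added illustration, not the engagement's own tooling: the tier bands are the ones from the legend above, while the per-domain scores, the inherent-risk ratings, and the priority rule (a gap of a full point, or a moderate gap in a high-inherent-risk function, is High) are constructed assumptions chosen so the summary reproduces the figures on this page (2.5 current, 3.6 target, 1.1 gap, 4 of 6 domains high priority).

```python
"""Maturity heatmap scoring (added illustration; tier bands from the page's
legend, priority rule and sample scores are constructed assumptions)."""
from dataclasses import dataclass

# Tier bands from the legend: (inclusive lower bound, tier name), highest first.
TIERS = [(4.0, "Optimized"), (3.0, "Managed"), (2.0, "Developing"), (1.0, "Ad hoc")]


def tier_for(score: float) -> str:
    """Map a 1.0-5.0 maturity score to its legend tier."""
    if not 1.0 <= score <= 5.0:
        raise ValueError(f"score {score} is outside the 1.0-5.0 scale")
    for floor, name in TIERS:
        if score >= floor:
            return name
    raise AssertionError("unreachable: TIERS covers the whole scale")


@dataclass
class DomainScore:
    domain: str
    current: float
    target: float
    inherent_risk: str  # "High" | "Medium" | "Low"

    @property
    def gap(self) -> float:
        # Round once here so every downstream comparison sees the same value.
        return round(self.target - self.current, 1)

    @property
    def priority(self) -> str:
        """Assumed rule: a full-point gap is always High; a gap of half a point
        or more in a high-inherent-risk function is also High; otherwise Medium
        for any gap of half a point or more, else Low."""
        if self.gap >= 1.0 or (self.inherent_risk == "High" and self.gap >= 0.5):
            return "High"
        if self.gap >= 0.5:
            return "Medium"
        return "Low"

    def bar(self, width: int = 10) -> str:
        """Text maturity bar: '#' achieved, '-' gap to target, '.' beyond target."""
        cur = round(self.current / 5 * width)
        tgt = round(self.target / 5 * width)
        return "#" * cur + "-" * max(tgt - cur, 0) + "." * (width - max(cur, tgt))


def summarize(scores: list) -> dict:
    """Roll per-domain scores up into the headline numbers on the heatmap card."""
    n = len(scores)
    avg_cur = round(sum(s.current for s in scores) / n, 1)
    avg_tgt = round(sum(s.target for s in scores) / n, 1)
    avg_gap = round(sum(s.gap for s in scores) / n, 1)
    return {
        "avg_current": avg_cur, "current_tier": tier_for(avg_cur),
        "avg_target": avg_tgt, "target_tier": tier_for(avg_tgt),
        "avg_gap": avg_gap,
        "high_priority": sum(1 for s in scores if s.priority == "High"),
        "domains": n,
    }


def heatmap_rows(scores: list) -> list:
    """One tuple per domain in the column order used on the page."""
    return [(s.domain, s.current, s.target, s.gap, s.inherent_risk, s.priority, s.bar())
            for s in scores]


# Constructed sample scores for the six CSF 2.0 functions (not the client's numbers).
SAMPLE = [
    DomainScore("Govern", 2.5, 3.5, "High"),
    DomainScore("Identify", 2.8, 3.5, "Medium"),
    DomainScore("Protect", 2.9, 3.8, "Medium"),
    DomainScore("Detect", 2.0, 3.6, "High"),
    DomainScore("Respond", 2.4, 3.6, "High"),
    DomainScore("Recover", 2.4, 3.6, "High"),
]

if __name__ == "__main__":
    for row in heatmap_rows(SAMPLE):
        print("{:<9} {:>4} {:>4} {:>4} {:<7} {:<6} {}".format(*row))
    print(summarize(SAMPLE))
```

Rounding the gap once, inside `gap`, matters more than it looks: scores like 3.8 - 2.9 do not subtract cleanly in floating point, and a priority rule that compares the raw difference against 1.0 can flip a domain between Medium and High depending on how the inputs were typed.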
90-day roadmap

Status values: In progress, Not started, Blocked, Complete.

  • Days 1–30 · Stabilize: Confirm governance cadence and evidence owners; validate privileged access population.
  • Days 31–60 · Strengthen: Tune top 10 detection alerts; run incident response tabletop.
  • Days 61–90 · Validate: Prioritize recovery validation testing; publish board-level cyber scorecard.

Roadmap columns: Phase, Initiative, Outcome, Owner, Target date, Effort, Status, Dependency.
IT audit plan

  • Total planned hours: 44 across 7 sections
  • High priority items: 4 of 7 sections
  • Risk focus: IAM, privileged access

Audit plan columns: Section, Procedure / scope, Risk addressed, Owner, Hrs, Priority, Status, Evidence example, Next step.

Priority definitions used in the audit plan:

  • High: Meaningful control weakness or high business impact. Requires immediate remediation planning.
  • Medium: Needs improvement but compensating controls may exist. Prioritize in next cycle.
  • Low: Efficiency or documentation enhancement. Address as capacity allows.
Sanitized portfolio example · bensady.com
Download engagement summary (PDF)