ai · security · skills

Self-assessed · sample · NIST CSF v2.0

Initech: NIST CSF 2.0 from one AICM run

Board-level cybersecurity outcomes on the same foundational bridge as 800-53. Often Partial Gap where the catalog is No Gap — outcomes framing grades the same dock differently.

Assessed on CSA AICM via the function diagnostic, then rolled through CSA’s CCM-bridged AICM→NIST CSF 2.0 crosswalk. Readiness for conversation and planning, not a NIST attestation, audit opinion, or measured result.

Executive summary

Initech: 16 controls map to NIST CSF 2.0 but are absent in the function attestation. Close those first for this lens. Self-assessed, not a NIST attestation.

Cybersecurity outcomes (Govern, Identify, Protect, Detect, Respond, Recover) — board framing for the foundational program.

Controls in this slice

26

Priority (mapped, absent)

16

Attested implemented

1

Matrix mapped / aligned

188

Slice gaps: 6 no · 18 partial · 2 unmapped. Matrix AI-only remainder 59.

Control register

AICMTitleGapRefsPostureBoard line
GRC-01Governance Program Policy and ProceduresPartial GapGV.PO-01 GV.PO-02 ID.IM-03ImplementedSelf-attested in place; CSA maps with a partial gap to NIST CSF 2.0. Confirm subcategory coverage with evidence.
GRC-02Risk Management ProgramPartial GapGV.RM-01 GV.RM-02 GV.RM-03 GV.RM-04 GV.RM-05 GV.RM-06 GV.RM-07PartialPartially attested; close the practice gap before treating the NIST CSF 2.0 mapping as ready.
GRC-03PriorityOrganizational Policy ReviewsPartial GapGV.PO-02AbsentCSA maps to NIST CSF 2.0, but practice is not attested. Priority for this lens.
HRS-15AI Acceptable UseUnmappedn/aPartialNo CSA AICM→NIST CSF 2.0 mapping on this control id (AI-only or outside the CCM bridge).
GRC-15Human supervisionUnmappedn/aAbsentNo CSA AICM→NIST CSF 2.0 mapping on this control id (AI-only or outside the CCM bridge).
AIS-01Application and Interface Security Policy and ProceduresPartial GapGV.PO-01 GV.PO-02 ID.IM-03PartialPartially attested; close the practice gap before treating the NIST CSF 2.0 mapping as ready.
AIS-04PrioritySecure Application Development LifecycleNo GapID.AM-08 PR.IR-01 PR.PS-01 PR.PS-02 PR.PS-06AbsentCSA maps to NIST CSF 2.0, but practice is not attested. Priority for this lens.
AIS-07PriorityApplication Vulnerability RemediationNo GapID.AM-08 ID.RA-01 ID.RA-06 ID.RA-08 PR.PS-02 PR.PS-06AbsentCSA maps to NIST CSF 2.0, but practice is not attested. Priority for this lens.
TVM-01Threat and Vulnerability Management Policy and ProceduresPartial GapGV.PO-01 GV.PO-02 ID.IM-03 ID.RA-01 ID.RA-05 ID.RA-06PartialPartially attested; close the practice gap before treating the NIST CSF 2.0 mapping as ready.
TVM-03PriorityVulnerability IdentificationPartial GapID.RA-01 ID.RA-06 ID.RA-08 PR.PS-02 PR.PS-03AbsentCSA maps to NIST CSF 2.0, but practice is not attested. Priority for this lens.
TVM-08PriorityVulnerability Remediation ScheduleNo GapID.RA-01 ID.RA-05 ID.RA-06 PR.PS-02 PR.PS-03 GV.RM-06AbsentCSA maps to NIST CSF 2.0, but practice is not attested. Priority for this lens.
A&A-01Audit and Assurance Policy and ProceduresPartial GapGV.PO-01 GV.PO-02PartialPartially attested; close the practice gap before treating the NIST CSF 2.0 mapping as ready.
A&A-02PriorityIndependent AssessmentsPartial GapID.IM-01AbsentCSA maps to NIST CSF 2.0, but practice is not attested. Priority for this lens.
A&A-05PriorityAudit Management ProcessPartial GapID.IM-01 ID.RA-03 ID.RA-04 ID.RA-05 ID.RA-06 ID.RA-07AbsentCSA maps to NIST CSF 2.0, but practice is not attested. Priority for this lens.
A&A-06PriorityRemediationPartial GapID.RA-6AbsentCSA maps to NIST CSF 2.0, but practice is not attested. Priority for this lens.
STA-01Supply Chain Risk Management Policies and ProceduresPartial GapGV.PO-01 GV.PO-02 ID.IM-03 GV.SC-01 GV.SC-02 GV.SC-03 GV.SC-06 GV.SC-07 GV.OC-05 GV.RM-04 GV.RM-05PartialPartially attested; close the practice gap before treating the NIST CSF 2.0 mapping as ready.
STA-08Supply Chain InventoryNo GapGV.SC-01 GV.SC-03 GV.SC-05 GV.SC-06 GV.SC-07 GV.OC-02 GV.RM-05 ID.RA-10PartialPartially attested; close the practice gap before treating the NIST CSF 2.0 mapping as ready.
STA-10PrioritySupply Chain Risk ManagementPartial GapGV.SC-07AbsentCSA maps to NIST CSF 2.0, but practice is not attested. Priority for this lens.
STA-13PrioritySupply Chain Compliance AssessmentNo GapGV.SC-05 GV.SC-07 GV.OC-02 GV.OC-03 ID.IM-01AbsentCSA maps to NIST CSF 2.0, but practice is not attested. Priority for this lens.
BCR-01PriorityBusiness Continuity Management Policy and ProceduresPartial GapGV.PO-01 GV.PO-02 GV.OC-01 GV.OC-04 RC.RP-01 ID.IM-03 ID.IM-04AbsentCSA maps to NIST CSF 2.0, but practice is not attested. Priority for this lens.
BCR-02PriorityRisk Assessment and Impact AnalysisPartial GapID.RA-04 ID.RA-05 GV.OC-04AbsentCSA maps to NIST CSF 2.0, but practice is not attested. Priority for this lens.
BCR-08BackupNo GapPR.DS-01 PR.DS-11 RC.RP-03PartialPartially attested; close the practice gap before treating the NIST CSF 2.0 mapping as ready.
BCR-06PriorityBusiness Continuity ExercisesPartial GapID.IM-02 GV.SC-08AbsentCSA maps to NIST CSF 2.0, but practice is not attested. Priority for this lens.
IPY-01PriorityInteroperability and Portability Policy and ProceduresPartial GapGV.PO-01 GV.PO-02 ID.IM-03 ID.AM-03AbsentCSA maps to NIST CSF 2.0, but practice is not attested. Priority for this lens.
IPY-03PrioritySecure Interoperability and Portability ManagementPartial GapPR.DS-02AbsentCSA maps to NIST CSF 2.0, but practice is not attested. Priority for this lens.
IPY-04PriorityData Portability Contractual ObligationsPartial GapGV.SC-05 GV.SC-10AbsentCSA maps to NIST CSF 2.0, but practice is not attested. Priority for this lens.