Self-assessed · sample · NIST CSF v2.0
Initech: NIST CSF 2.0 from one AICM run
Board-level cybersecurity outcomes on the same foundational bridge as 800-53. Often Partial Gap where the catalog is No Gap — outcomes framing grades the same dock differently.
Assessed on CSA AICM via the function diagnostic, then rolled through CSA’s CCM-bridged AICM→NIST CSF 2.0 crosswalk. Readiness for conversation and planning, not a NIST attestation, audit opinion, or measured result.
Executive summary
Initech: 16 controls map to NIST CSF 2.0 but are absent in the function attestation. Close those first for this lens. Self-assessed, not a NIST attestation.
Cybersecurity outcomes (Govern, Identify, Protect, Detect, Respond, Recover) — board framing for the foundational program.
Controls in this slice
26
Priority (mapped, absent)
16
Attested implemented
1
Matrix mapped / aligned
188
Slice gaps: 6 no · 18 partial · 2 unmapped. Matrix AI-only remainder 59.
Control register
| AICM | Title | Gap | Refs | Posture | Board line |
|---|---|---|---|---|---|
| GRC-01 | Governance Program Policy and Procedures | Partial Gap | GV.PO-01 GV.PO-02 ID.IM-03 | Implemented | Self-attested in place; CSA maps with a partial gap to NIST CSF 2.0. Confirm subcategory coverage with evidence. |
| GRC-02 | Risk Management Program | Partial Gap | GV.RM-01 GV.RM-02 GV.RM-03 GV.RM-04 GV.RM-05 GV.RM-06 GV.RM-07 | Partial | Partially attested; close the practice gap before treating the NIST CSF 2.0 mapping as ready. |
| GRC-03Priority | Organizational Policy Reviews | Partial Gap | GV.PO-02 | Absent | CSA maps to NIST CSF 2.0, but practice is not attested. Priority for this lens. |
| HRS-15 | AI Acceptable Use | Unmapped | n/a | Partial | No CSA AICM→NIST CSF 2.0 mapping on this control id (AI-only or outside the CCM bridge). |
| GRC-15 | Human supervision | Unmapped | n/a | Absent | No CSA AICM→NIST CSF 2.0 mapping on this control id (AI-only or outside the CCM bridge). |
| AIS-01 | Application and Interface Security Policy and Procedures | Partial Gap | GV.PO-01 GV.PO-02 ID.IM-03 | Partial | Partially attested; close the practice gap before treating the NIST CSF 2.0 mapping as ready. |
| AIS-04Priority | Secure Application Development Lifecycle | No Gap | ID.AM-08 PR.IR-01 PR.PS-01 PR.PS-02 PR.PS-06 | Absent | CSA maps to NIST CSF 2.0, but practice is not attested. Priority for this lens. |
| AIS-07Priority | Application Vulnerability Remediation | No Gap | ID.AM-08 ID.RA-01 ID.RA-06 ID.RA-08 PR.PS-02 PR.PS-06 | Absent | CSA maps to NIST CSF 2.0, but practice is not attested. Priority for this lens. |
| TVM-01 | Threat and Vulnerability Management Policy and Procedures | Partial Gap | GV.PO-01 GV.PO-02 ID.IM-03 ID.RA-01 ID.RA-05 ID.RA-06 | Partial | Partially attested; close the practice gap before treating the NIST CSF 2.0 mapping as ready. |
| TVM-03Priority | Vulnerability Identification | Partial Gap | ID.RA-01 ID.RA-06 ID.RA-08 PR.PS-02 PR.PS-03 | Absent | CSA maps to NIST CSF 2.0, but practice is not attested. Priority for this lens. |
| TVM-08Priority | Vulnerability Remediation Schedule | No Gap | ID.RA-01 ID.RA-05 ID.RA-06 PR.PS-02 PR.PS-03 GV.RM-06 | Absent | CSA maps to NIST CSF 2.0, but practice is not attested. Priority for this lens. |
| A&A-01 | Audit and Assurance Policy and Procedures | Partial Gap | GV.PO-01 GV.PO-02 | Partial | Partially attested; close the practice gap before treating the NIST CSF 2.0 mapping as ready. |
| A&A-02Priority | Independent Assessments | Partial Gap | ID.IM-01 | Absent | CSA maps to NIST CSF 2.0, but practice is not attested. Priority for this lens. |
| A&A-05Priority | Audit Management Process | Partial Gap | ID.IM-01 ID.RA-03 ID.RA-04 ID.RA-05 ID.RA-06 ID.RA-07 | Absent | CSA maps to NIST CSF 2.0, but practice is not attested. Priority for this lens. |
| A&A-06Priority | Remediation | Partial Gap | ID.RA-6 | Absent | CSA maps to NIST CSF 2.0, but practice is not attested. Priority for this lens. |
| STA-01 | Supply Chain Risk Management Policies and Procedures | Partial Gap | GV.PO-01 GV.PO-02 ID.IM-03 GV.SC-01 GV.SC-02 GV.SC-03 GV.SC-06 GV.SC-07 GV.OC-05 GV.RM-04 GV.RM-05 | Partial | Partially attested; close the practice gap before treating the NIST CSF 2.0 mapping as ready. |
| STA-08 | Supply Chain Inventory | No Gap | GV.SC-01 GV.SC-03 GV.SC-05 GV.SC-06 GV.SC-07 GV.OC-02 GV.RM-05 ID.RA-10 | Partial | Partially attested; close the practice gap before treating the NIST CSF 2.0 mapping as ready. |
| STA-10Priority | Supply Chain Risk Management | Partial Gap | GV.SC-07 | Absent | CSA maps to NIST CSF 2.0, but practice is not attested. Priority for this lens. |
| STA-13Priority | Supply Chain Compliance Assessment | No Gap | GV.SC-05 GV.SC-07 GV.OC-02 GV.OC-03 ID.IM-01 | Absent | CSA maps to NIST CSF 2.0, but practice is not attested. Priority for this lens. |
| BCR-01Priority | Business Continuity Management Policy and Procedures | Partial Gap | GV.PO-01 GV.PO-02 GV.OC-01 GV.OC-04 RC.RP-01 ID.IM-03 ID.IM-04 | Absent | CSA maps to NIST CSF 2.0, but practice is not attested. Priority for this lens. |
| BCR-02Priority | Risk Assessment and Impact Analysis | Partial Gap | ID.RA-04 ID.RA-05 GV.OC-04 | Absent | CSA maps to NIST CSF 2.0, but practice is not attested. Priority for this lens. |
| BCR-08 | Backup | No Gap | PR.DS-01 PR.DS-11 RC.RP-03 | Partial | Partially attested; close the practice gap before treating the NIST CSF 2.0 mapping as ready. |
| BCR-06Priority | Business Continuity Exercises | Partial Gap | ID.IM-02 GV.SC-08 | Absent | CSA maps to NIST CSF 2.0, but practice is not attested. Priority for this lens. |
| IPY-01Priority | Interoperability and Portability Policy and Procedures | Partial Gap | GV.PO-01 GV.PO-02 ID.IM-03 ID.AM-03 | Absent | CSA maps to NIST CSF 2.0, but practice is not attested. Priority for this lens. |
| IPY-03Priority | Secure Interoperability and Portability Management | Partial Gap | PR.DS-02 | Absent | CSA maps to NIST CSF 2.0, but practice is not attested. Priority for this lens. |
| IPY-04Priority | Data Portability Contractual Obligations | Partial Gap | GV.SC-05 GV.SC-10 | Absent | CSA maps to NIST CSF 2.0, but practice is not attested. Priority for this lens. |