Skill Being Reviewed
Skill name: nist-csf-assessment
Skill path: skills/compliance/nist-csf-assessment/
False Positive Analysis
Scenario: Function: PROTECT (PR.DS-01) Data-at-rest protection.
Observation: The skill flags the absence of enterprise-managed encryption keys (CMEK) as a "Tier 1" maturity gap.
Why this is a false positive: For small organizations or startups (the target of CSF 2.0's simplified guidance), platform-managed encryption (e.g., default AWS S3 encryption) is perfectly acceptable and meets the NIST 800-53 baseline.
Recommendation: The skill should allow "Platform-Managed Encryption" for Maturity Tier 2 and only require CMEK for Tier 3/4 (Repeatable/Adaptive).
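The tier-aware rule the recommendation describes, written out as an added example in Python that is not part of the reviewed skill. It assumes bucket settings shaped like S3 GetBucketEncryption rules with the KMS KeyManager value ("AWS" or "CUSTOMER") attached, and treats Tier 1 like Tier 2 because the review gives no Tier 1 floor.

```python
# Added example (not from the reviewed skill): a tiered PR.DS-01 check.
# Assumes bucket settings shaped like S3 GetBucketEncryption rules, extended
# with the KMS KeyManager value ("AWS" or "CUSTOMER") for SSE-KMS.
NONE, PLATFORM, CMEK = "none", "platform-managed", "customer-managed"
RANK = {NONE: 0, PLATFORM: 1, CMEK: 2}

# Recommended rule from the review: platform-managed keys satisfy Tier 2,
# CMEK is required only for Tier 3/4. Treating Tier 1 like Tier 2 is an assumption.
REQUIRED = {1: PLATFORM, 2: PLATFORM, 3: CMEK, 4: CMEK}


def classify(rule: dict) -> str:
    """Map one encryption rule to an encryption class."""
    algo = rule.get("SSEAlgorithm")
    if algo is None:
        return NONE
    if algo == "AES256":  # SSE-S3: keys owned and rotated by the platform
        return PLATFORM
    if algo == "aws:kms":
        # SSE-KMS with the AWS-managed aws/s3 key is still platform-managed;
        # only a key whose KeyManager is CUSTOMER counts as CMEK.
        return CMEK if rule.get("KeyManager") == "CUSTOMER" else PLATFORM
    raise ValueError(f"unknown SSEAlgorithm: {algo!r}")


def legacy_gap(rule: dict) -> bool:
    """Behaviour the review flags: anything short of CMEK is a Tier 1 gap."""
    return classify(rule) != CMEK


def assess(rule: dict, target_tier: int) -> dict:
    """Tiered check: a gap exists only below the target tier's floor."""
    observed, required = classify(rule), REQUIRED[target_tier]
    return {"control": "PR.DS-01", "observed": observed, "required": required,
            "gap": RANK[observed] < RANK[required]}


def false_positives(buckets: dict, target_tier: int) -> list:
    """Buckets the legacy rule flags that the tiered rule accepts."""
    return [name for name, rule in buckets.items()
            if legacy_gap(rule) and not assess(rule, target_tier)["gap"]]


# Constructed sample, not real infrastructure.
SAMPLE_BUCKETS = {
    "startup-assets": {"SSEAlgorithm": "AES256"},
    "kms-default": {"SSEAlgorithm": "aws:kms", "KeyManager": "AWS"},
    "finance-data": {"SSEAlgorithm": "aws:kms", "KeyManager": "CUSTOMER"},
    "scratch": {},
}
```

At a Tier 2 target, `false_positives(SAMPLE_BUCKETS, 2)` returns the two platform-encrypted buckets the legacy rule would have flagged, while the unencrypted "scratch" bucket remains a genuine gap at every tier.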
Coverage Gaps
1. NIST AI RMF 1.0 Mapping:
NIST CSF 2.0 was designed to work alongside the AI Risk Management Framework (AI RMF 1.0). The skill currently misses the "AI-specific" Categories in the GOVERN function, such as AI Transparency and Model Robustness.
2. Zero Trust Architecture (ZTA) Maturity:
The skill uses the older "Tier" model (1-4) but does not map those tiers to the CISA Zero Trust Maturity Model (v2.0). 2026 assessments must reflect ZTA progress (Initial, Advanced, Optimal).
3. Supply Chain 'Software Integrity' (GV.SC):
The GOVERN function includes Supply Chain, but the skill lacks checks for SLSA (Supply-chain Levels for Software Artifacts) requirements, which is the current "Informative Reference" for NIST.
Remediation Quality
Issues found: The remediation roadmap should include "Policy-as-Code" (PaC) as a key recommendation for the "GOVERN" function. Automating governance via OPA or Kyverno is how modern teams reach Tier 4 (Adaptive).
Overall Assessment
A very high-quality skill that correctly reflects the 2024 CSF 2.0 structure. Adding the AI RMF 1.0 mapping and the SLSA integrity checks would make it the definitive tool for 2026 compliance audits.
Bounty Info