Skip to content
NIST CSF Assessment

A NIST CSF 2.0 program you operate, not just assess.

Valentra Labs aligns the program to the NIST CSF 2.0 functions and runs them continuously — Govern, Identify, Protect, Detect, Respond, Recover as operated controls with evidence.

The problem

A current profile and a target profile, with nothing operating the distance between.

A NIST CSF assessment produces a current profile and a target. The distance between them is where most programs stall, because nothing operates the work to close it.

The functions are clear. Running them continuously is the hard part.

  • 01 / 03 A NIST CSF assessment produces a current profile and a target profile.
  • 02 / 03 The distance between them is where most programs stall.
  • 03 / 03 Nothing operates the Govern, Identify, Protect, Detect, Respond, and Recover work continuously.

Insight

Insight
The framework names the work. A program is what runs it.

The Valentra operating principle

The Valentra approach

The Valentra approach: the CSF functions, operated.

Valentra Labs operates the CSF functions inside the Managed Security Program: Valentra Nexus carries each control and its evidence and surfaces the board-ready Decision Packet that shows progress against the target profile.

  • Valentra Labs aligns the program to the six NIST CSF 2.0 functions.
  • Each function runs as controls on Valentra Nexus, with evidence attached.
  • Work to close the gap to the target profile is tracked in one record.
  • A board-ready Decision Packet reports progress by function.
Outcome

What leadership gets the functions run, not just assessed

  • 01 / 03 Govern, Identify, Protect, Detect, Respond, and Recover as operated controls.
  • 02 / 03 Evidence tied to each function’s controls.
  • 03 / 03 A Decision Packet that reports progress against the target profile.
Consequence

What a profile-only assessment costs

  • Stalled progress

    The gap between current and target profile never closes without a program to operate it.

  • Function blind spots

    A function is assumed to be running when no evidence proves it.

  • Fragmented ownership

    Each function is handled by a different team with no shared record.

  • Assessment on repeat

    The next assessment restates the same target instead of showing movement toward it.

Impact

The first thirty days

  1. Days 1–10 Align
    • The program is aligned to the six CSF 2.0 functions.
    • The current and target profiles are recorded.
  2. Days 11–20 Operate
    • Each function runs as controls with owners on Valentra Nexus.
    • Gap-closing work is assigned and tracked.
  3. Days 21–30 Report
    • The Decision Packet reports progress by function.
    • Leadership sees the program operating, not just profiled.

Built for the committee that owns the decision

The board-ready Decision Packet this produces

Every Valentra Labs program produces the same artifact: a board-ready Decision Packet carrying the situation, options, recommendation, evidence, and approval chain — generated by Valentra Nexus.

Decision Packet · v1.0

Q2 2026 — Crown-Jewel Risk Disposition

pkt_2026-04-17_a3f8e1

Situation

Q2 program review covers the crown-jewel ePHI store and its supporting control envelope. 487 endpoints catalogued across three network segments; 12 unsanctioned SaaS surfaces detected by the shadow-IT scan. Continuous monitoring posture is operating; the residual question is risk acceptance for two compensating-control gaps surfaced this cycle.

Risk & Impact

14 critical findings scored against the revenue-at-risk model. Two compensating gaps (vendor-SOC-2 attestation lapse + patch-cycle #38 awaiting CAB sign-off) carry residual risk of $1.4M in unmitigated regulatory exposure if a HITRUST audit lands before remediation closes. Patient-data confidentiality remains the load-bearing impact dimension.

Options

  1. Accept residual risk through Q3, with quarterly board re-review.
  2. Accelerate remediation by re-prioritizing the patch cycle ahead of the planned Q3 platform migration (cost: 2 engineer-weeks).
  3. Transfer risk via expanded cyber-insurance rider (cost: $48K/yr premium delta; coverage gap on ePHI exfiltration remains).

Recommendation

Pursue Option 2 — accelerate remediation. The 2 engineer-weeks of effort cost is recoverable in Q3; the residual exposure is asymmetric (regulatory floor of $1.4M vs. ~$120K labor delta). Document the patch-cycle re-prioritization as a logged decision with the program owner; close the SOC-2 attestation gap via vendor outreach in the same window. Insurance rider deferred to Q4 review.

Evidence

Twelve evidence artifacts back the recommendation — asset inventory, control mapping, vendor SOC-2 status, residual-risk model, patch-cycle telemetry, and the prior packet's audit trail. One control attestation is overridden with a documented compensating-control narrative; two vendor attestations are pending the Q2 refresh window.
ArtifactHashStatusDetailCaptured
Asset inventory snapshot — 487 endpoints#a3f8e1b2verified
Control mapping cross-walk — 93 controls#b7c4d9e0verified
Vendor SOC-2 attestation — current#c9d0e2f1pendingRefresh window opens 2026-05-12; vendor confirmed window…
Vendor SOC-2 attestation — secondary processor#d2e3f4a5pending
Residual-risk model — revenue-at-risk#e1f2a3b4verified
Patch cycle #38 — CAB queue position#f3a4b5c6overridden
Overridden per compensating-control narrative — see attached
Penetration test report — Q1 follow-up#a5b6c7d8stale
Prior packet audit trail — pkt_2026-01-09_b8c4e2#b6c7d8e9verified

Approval Chain

CIO and CISO have signed. The CCO signature is pending receipt of the vendor-SOC-2 refresh; the program owner has logged the override and the compensating-control narrative.
  1. Chief Information OfficerM. AlvarezSigned 2026-04-17T14:08:11Z
  2. Chief Information Security OfficerJ. ParkSigned 2026-04-17T14:18:42Z
  3. Chief Compliance OfficerPending signatureAwaiting vendor SOC-2 refresh — window opens 2026-05-12
Generated by Valentra Nexuspkt_2026-04-17_a3f8e1
FAQ

The questions we hear most.

Which version of the framework?

Valentra Labs aligns the program to NIST CSF 2.0, including the Govern function introduced in that revision.

Do you operate all six functions?

Yes. Govern, Identify, Protect, Detect, Respond, and Recover each run as controls on Valentra Nexus, with evidence recorded per function.

Is this a substitute for a maturity assessment?

They are related. The CSF assessment sets the current and target profiles; a maturity view grades how well each function operates. Both run on the same record.

How is progress reported?

Progress toward the target profile is tracked per function and summarized in a board-ready Decision Packet.

Valentra Labs operates the NIST CSF 2.0 functions inside the Managed Security Program: Valentra Nexus carries each control and its evidence and surfaces the board-ready Decision Packet that shows progress against the target profile.

as of NIST CSF 2.0