NIST CSF 2.0 maturity you operate toward, not just measure.
Valentra Labs grades program maturity against the NIST CSF 2.0 functions and operates the gap-closing work, so the maturity score moves between assessments instead of resetting each year.
A maturity score on a slide tells you where you stand once. Without a program operating behind it, the gaps it names — across Govern, Identify, Protect, Detect, Respond, and Recover — are still open at the next assessment.
Valentra Labs measures maturity against NIST CSF 2.0, then runs the remediation on Valentra Nexus — each gap tied to a control, its evidence, and the work that closes it — and reports progress against the target profile in a board-ready Decision Packet.
What you have
What a maturity score on a slide leaves you with.
You have
A maturity rating across the CSF functions.
A gap list from the last assessment.
But
The gaps it named are still open at the next one.
No program operates behind the score.
The number resets instead of moving.
What it costs you
What that costs you.
01A maturity score that measures, but never moves.
02Gap lists that outlive the assessment that made them.
03Progress you can't show against a target profile.
The system
Maturity you operate toward, function by function.
Each CSF gap is tied to the work that closes it, so the score moves between assessments.
01AssetThe assets each CSF function has to cover.
02RiskWhere the function is weakest, ranked as a gap.
03ControlThe control that closes the gap, owned.
04EvidenceProof the control operates, tied to the function.
05WorkThe gap-closing work, with an owner and a date.
06DecisionA Decision Packet showing maturity against the target.
30-day impact
What changes in the first thirty days.
No ramp-up theater. The first month produces visible, measurable progress — by design.
Day 1–10Discover
Program maturity is graded against the NIST CSF 2.0 functions and the gaps are loaded into one operating record.
Day 11–20Operate
Each gap is tied to a control, its evidence, and the work that closes it — every item owned.
Day 21–30Report
The first Decision Packet shows maturity against the target profile and the gaps now in motion.
What you get
What you get.
01A graded maturity baseline
Program maturity scored against the NIST CSF 2.0 functions, not a self-attested guess.
02Gaps tied to closing work
Each gap carries the control and the remediation that closes it.
03Evidence against each function
Proof the controls operate across Govern, Identify, Protect, Detect, Respond, and Recover.
04Progress against a target profile
Maturity moving toward the target between assessments, in an artifact leadership signs.
The artifact this produces
Every Valentra Labs program produces the same artifact: a board-ready Decision Packet
carrying the situation, options, recommendation, evidence, and approval chain —
generated by Valentra Nexus.
Decision Packet · v1.0
Q2 2026 — Crown-Jewel Risk Disposition
pkt_2026-04-17_a3f8e1·
Situation
Q2 program review covers the crown-jewel ePHI store and its supporting control envelope. 487 endpoints catalogued across three network segments; 12 unsanctioned SaaS surfaces detected by the shadow-IT scan. Continuous monitoring posture is operating; the residual question is risk acceptance for two compensating-control gaps surfaced this cycle.
Risk & Impact
14 critical findings scored against the revenue-at-risk model. Two compensating gaps (vendor-SOC-2 attestation lapse + patch-cycle #38 awaiting CAB sign-off) carry residual risk of $1.4M in unmitigated regulatory exposure if a HITRUST audit lands before remediation closes. Patient-data confidentiality remains the load-bearing impact dimension.
Options
Accept residual risk through Q3, with quarterly board re-review.
Accelerate remediation by re-prioritizing the patch cycle ahead of the planned Q3 platform migration (cost: 2 engineer-weeks).
Transfer risk via expanded cyber-insurance rider (cost: $48K/yr premium delta; coverage gap on ePHI exfiltration remains).
Recommendation
Pursue Option 2 — accelerate remediation. The 2 engineer-weeks of effort cost is recoverable in Q3; the residual exposure is asymmetric (regulatory floor of $1.4M vs. ~$120K labor delta). Document the patch-cycle re-prioritization as a logged decision with the program owner; close the SOC-2 attestation gap via vendor outreach in the same window. Insurance rider deferred to Q4 review.
Evidence
Twelve evidence artifacts back the recommendation — asset inventory, control mapping, vendor SOC-2 status, residual-risk model, patch-cycle telemetry, and the prior packet's audit trail. One control attestation is overridden with a documented compensating-control narrative; two vendor attestations are pending the Q2 refresh window.
Overridden per compensating-control narrative — see attached
Penetration test report — Q1 follow-up
#a5b6c7d8
stale
—
Prior packet audit trail — pkt_2026-01-09_b8c4e2
#b6c7d8e9
verified
—
Approval Chain
CIO and CISO have signed. The CCO signature is pending receipt of the vendor-SOC-2 refresh; the program owner has logged the override and the compensating-control narrative.
Chief Information OfficerM. AlvarezSigned 2026-04-17T14:08:11Z
Chief Information Security OfficerJ. ParkSigned 2026-04-17T14:18:42Z
The program maps each operating stage — asset, risk, control, evidence, work, decision —
to the frameworks healthcare cybersecurity teams report against. Valentra Nexus carries
the full framework-alignment grid; see how the stages line up on the platform page.
Valentra Labs grades program maturity against NIST CSF 2.0 and operates the gap-closing work on Valentra Nexus — each gap tied to a control, its evidence, and the work that closes it — so the maturity score moves between assessments instead of resetting each year.