NIST CSF 2.0 Profile Development Workshop

Apr 27, 2027  |  Virtual 4-Hour Workshop  |  1:00 PM ET

Workshop applying the NIST Cybersecurity Framework 2.0 to build organizational and target profiles. Covers the new Govern function, the Implementation Tiers, profile-driven gap analysis, and the relationship between CSF and other frameworks (NIST 800-53, ISO 27001, CMMC). Useful for boards and executive briefings.

Instructor: Carl B. Johnson  |  Location: Virtual (Zoom)
Tuition: $595

What This Session Covers

This four-hour, hands-on workshop moves beyond a survey of NIST Cybersecurity Framework 2.0 and into the mechanics of actually building profiles that your organization can act on. Led by Carl B. Johnson, President and CISO of Cleared Systems, the session is structured around the end-to-end profile development process — from establishing organizational context through producing a prioritized remediation roadmap.

The New Govern Function

CSF 2.0 elevates governance to a dedicated function alongside Identify, Protect, Detect, Respond, and Recover. The workshop examines what the Govern function demands in practice: defining roles and accountability, setting organizational risk tolerance, and embedding cybersecurity policy into business decision-making. Attendees work through how Govern activities feed directly into profile construction and how to communicate those governance commitments to boards and executive leadership.

Building Organizational and Target Profiles

The core of the session is building both profile types. The organizational (current) profile captures your present cybersecurity outcomes across all six CSF functions and their underlying categories and subcategories. The target profile defines the outcomes required to meet your mission requirements, risk appetite, and regulatory obligations. Participants draft profile structures they can carry back and complete with their own teams.

Implementation Tiers

The workshop clarifies how Implementation Tiers — Partial, Risk Informed, Repeatable, and Adaptive — describe the rigor and integration of your cybersecurity risk management practices. Critically, attendees learn how to use Tiers as a calibration tool when setting target profiles rather than treating them as a maturity score or compliance checkbox.

Profile-Driven Gap Analysis

With both profiles drafted, the session walks through a structured gap analysis: comparing current and target outcomes, categorizing gaps by severity and business impact, and translating those gaps into an actionable remediation plan. Participants practice prioritizing gaps in a resource-constrained environment — the reality for most defense and federal contractors.

CSF 2.0 and Related Frameworks

No defense or federal contractor operates under a single framework. The workshop maps CSF 2.0 categories and subcategories to NIST SP 800-53 controls, ISO 27001 Annex A controls, and CMMC practices, showing how a well-built CSF profile can serve as a translation layer across compliance obligations. Organizations already investing in CMMC, CUI, and DFARS compliance will see concrete opportunities to reuse profile work across requirements rather than building parallel programs.

Executive and Board Briefing Outputs

The final segment covers how to reframe profile and gap analysis outputs for non-technical audiences. Attendees learn a briefing structure suited to boards and executive teams — one that connects cybersecurity posture directly to business risk and investment decisions without requiring the audience to interpret subcategory-level detail.

What You Will Leave With

  • A working organizational profile template populated with your current-state inputs from workshop exercises
  • A target profile framework aligned to your sector risk context and applicable regulatory requirements
  • A gap analysis worksheet that maps current-to-target outcomes and prioritizes remediation actions
  • A reference mapping of CSF 2.0 subcategories to NIST SP 800-53, ISO 27001, and CMMC practices
  • An executive briefing outline suitable for board-level reporting on cybersecurity posture and investment priorities
  • Practical understanding of how Implementation Tiers inform target-setting without replacing profile-level analysis

Who Should Attend

This workshop is built for compliance practitioners, security analysts, and risk managers at defense contractors, federal contractors, and government-adjacent organizations who are responsible for framework implementation, assessment preparation, or security program documentation. If your team members are the ones drafting policies, conducting internal gap analyses, responding to assessment questionnaires, or preparing materials for auditors — this is their session.

Managers approving this training should know that CSF 2.0 profile development is increasingly expected as a baseline deliverable in risk management programs supporting CMMC, FISMA, and contract-specific cybersecurity requirements. Sending a practitioner to this workshop produces tangible artifacts — not just awareness. Organizations looking to build a more structured risk management foundation may also want to explore compliance program development support to extend workshop outputs into a sustained program.

Continue Building Your Cybersecurity Program

A completed CSF 2.0 profile is a powerful starting point, but translating it into ongoing risk management requires the right support structure. Cleared Systems works with defense and federal contractors at every stage of program maturity. If you are evaluating how ongoing advisory support could accelerate your team's progress, Regulatory vCISO Services offer a structured path from profile development to continuous program leadership.

Questions About This Session?

Ask about group rates, private delivery of this curriculum for your team, or whether this session fits your compliance roadmap.
