What is the NIST CSF Assessment Process?
While the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is technically just a set of voluntary guidelines, best practices, and standards intended to help organizations better manage and reduce cybersecurity risk, it’s possible to go through a five-step assessment process to confirm that you really are adhering to those standards and to provide independent assurance to your customers.
More and more organizations are giving the NIST CSF a close look now that the Securities and Exchange Commission (SEC) has issued its final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. With compliance dates scheduled for December 2023, that doesn’t leave a lot of time to prepare for the changes ahead, but the good news is that implementing the NIST CSF can help.
So can an assessment against the framework. You can do this internally, but some organizations may prefer an independent, expert perspective. As assessors who are well established in the federal compliance space and have long-time familiarity with NIST, Schellman offers such assessments against the NIST CSF, and in this article we’ll explain how the NIST CSF assessment process works so that you know what to expect.
The 5 Phases of a Schellman NIST CSF Assessment
Should you elect to undergo a NIST CSF assessment—having already implemented the guidelines—you can generally expect the process to proceed through the following five steps (particularly if you choose to work with Schellman):
1. Selecting an Assessor and Completing Scoping
When you engage your assessor—whoever that may be—you’ll of course need to have that first conversation so they can learn more about your environment and what you're looking for specifically.
Like all compliance efforts, one of the most crucial preliminary steps to successfully completing a NIST CSF assessment is to scope the assessment appropriately from the start. In our experience, the most effective and efficient approach is a live discussion in which our subject matter expert and your project sponsor talk openly about what the most common scope is for organizations like yours and what a typical assessment looks like.
Timing and scope are the factors that most strongly determine the cost of an engagement, so once that information is gathered, you can compare proposals from assessors and contract with your chosen partner.
2. Introductions and Planning
Around four weeks before the start of the assessment, there should be a kickoff call to:
- Introduce the assessors assigned to the project;
- Review the scope and timing;
- Touch on outstanding action items; and
- Answer any remaining questions.
After that, you’ll need to do the following:
- Start work on your end to provide evidence, where applicable, to satisfy the Subcategories based on the evidence request list provided by your assessor.
- Concurrently, you should let your key stakeholders and relevant teams know the cybersecurity assessment will be happening—this is a collaborative effort and should not be kept secret. As part of the kickoff and planning efforts, your assessor should provide a walkthrough schedule to ensure folks are aware of what topics will be discussed and when.
3. Testing
At this point, the assessment will actually commence. Testing typically lasts four calendar weeks (in our experience), which will be spent completing the review of the Subcategories and supporting evidence.
Your assessor will follow the testing schedule to complete walkthroughs for each Subcategory. During those walkthroughs, they’ll discuss the relevant control processes in depth and will expect to review supporting evidence live rather than rely on descriptions alone.
Should you elect to work with Schellman, we’ll provide a detailed status report every week that contains all control gaps and identified findings, including any small issues or open questions we have. In addition, any high-risk findings will be escalated within one business day of verification.
4. Follow-Up and Reporting
Once testing has finished, any necessary follow-up discussions will be held and your assessors will draft the report. Expect that to take around two weeks after the completion of testing before your assessor shares the draft report for your review.
Once you approve the draft report, your assessor will finalize the deliverable and provide the completed report to you.
At Schellman, we have a “no surprises” policy, so rest assured that all findings listed in our weekly updates will be included in the final report. Our report will also contain additional details on our testing methodology. (If you’re interested in seeing a sample report, contact us.)
We typically provide both an internal and an external report deliverable. The external-facing report is scrubbed of any information you don’t want shared publicly, so that you can share at least a summary of your assessment with any interested party.
5. Cadence Establishment
After completing your first NIST CSF assessment, we recommend having a formal debrief with your assessors to discuss the plan for future assessments.
Because a NIST CSF assessment gauges the maturity of your program against the Subcategories rather than delivering a simple pass or fail, the most common approach we’re seeing so far is for organizations to have a NIST CSF assessment performed at least twice, about 18 to 24 months apart. A second assessment lets you measure your progress, and it demonstrates to your customers more than once that your alignment with the NIST CSF Subcategories is maturing.
Moving Forward with a NIST CSF Assessment
The NIST CSF is a well-known and widely adopted framework. Not only can it help you develop a stronger cybersecurity program in general, it can now also help you satisfy the requirements of the SEC’s new rule regarding the disclosure of cyber risk management strategies and Board-level oversight of your cybersecurity program.
And while undergoing an independent assessment of your efforts to comply with this framework is not (yet) required, should you ever consider the prospect of this valuable third-party validation, now you know what to expect.
However, maybe NIST CSF compliance isn’t the right move for your organization, even if you do need to comply with the new SEC cyber disclosure rule. Other standards can also help with this, and we wrote an article comparing them to the NIST CSF to help you discern which makes the most sense for you.
And if you’re interested in learning more about Schellman and potential partnership with us—whether on a NIST CSF assessment or another initiative—contact us today so that we can schedule a call with our experts.
About JEFF SCHIESS
Jeff Schiess is a Managing Director with Schellman. Jeff is focused on governance, risk and compliance (GRC) assessments, including performing System and Organization Controls (SOC 1 and SOC 2) reporting, Health Insurance Portability and Accountability Act (HIPAA), International Organization for Standardization (ISO) 27001, and NIST CSF assessments. Jeff has worked with Fortune 1000 and publicly traded companies across a wide range of industries, including Software-as-a-Service providers, cybersecurity services, data center hosting providers, financial services, insurance claims processing, and information technology.