What Public Sector Leaders May Miss in NIST CSF Assessments

Discover how public sector leaders can transform cybersecurity assessments into clear decisions.

Every year, public sector organizations (state agencies, municipalities, counties, transit authorities, utilities, and special districts) invest time and money into National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) assessments, producing maturity scores and document gaps.

And then, more often than not, nothing meaningful happens. This is not necessarily because the assessment was wrong or the scores were inaccurate, but because the stakeholders accountable for cybersecurity risk—the agency directors, city managers, and elected officials—were never really part of the conversation. They may have received results, but they did not make decisions.

The Framework Changed, Though Many Leaders Don’t Know It

When NIST released CSF 2.0 in February 2024, it made a significant structural change by adding a sixth core function called “Govern.”

This was not a technical addition. It was a deliberate addition aimed at all the stakeholders responsible for cybersecurity risk, i.e., “leadership,” meaning executive, business, financial, and technology leaders collectively—including CIOs, CISOs, and IT leadership. The Govern function addresses organizational context, risk tolerance, roles and authorities, policy, oversight, and supply chain risk management. These are not solely IT responsibilities; they are executive and leadership responsibilities.

The problem, however, is that in most organizations, the NIST CSF assessment is owned entirely by IT. Leadership may see the output, but they do not participate in shaping it. As a result, the Govern function is either scored by the IT team on leadership’s behalf, or it is quietly under-scored because the true answers were never gathered. The result is an assessment that misses some of the most important questions it was designed to ask.

What Leadership Is Missing

The Govern function highlights that an assessment is only as useful as the decisions it triggers. If leadership isn’t engaged early by setting context, agreeing on priorities, and owning risk, then even a well-executed CSF review can become an IT exercise that produces scores but not action. The gaps, listed below, are the patterns that tend to show up when that disconnect is present.

1. Assessments Don’t Begin With a Documented Data Inventory.

Many CSF assessments are performed without a clear, documented understanding of what data the organization actually maintains, where it resides, how it moves, and how it is used. Consequently, sensitive data such as personally identifiable information (PII), financial records, student data, or legal information often exists across systems and vendors without being consistently inventoried, categorized, or tied to specific obligations, creating a visibility gap that impacts an assessment. Controls may be scored, but not always in the context of what they are protecting. Deciding what qualifies as sensitive data, how it is classified, and what requirements apply is more than a technical exercise; it requires leadership input across legal, finance, and operations. In the absence of that alignment, assessments rely on assumptions, and priorities can be misdirected.

2. Critical Systems Are Often Poorly Identified or Disagreed Upon.

NIST CSF assessments score controls across the enterprise, but a Tier 2 score on asset management means something very different for a system processing constituent payroll than for an internal document repository. Since risk is not uniform, consequences are what make a gap worth addressing.

In many NIST CSF assessments, there isn’t a step that asks: do IT and leadership agree on which systems the organization cannot afford to lose? That question sits at the heart of the Identify function, and when it goes unasked, the assessment produces a technically accurate score against a set of controls that may reflect neither the organization’s actual operational priorities nor the actual control effectiveness of each system.

3. Third-Party and Supply Chain Risk Is Often Under-Scored.

CSF 2.0 elevated supply chain risk management to a dedicated category within the Govern function (GV.SC) with 10 subcategories covering everything from supplier prioritization to post-contract security obligations. This was a response to the reality that a growing share of cybersecurity incidents originate from vendors and technology partners that sit outside an organization’s network.

Public sector organizations are exposed here as much as any industry sector, if not more so. Many rely heavily on shared IT environments, third-party software platforms, and outsourced service delivery. And yet supply chain risk can sometimes be one of the lowest-scored areas in public sector assessments.

The organization’s biggest risk may not be inside its firewall, and many assessments do not surface that as a possibility.

4. Incidents, Exercises, and Near Misses Don’t Change Priorities.

Public sector organizations investigate incidents, run tabletop exercises, and occasionally experience near misses that should serve as clear signals about where risk is real. After-action reports get written, lessons learned are captured, and the organization can usually articulate what went wrong or what would have gone wrong. But when the CSF assessment cycle comes around, those real-world signals often don’t materially change the Target Profile, the remediation road map, or the order in which initiatives get funded.

Leaders can require that each incident, exercise, or credible near miss trigger a short, executive-level decision log that records: what changed in priority, what funding or resourcing is required, what is being deferred (and why), and how success will be validated, e.g., a retest, a follow-up exercise, or evidence of capability.

5. Documentation Is Not the Same as Tested Capability.

An incident response plan exists, but has anyone run a tabletop exercise? A disaster recovery procedure is documented, yet has it ever been executed under actual pressure? For many organizations, CSF maturity scoring accepts documentation as evidence of capability.

Leaders should not assume that documentation is equivalent to readiness. A practiced plan and a documented plan are not the same, and the difference will likely matter most at exactly the moment when there is no time to figure it out.

How Organizations Can Efficiently & Carefully Address These Items

An organization should expect an assessment to deliver full CSF coverage (all six functions, all categories), but in a model designed around efficiency and leadership engagement rather than documentation volume. That model consists of the following steps:

Kickoff. A session with both IT leadership and an executive sponsor to define scope, confirm the organization’s most operationally critical systems, and frame the engagement around decisions.

Questionnaire. An instrument that covers CSF self-attestation across all functions, targeted evidence pointers to validate attestations, and a leadership and risk layer that asks the questions traditional assessments never get to: Who owns this risk? Has this been tested? Do leadership and IT agree on what matters most?

The questionnaire goes to both IT and leadership. The gaps between their answers are often the most diagnostic output of the engagement.

Analysis. A review of where attestations are inconsistent, where confidence outpaces evidence, and where the Current Profile diverges meaningfully from what a reasonable Target Profile should look like. The output is a set of observations and identified places where the organization is operating on assumptions its own evidence does not support.

Closeout Session. A conversation that brings IT and leadership into the same room to review themes, examine misalignment, and make decisions. This is where the Govern function shines: Who is accountable? What is the risk tolerance? What decisions have been deferred, and why?

The deliverable is a maturity scorecard suitable for audit and oversight reporting, along with a leadership summary focused on what the scores mean, where alignment breaks down, and what decisions need to be made.

Preparing for What’s Next

For organizations that complete the NIST CSF Assessment, the next step is clear: a target profile has been defined, decision tensions have been named, and leadership is now aligned on where the gaps actually matter. That creates a direct and logical path to do deeper work in the form of remediation planning, program build-out, control implementation, or a full CSF assessment cycle.

The NIST CSF Assessment doesn’t replace that work, but it can make it smarter and more targeted. Organizations that skip straight to deep remediation without this kind of leadership alignment frequently find themselves revisiting the same priorities two budget cycles later, wondering why nothing stuck.

Conclusion

NIST CSF 2.0 made explicit something that practitioners have known for years: cybersecurity is a leadership responsibility, not just a technical one. The Govern function is not an IT problem. Rather, risk tolerance, oversight, and accountability belong to the people who run the organization, and an assessment that doesn’t actively engage those people is producing scores without producing decisions.

A NIST CSF Assessment can close the gap if done correctly and produce a leadership conversation that turns maturity scores into action items.

For more information on IT risk and compliance topics, or to learn how our team can help, reach out to a professional at Forvis Mazars.
