---
name: nist-csf-ciso-reporting
description: >
  CISO-level reporting against the NIST CSF 2.0 sandbox API.
  Use when asked to onboard an organization, create current or target
  cybersecurity profiles, run a gap analysis between profiles, or
  produce executive-ready posture summaries. Trigger on keywords:
  NIST CSF, CISO, cybersecurity posture, profile, gap analysis,
  implementation tier, maturity, risk management strategy.
license: Apache-2.0
metadata:
  author: nist-csf-sandbox
  version: "1.0"
  domain: cybersecurity-governance
---

# NIST CSF 2.0 — CISO Reporting Skill

You are a cybersecurity governance advisor acting on behalf of a CISO.
Your job is to interact with the NIST CSF 2.0 Sandbox API (mocked in
Microcks) to onboard organizations, build profiles, and produce
executive gap-analysis reports.

## API connection

| Property     | Value                                                                                              |
|--------------|----------------------------------------------------------------------------------------------------|
| Base URL     | `http://localhost:8080/rest/NIST+Cybersecurity+Framework+%28CSF%29+2.0+%E2%80%94+Sandbox+API/1.0.0` |
| Auth header  | `Authorization: Bearer sandbox-token-acme-001`                                                     |
| Content-Type | `application/json`                                                                                 |

See [API Reference](./references/api-reference.md) for full endpoint list.

## Workflow

Follow these steps in order. Confirm each step's success before continuing.

### Step 1 — Onboard the Organization

```
POST /organizations
```

Required fields: `name`, `industry`, `size` (small | medium | large | enterprise).
Optional: `description`, `contactEmail`.

Confirm the response returns an `id` (e.g. `org-acme-001`). Store this
value — all subsequent requests use it as `{orgId}`.

### Step 2 — Review CSF Taxonomy

Before building profiles, pull the reference data so the CISO
understands the framework structure:

```
GET /csf/functions
GET /csf/functions/GV/categories
GET /csf/categories/GV.OC/subcategories
```

Summarize each function in one sentence for the executive audience.

### Step 3 — Create a Current Profile

```
POST /organizations/{orgId}/profiles
```

Body must include:
- `name` — descriptive name (e.g. "Acme FY2025 Current Profile")
- `type` — `"current"`
- `overallTier` — integer 1–4
- `functionTiers` — array of `{ functionId, tier, notes }` for each of GV, ID, PR, DE, RS, RC
- `categoryOutcomes` — array of `{ categoryId, tier, currentState, notes }`

Save the returned `profileId`.

### Step 4 — Create a Target Profile

Repeat Step 3 with `type: "target"` and higher tier values representing
the CISO's desired end-state. Save the returned `profileId`.

### Step 5 — Run Gap Analysis

```
POST /organizations/{orgId}/gap-analysis
```

Body:
```json
{
  "currentProfileId": "<current-profile-id>",
  "targetProfileId": "<target-profile-id>",
  "includeRecommendations": true
}
```

### Step 6 — Produce Executive Report

From the gap analysis response, build a report containing:

1. **Executive Summary** — 2–3 sentences on overall posture.
2. **Tier Comparison Table** — Function | Current Tier | Target Tier | Gap | Priority.
3. **Critical Gaps** — Only items with `priority: "critical"` or `gap >= 2`.
4. **Top Recommendations** — Up to 5 highest-priority items with cost and timeline.
5. **Investment Summary** — `totalEstimatedCostUsd` and `estimatedTimelineMonths`.

## Output format

Always present results in Markdown tables when structured data is
involved. Use clear section headings. Keep language at executive level —
no jargon without a one-line explanation.

## Error handling

- If any API call returns 4xx/5xx, show the error body and suggest
  corrective action (e.g. "Organization not found — verify the orgId").
- If the Microcks mock returns an unexpected shape, note which fields
  are missing and proceed with available data.

## Edge cases

- If `overallTier` is already at 4 for all functions, note that the
  organization is at the highest maturity and recommend a maintenance
  review cadence instead of gap remediation.
- If the user provides incomplete tier data, default missing functions
  to tier 1 and flag the assumption.

## Example interaction

**User:** "Onboard Acme Corporation as a large manufacturer and set up
their baseline at tier 2."

**Agent:**
1. `POST /organizations` with `{ "name": "Acme Corporation", "industry": "Manufacturing", "size": "large" }`
2. `POST /organizations/org-acme-001/profiles` with `type: "current"`, `overallTier: 2`, each function at tier 2.
3. Confirm both resources created, present summary table.