What is a NIST CSF Profile, and what's the difference between Current and Target Profile?
A Profile is the alignment of the CSF Core to a specific organisation's business requirements, risk tolerance, and resources. The Current Profile captures where you are; the Target Profile describes where you want to be — the delta is your roadmap.
* A Profile tailors the Core to your business: the delta between Current and Target Profile is your improvement roadmap. *
Profiles enable:
- Current snapshot — which sub-categories are implemented, partially, or not at all.
- Ideal future state — based on business goals, regulatory requirements, threat landscape.
- Gap analysis & roadmap — what to invest in to close the gap.
- Reporting — easy to communicate to non-security leadership.
Branchen-spezifische Profiles also exist — sector working groups can publish reference profiles. Example:
NIST Interagency Report 8473 — "Cybersecurity Framework Profile for Electric Vehicle Extreme Fast Charging Infrastructure"
These reference profiles let everyone in a sector start from a vetted baseline.
Tip: A great trick: maintain Current + Target Profiles in a spreadsheet, refresh quarterly, and use the year-over-year delta as evidence of progress. Auditors and boards eat that up.
Go deeper:
The NIST CSF 2.0 (CSWP 29) — defines Current vs Target Profiles and using the gap as a roadmap.
NIST Cybersecurity Framework home — hub for Profile templates and sector Community Profiles you can start from.