| Scope and covered activity | Current: define the current business unit, mission/business process, information system, or supplier context and record which CSF outcomes are actually being achieved there today. | Target Profile Template: define the future CSF outcome set for the same or a broader context, and note where the desired posture changes because of new requirements, technology, or threat intelligence. | Use separate scope statements for the baseline and the desired state so the Target Profile does not simply repeat Current wording. |
|---|
| Who must act | Current: identify the teams, roles, and owners already responsible for each CSF outcome, including where governance, operations, and suppliers are already assigned. | Target Profile Template: name the future accountable owners for each selected outcome and note any new governance or supplier responsibilities needed to close the gap. | Keep owners explicit on both sides so the comparison shows who is already accountable and who must be added or changed in the target state. |
|---|
| Trigger or threshold | Current: state the condition that makes the present CSF posture relevant, such as a new profile review, a control gap, a supplier change, or a change in mission, threat, or technology. | Target Profile Template is triggered by a planned change in desired CSF outcomes, such as a new requirement, new technology adoption, or a threat trend that changes the target posture. | Use CSF-specific triggers so the comparison is rerun when the current posture or desired posture changes, not when a generic compliance event occurs. |
|---|
| Core obligations | A Current Profile documents which CSF outcomes the organization achieves today, at what implementation tier, and with what supporting evidence for each outcome. It serves as the authoritative baseline for measuring improvement over time and as the primary input to gap analysis, risk prioritization, and resource allocation discussions. | A Target Profile documents which CSF outcomes the organization intends to achieve, at which tier, and by what target date for each improvement initiative. It defines the acceptance criteria that must be met before an improvement is considered complete, and it drives the prioritized action plan that bridges the gap between the current and desired security state. | Turn the comparison into an action list with separate duties, shared controls, and unresolved gaps, then cite the source that supports each reused artifact. |
|---|
| Evidence and records | Current: keep the records that show what is operating now, including policies, tests, logs, reviews, and other evidence that demonstrates the current CSF posture. | Target Profile Template: keep the records that show what must change, including target outcomes, planned controls, open gaps, and decision criteria for the desired CSF posture. | Separate proof of present-state operation from proof of planned future-state completion, even when some artifacts are reused. |
|---|
| Timing and cadence | Current: capture the review cycle that keeps the baseline current, including the cadence for revisiting the profile after changes in mission, threats, suppliers, or technology. | Target Profile Template: capture the implementation timeline and re-review cadence for the desired state, including when target outcomes are expected to be reached. | Use separate clocks for the baseline review and the target-state delivery plan so the comparison shows both current cadence and future deadlines. |
|---|
| Enforcement or assurance route | Current: identify the assurance path already used to validate the current CSF posture, such as internal review, audit, supplier assurance, or executive oversight. | Target Profile Template: identify the assurance path that will validate the future CSF posture, such as a new audit, a supplier requirement, or a governance review tied to the target state. | Keep assurance routes separate when the future state needs different proof or different governance than the current state. |
|---|
| Overlap and reuse | Current: reuse controls only where the source-linked duty, evidence standard, owner, and timing align with the comparator; otherwise keep a bridge note. | Target Profile Template can reuse evidence from the other side only when the same CSF outcome, same boundary, and same review expectation apply to both the baseline and the target state. | Reuse evidence carefully: overlap can reduce duplicated work, but it does not merge scope, actors, timing, or the difference between achieved and desired outcomes. |
|---|
| Practical decision rule | Current: use this column when the question is what the organization is already doing today and what gaps remain against the CSF Core outcomes. | Target Profile Template: use this column when the question is what CSF outcomes the organization has selected, prioritized, and plans to achieve next. | Choose the side that answers the present decision: baseline posture, desired posture, or the gap between them. |
|---|