Governance Assessment Framework for Startups and SMEs
CSFLite is a governance assessment framework built on 25 curated NIST CSF 2.0 subcategories. It answers a single question: Do these security controls exist at all?
This is not a compliance tool. CSFLite measures coverage existence before maturity, giving resource-constrained organizations a structured baseline without enterprise overhead. Crosswalk reference documents for SOC 2, HIPAA, and SP 800-53 are provided for structured starting points for external assessment readiness. Scanning and other control enforcements are handled by external projects.
See the Assessment Philosophy for the full design rationale.
☕ Support CSFLite: If this project helps you in any way consider buying me a coffee.
- Governance assessment pipeline — Complete end-to-end workflow for manual governance baseline assessment
- Weighted scoring and heatmaps — Gap analysis with severity ratings across all CSF Functions
- Top 25 subcategory framework — Curated, validated against NIST CSWP 29
- Remediation guidance — Actionable follow-up steps for every governance gap
- Governance questionnaire template — Ready-to-use CSV covering all 25 subcategories with evidence requirements
- SOC 2 readiness assessment — CSFLite-to-Trust Services Criteria crosswalk (CC1–CC9, A1, C1), supplement questionnaire for gap domains, gap analysis template, and executive summary template
- HIPAA readiness assessment — CSFLite-to-HIPAA Security Rule crosswalk (§164.308, §164.310, §164.312) and Breach Notification Rule, 9-question supplement questionnaire for gap domains, gap analysis template, and executive summary template; scoped for Business Associates serving US healthcare Covered Entities
- SP 800-53 framework reference — CSFLite-to-SP 800-53 Rev 5 crosswalk mapping all 25 CSFLite subcategories to SP 800-53 Rev 5 controls with assessment methods sourced from SP 800-53A Rev 5
⚠️ Scanner integration is being extracted from CSFLite core. Scan tooling will move to separate adapter projects. CSFLite is becoming a pure governance assessment framework. Scanner code is preserved in the separate branch.
- Nuclei scan tooling — CLI wrapper, profile-based scan configuration, and raw output conversion are implemented but not yet validated end-to-end against live targets
- Scan-to-CSF mapping — CSV-based template lookups exist (
⚠️ deprecated; YAML tag-based system in development on feature branch) - Combined assessment — Tool to merge scan findings with governance results is built but awaiting integration testing
- Curated CSFLite Top 25 subcategories list
- Mapping of Nuclei templates → CSF subcategories (CSV format, YAML migration pending)
- Lookup tables for automation (CSV/JSON)
- Governance assessment tool (
governance_check.py) — Processes questionnaire responses into scored assessments and heatmaps - Nuclei scan tool (
nuclei_scan_tool.py) — Profile-based scan configuration and execution (preview) - Nuclei converter (
nuclei_convert_tool.py) — Maps raw scan output to CSF subcategories (preview) - Combined assessment (
assess.py) — Merges scan and governance data into unified report (preview)
- Governance checklist template — Pre-built CSV questionnaire for all 25 subcategories
- Remediation guidance — Step-by-step actions for each governance gap
- Scan profiles — Pre-configured Nuclei scan profiles (baseline_web, baseline_network, baseline_cloud, comprehensive)
- SOC 2 crosswalk — Full mapping of Trust Services Criteria (CC1–CC9, A1, C1) to NIST CSF 2.0 subcategories with coverage ratings
- SOC 2 supplement questionnaire — 28-question CSV covering five gap domains not addressed by the CSFLite 25 (change management, physical access, security awareness, business continuity, data disposal)
- SOC 2 gap analysis template — Client-facing markdown template organized by SOC 2 category, pre-populated from the crosswalk
- SOC 2 executive summary template — One-page client-facing summary with coverage score, criteria breakdown, and top remediation items
- HIPAA crosswalk — Full mapping of HIPAA Security Rule (§164.308, §164.310, §164.312) and Breach Notification Rule to NIST CSF 2.0 subcategories with Required/Addressable designations and coverage ratings
- HIPAA supplement questionnaire — 9-question CSV covering gap domains not addressed by the CSFLite 25 (physical safeguards, device disposal, security training, BAA existence, breach notification, contingency planning, workforce security, minimum necessary)
- HIPAA gap analysis template — Client-facing markdown template organized by HIPAA safeguard category, scoped for Business Associates
- HIPAA executive summary template — One-page BA-framed readiness summary
This toolkit is for SMEs, startups, freelance consultants, and security-oriented DevOps teams who want structured risk insight without enterprise overhead.
Who this is for:
- Startups preparing for SOC 2, HIPAA, or customer security questionnaires
- Solo security practitioners or consultants serving multiple small clients
- DevOps teams implementing security controls without dedicated security staff
- Organizations that need evidence-based security assessments, not compliance theater
Who this is NOT for:
- Enterprises with dedicated GRC teams (you need enterprise tools)
- Organizations seeking compliance certification (this measures coverage, not maturity)
- Teams wanting automated risk quantification (we do existence checks, not risk scores)
Ready to run your first CSF assessment?
The Getting Started guide walks you through:
- Installing dependencies (Python 3.12+, Poetry)
- Running a governance baseline assessment
- Interpreting your scored results and heatmap
See docs/development_roadmap.md for phased deliverables and progress tracking.
Current phase: Integration & Pilot Testing (Phase 5)
Next milestones:
- End-to-end validation of scan pipeline against live targets
- YAML-based tag mapping system (feature branch)
- Integration test coverage for full assessment workflow
Released under the MIT License.
Contributions are welcome. Please read CONTRIBUTING.md before submitting a pull request.
High-value contributions right now:
- Bug fixes in the scan pipeline
- Integration test coverage for governance → scan → combined assessment
- Scan profiles for specific environments (SaaS, healthcare, fintech)
Currently frozen:
- Nuclei template mappings (YAML migration in progress on feature branch)
This project uses Claude Code for spec-driven development. See CLAUDE.md for context and conventions, and claude-project/ for spec templates and artifacts.
Requires discussion first:
- Subcategory changes
- Scoring methodology changes
All contributions must align with the Assessment Philosophy.
CSFLite is built on three core principles:
- Coverage before depth — Determine if controls exist before measuring their effectiveness
- Governance as infrastructure — Policy becomes code, not documents
- Lean by default — Eliminate waste, prioritize secure defaults, design for scalability
This is not a maturity assessment framework. We measure existence, not excellence.
- Assessment Philosophy — Design rationale and methodology
- Getting Started — Installation and first assessment
- Development Roadmap — Progress tracking and future work
- Contributing Guide — How to contribute effectively
- Top 25 Subcategories — Selection criteria and definitions
- Automatable Subcategories — Automation classification
- Manual Remediation Guide — Step-by-step remediation for governance gaps
- Nuclei-to-CSF Mapping — Template mapping rationale
- claude-project/ — Seed documents, spec templates, and ADRs for Claude Code workflows
- CSFLite-to-SOC 2 Crosswalk — Full TSC mapping with coverage ratings (full / partial / gap)
- SOC 2 Gap Analysis Template — Client-facing findings template organized by Security, Availability, Confidentiality
- SOC 2 Executive Summary Template — One-page client-facing readiness summary
- SOC 2 Supplement Questionnaire — Standalone CSV covering gap domains outside the CSFLite 25
- ADR-0001: Full CSF Crosswalk Decision — Architectural decision record
- CSFLite-to-HIPAA Crosswalk — Full Security Rule and Breach Notification Rule mapping with Required/Addressable designations and coverage ratings (full / partial / gap)
- HIPAA Gap Analysis Template — Client-facing findings template organized by Administrative, Physical, Technical Safeguards, and Breach Notification; scoped for Business Associates
- HIPAA Executive Summary Template — One-page BA-framed readiness summary
- HIPAA Supplement Questionnaire — 9-question standalone CSV covering gap domains outside the CSFLite 25
- CSFLite-to-SP 800-53 Crosswalk — Maps all 25 CSFLite subcategories to SP 800-53 Rev 5 controls with assessment methods from SP 800-53A Rev 5
- Language: Python 3.12+
- Dependency Management: Poetry
- Testing: pytest
- Code Quality: Black (formatting), Ruff (linting), Bandit (security)
- Scanning: Nuclei (vulnerability detection)
- Data: CSV/JSON (current), YAML (future)
- Claude Code: Latest — AI-assisted spec execution
- Scan pipeline has not been validated against live targets (see Phase 5 in roadmap)
- Nuclei mapping uses deprecated CSV approach (YAML migration on feature branch)
- No maturity scoring or risk quantification (by design)
- Limited to 25 subcategories (intentional scope constraint)
- Designed for startups/SMEs, not enterprises
- Issues: Report bugs or request features via GitHub Issues
- Discussions: Not yet enabled (project too early)
- Security: Email maintainer directly for vulnerability reports (see GitHub profile)
- Donations: Help sustain development → Buy Me a Coffee
CSFLite is successful if it helps organizations:
- Identify security gaps with minimal effort
- Prioritize remediation based on weighted risk
- Generate evidence for compliance needs without compliance-driven work
- Scale security practices as the organization grows
If you're spending more time on the framework than on fixing security gaps, we've failed.
Built with the philosophy that security is governance under adversarial conditions.