Policy Audit | NIST CSF 2.0: Govern, Protect

Policy & Governance Auditor

Policy document review against NIST CSF 2.0 and 800-53 control families

Controls: PM-1, PL-1, PL-2, AT-1 | Framework: NIST 800-53 (all families)

Overview

The Policy & Governance Auditor reviews organizational security policy documents against NIST CSF 2.0 functions and NIST 800-53 control families. It analyzes document quality, identifies missing control coverage, assesses policy maturity, and produces gap analysis reports. The auditor checks for the presence of all 20 NIST 800-53 control families and evaluates policy language quality, review cadence, and approval authority documentation.

Prerequisites

Python 3.8+ standard library
Policy documents in Markdown or plain text format
Access to organizational governance documentation
Understanding of NIST CSF 2.0 and 800-53 frameworks

Capabilities

NIST 800-53 control family coverage analysis (20 families)
NIST CSF 2.0 function mapping (Govern, Identify, Protect, Detect, Respond, Recover)
Policy document quality scoring (language, structure, completeness)
Gap identification with specific missing control families
Review cadence and approval authority verification
Compliance percentage calculation per framework
Markdown report with prioritized recommendations

Usage Guide

1. Gather Policy Documents

Collect all organizational security policy documents in Markdown or text format. Place them in a single directory for batch processing.

```bash
# Organize policies
mkdir -p /audit/policies
cp information_security_policy.md /audit/policies/
cp acceptable_use_policy.md /audit/policies/
cp incident_response_policy.md /audit/policies/
```

2. Run the Policy Audit

Execute the auditor against the policy directory. It will analyze each document and produce a consolidated governance report.

```bash
python3 policy_audit.py \
  --policy-dir /audit/policies \
  --output /reports/policy_audit.md
```

3. Review Gap Analysis

Examine the report for missing NIST control families, weak policy language, and areas requiring immediate attention.

4. Feed Gaps into Risk Assessment

Import significant policy gaps as risks into the consolidated risk register.

```bash
python3 risk_report.py add-risk \
  --project my-audit \
  --title 'Missing 9 NIST Control Families' \
  --source policy-audit \
  --likelihood 3 --impact 5 \
  --control PM-1
```

CLI Commands

Audit all policy documents in the specified directory against NIST frameworks.

```bash
python3 policy_audit.py --policy-dir /policies --output policy_report.md
```

Expected Output

```text
Analyzing 2 policy documents...

Document: information_security_policy.md
  NIST 800-53 Coverage: 11/20 families (55%)
  CSF Functions Addressed: Govern, Identify, Protect
  Quality Score: 72/100

Document: acceptable_use_policy.md
  NIST 800-53 Coverage: 5/20 families (25%)
  CSF Functions Addressed: Govern, Protect
  Quality Score: 65/100

Overall Coverage: 55% | Missing: 9 control families
Report saved to: policy_report.md
```
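The coverage figures above come from the keyword-matching approach described in the Overview. The following is an added, self-contained illustration of that approach (not the auditor's own code): a constructed keyword map for the 20 NIST 800-53 Rev 5 families, a coverage calculation, and the review-cadence, approval-authority and weak-language checks run against a constructed sample policy.

```python
import re

# Keyword hints per NIST 800-53 Rev 5 family (constructed; the real auditor's lists are not on the page).
FAMILY_KEYWORDS = {
    "AC": ["access control", "least privilege"],
    "AT": ["awareness", "training"],
    "AU": ["audit log", "accountability"],
    "CA": ["assessment", "authorization"],
    "CM": ["configuration management", "baseline"],
    "CP": ["contingency", "business continuity"],
    "IA": ["authentication", "multi-factor"],
    "IR": ["incident response", "incident handling"],
    "MA": ["maintenance"],
    "MP": ["media protection", "removable media"],
    "PE": ["physical access", "facility"],
    "PL": ["security plan", "planning"],
    "PM": ["security program", "program plan"],
    "PS": ["personnel screening", "termination"],
    "PT": ["personally identifiable", "privacy"],
    "RA": ["risk assessment", "vulnerability scan"],
    "SA": ["acquisition", "development lifecycle"],
    "SC": ["encryption in transit", "network segmentation"],
    "SI": ["patch", "malware"],
    "SR": ["supply chain"],
}

def family_coverage(text):
    """Return (covered, missing, percent): case-insensitive keyword hits per family."""
    lower = text.lower()
    covered = sorted(f for f, kws in FAMILY_KEYWORDS.items()
                     if any(k in lower for k in kws))
    missing = sorted(set(FAMILY_KEYWORDS) - set(covered))
    return covered, missing, round(100 * len(covered) / len(FAMILY_KEYWORDS))

def governance_metadata(text):
    """Flag review cadence, approval authority and non-binding 'should'/'may' wording."""
    return {
        "review_cadence": bool(re.search(r"reviewed\s+(annually|quarterly)", text, re.I)),
        "approval_authority": bool(re.search(r"approved by[:\s]+\S", text, re.I)),
        "weak_language": len(re.findall(r"\b(should|may)\b", text, re.I)),
    }

# Constructed sample policy, not a real document.
SAMPLE_POLICY = """Information Security Policy v2.1. Approved by: CISO. Reviewed annually.
Access control follows least privilege. Multi-factor authentication is required.
Incident response procedures are in section 6. Systems must be patched monthly;
users should report malware. Configuration management baselines are maintained."""

if __name__ == "__main__":
    print(family_coverage(SAMPLE_POLICY), governance_metadata(SAMPLE_POLICY))
```

The sample covers 5 of 20 families (25%), mirroring the Limitations section: a keyword hit only shows a family is mentioned, not that the control is implemented.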

Sample Outputs

Policy Governance Audit Report

```markdown
# Policy & Governance Audit Report
**Date:** 2026-03-01 | **Framework:** NIST CSF 2.0 / NIST 800-53

## Coverage Summary
| NIST 800-53 Family | Status | Policy Reference |
|--------------------|--------|-----------------|
| AC - Access Control | ✅ Covered | Info Security Policy §4.2 |
| AT - Awareness Training | ✅ Covered | Acceptable Use Policy §3 |
| AU - Audit & Accountability | ❌ Missing | — |
| CA - Assessment | ❌ Missing | — |
| CM - Configuration Mgmt | ✅ Covered | Info Security Policy §5.1 |
| CP - Contingency Planning | ❌ Missing | — |
| IA - Identification & Auth | ✅ Covered | Info Security Policy §4.3 |
| IR - Incident Response | ✅ Covered | Info Security Policy §6 |
| ...

## Missing Control Families (9)
AU, CA, CP, MA, MP, PE, PS, SA, SC
```

NIST Control Mappings

PM-1: Information Security Program Plan (Program Management)
Develop and disseminate an organization-wide information security program plan.

PL-1: Policy and Procedures (Planning)
Develop, document, and disseminate security and privacy planning policy.

PL-2: System Security and Privacy Plans (Planning)
Develop security and privacy plans for organizational systems.

AT-1: Policy and Procedures (Awareness and Training)
Develop, document, and disseminate awareness and training policy.

Best Practices

Audit policies at least annually or after significant organizational changes
Ensure every NIST 800-53 control family has at least one governing policy
Include review dates, approval authorities, and version history in all policies
Use clear, enforceable language — avoid vague terms like 'should' or 'may'
Map each policy section to specific NIST controls for traceability
Involve legal and compliance teams in policy review cycles

Limitations

Analyzes document content via keyword matching — cannot assess implementation effectiveness
Policy quality scoring is heuristic-based and may require human validation
Does not verify that policies are actually enforced or followed
Limited to English-language policy documents