Free NIST CSF Tool + Why Your GitHub Profile Matters

Open Source App and Excel Template

Hey there,

Want to stand out in GRC job applications? Here's a free tool that builds your portfolio AND improves your skills.

If you already have a GitHub repo for your GRC portfolio you’ll have no problem getting set up. And if you don’t, I’ve got this walkthrough with Dr. Gerald Auger talking about the benefits of the tool and another one with a step-by-step installation. 🛠️

In a hurry? Here are the key points from the video: ⚡

  • The CSF Profile Assessment Database gives you a more dynamic way to assess your organization's security posture against the NIST Cybersecurity Framework than the stock spreadsheets from NIST.gov.

  • It lets you score each of the 106 subcategories of the CSF based on testing of (up to 363) specific implementation examples. Everything is organized into a simple, usable database structure.

  • It uses a more granular 0-10 scoring scale than the 4 tiers in CSF or the 5 levels in the Capability Maturity Model, with a novel concept of acknowledging too much security past 8. ⚖️

  • You can link evidence artifacts directly to controls, making your assessments robust and defensible. In the demo, I show linking a sample SOC ticket as evidence.

  • All the data can be exported to CSV for offline analysis and record-keeping. You can slice, dice, filter and chart it in Excel, which has bar and radar charts ready to go, then re-import it to the database. This makes it easy to present results to different audiences. 📊

  • Most importantly, it makes the whole assessment process systematic and repeatable. By capturing the details in a structured database, you create a reusable template you can apply to any organization.

  • Include your copy of this project in the GitHub repo field of your next GRC job application.
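To make the scoring and evidence model concrete, here is a small Python sketch of the kind of record the bullets above describe: a subcategory scored 0-10, evidence artifacts linked to it, a flag for over-investment above 8, per-function averages, and a CSV export/re-import round trip. This is an added illustration written for this post, not the CSF Profile Assessment Database's own schema or code; the band labels below 8, the `;`-separated evidence column and the sample rows (CSF 2.0-style identifiers with made-up SOC ticket numbers) are all constructed for the example.

```python
"""Toy CSF profile assessment records (illustration, not the project's schema)."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field
from statistics import mean

# The post describes flagging "too much security" past 8 on the 0-10 scale.
OVER_INVESTED_ABOVE = 8


@dataclass
class Assessment:
    """One scored CSF subcategory with the evidence artifacts linked to it."""
    subcategory: str                                   # e.g. "PR.AA-01"
    score: int                                         # 0-10
    evidence: list[str] = field(default_factory=list)  # ticket ids, doc names

    def __post_init__(self) -> None:
        if not 0 <= self.score <= 10:
            raise ValueError(f"score must be 0-10, got {self.score}")

    @property
    def function(self) -> str:
        # The prefix before the dot names the CSF function (GV, ID, PR, DE, RS, RC).
        return self.subcategory.split(".", 1)[0]


def finding(a: Assessment) -> str:
    """Classify a score. Only the >8 band comes from the post; the rest are assumptions."""
    if a.score > OVER_INVESTED_ABOVE:
        return "over-invested"
    if a.score > 0 and not a.evidence:
        return "unsupported"   # a positive score with nothing linked is not defensible
    if a.score >= 5:
        return "adequate"
    return "gap"


def function_means(assessments: list[Assessment]) -> dict[str, float]:
    """Average score per CSF function, the shape a radar chart would plot."""
    by_fn: dict[str, list[int]] = {}
    for a in assessments:
        by_fn.setdefault(a.function, []).append(a.score)
    return {fn: round(mean(scores), 2) for fn, scores in sorted(by_fn.items())}


def to_csv(assessments: list[Assessment]) -> str:
    """Export for offline analysis; evidence ids are joined with ';' (assumption)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["subcategory", "score", "evidence", "finding"])
    for a in assessments:
        writer.writerow([a.subcategory, a.score, ";".join(a.evidence), finding(a)])
    return buf.getvalue()


def from_csv(text: str) -> list[Assessment]:
    """Re-import an exported CSV; the derived 'finding' column is recomputed, not trusted."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        Assessment(r["subcategory"], int(r["score"]),
                   [e for e in r["evidence"].split(";") if e])
        for r in rows
    ]


# Constructed sample data (not from the project); ticket ids are invented.
SAMPLE = [
    Assessment("ID.AM-01", 6, ["SOC-4412"]),
    Assessment("PR.AA-01", 9, ["IAM-review-Q1.pdf"]),
    Assessment("PR.AA-03", 7, []),
    Assessment("DE.CM-01", 3, ["SOC-4418"]),
]

if __name__ == "__main__":
    print(to_csv(SAMPLE))
    print(function_means(SAMPLE))
```

Running it prints the CSV with one row per subcategory and the per-function means; note that PR.AA-03 is marked "unsupported" even though its score is decent, which is exactly the kind of row an executive reviewer will ask you to back up.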

Now, this is a point-in-time assessment tool, not a full-blown GRC platform for continuous monitoring. We'll talk more about Information System Continuous Monitoring (ISCM) and GRC Engineering in future posts. But in these uncertain times, there is massive value in getting back to basics, having solid, evidence-based assessments, and presenting your analysis in clear, compelling terms. Walking executives and managers through your findings, with the detail to back it up, is how you become a baller GRC analyst.

Call to action: watch the demo video, then go download the CSF Assessment Database from GitHub and try it yourself. Pick a pilot set of controls to assess, gather the evidence, make your findings, and present the results. Get hands-on and make this tool your own. Kick the tires, find what works for you, and open issues for any improvements you'd like to see - let's evolve this as an open source community resource.

To paraphrase Gerry, “Your future self will thank you.”

Good luck getting after it!

Steve

P.S. Check out the reviews and join 1,700+ students in my recently launched free course here: How to Break into GRC | Mindset | Methods | Skills