"Lather, rinse, repeat. Working through the cybersecurity framework outcomes, talking to people is how you become a baller GRC analyst!"
You read about the CSF Profile Assessment Database getting listed on NIST.gov. You thought, "That's cool, I should contribute." Then you looked at the GitHub page and froze.
If the gap between "I want to contribute" and "I know how to contribute" feels like a canyon, this post is your bridge. No coding experience required. No special tools. Just a willingness to learn and a few hours of focused effort.
Your First Contribution Option 1: Documents, Procedures or Audit Artifact Examples - Not Code
The community doesn't just need developers writing apps. It needs GRC practitioners documenting controls, writing test procedures, and creating implementation guides.
The most valuable contributions right now are case study content - the kind of work GRC analysts do every day: test procedures, sample artifacts, control documentation, and implementation examples.
Let me walk you through exactly how to make your first contribution.
Step 1: Create a GitHub Account If You Don’t Already Have One
Create a free account at github.com
Navigate to the repository - github.com/CPAtoCybersecurity/csf_profile
Step 2: Pick a "Good First Issue"
Go to the GitHub Issues page and look for issues labeled "good first issue". These are specifically designed for newcomers. Here's one to start with:
Issue #43: DE.AE - Adverse Event Analysis
This means: document how an organization would test whether they're effectively detecting, analyzing, and responding to suspicious events and potential security incidents.
Other good first issues include:
Issue #44: DE.CM - Continuous Monitoring
Issue #45: RS.AN - Incident Analysis
Step 3: Understand What You're Contributing
For Issue #43 (DE.AE), you're helping document how to assess an organization's adverse event analysis capabilities. The issue includes rich context from our fictional case study company,
Real metrics: TTD (Time to Detect) improved from 81 hours to 7 hours
Real tools: CloudTrail, VPC Flow Logs, DNS query logging, Amazon GuardDuty
Real gaps: No 24/7 monitoring, inconsistent log retention (7-30 days)
Think of your contribution as the checklist a GRC analyst would use during an assessment of the DETECT function. You're answering three questions:
What should be tested? - Are monitoring tools configured correctly? Are detection rules effective? Is log collection centralized?
How would you test it? - Review SIEM dashboards, assess correlation rules, measure TTD metrics, verify alert triage procedures
What artifacts prove it? - GuardDuty configurations, SIEM screenshots, TTD trend reports, sample incident analysis records
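As an added example (not part of the original post or the csf_profile project), here is a small Python script that turns sample SOC ticket timestamps into the kind of TTD artifact the third question asks for: it splits detections by an assumed 9-to-5 weekday staffing window so a 24/7 coverage gap shows up in the numbers, and it flags log sources whose retention falls below an assumed 90-day requirement. The ticket records, the staffing window and the retention figures are all constructed.

```python
from datetime import datetime
from statistics import median

TS_FMT = "%Y-%m-%dT%H:%M"

# Constructed sample SOC records (not real case-study data): when the adverse
# event occurred versus when the SOC detected it. Ticket ids are placeholders.
SAMPLE_TICKETS = [
    {"id": "SOC-1001", "occurred": "2026-01-12T10:15", "detected": "2026-01-12T14:40"},
    {"id": "SOC-1002", "occurred": "2026-01-17T22:05", "detected": "2026-01-19T09:10"},  # Saturday night
    {"id": "SOC-1003", "occurred": "2026-02-03T09:30", "detected": "2026-02-03T12:00"},
    {"id": "SOC-1004", "occurred": "2026-02-20T19:45", "detected": "2026-02-23T08:30"},  # Friday evening
    {"id": "SOC-1005", "occurred": "2026-03-05T11:00", "detected": "2026-03-05T15:30"},
]

BASELINE_TTD_HOURS = 81    # case-study baseline
TARGET_TTD_HOURS = 7       # case-study improved figure, used here as the target
BUSINESS_HOURS = (9, 17)   # assumed SOC staffing window, Monday to Friday

# Constructed retention figures illustrating the "7-30 days" inconsistency.
LOG_RETENTION_DAYS = {"CloudTrail": 30, "VPC Flow Logs": 7, "DNS query logs": 14, "GuardDuty": 90}


def hours_to_detect(ticket):
    """Time to Detect for one ticket, in hours."""
    occurred = datetime.strptime(ticket["occurred"], TS_FMT)
    detected = datetime.strptime(ticket["detected"], TS_FMT)
    return (detected - occurred).total_seconds() / 3600


def in_business_hours(ts):
    """True if the timestamp falls inside the assumed weekday staffing window."""
    t = datetime.strptime(ts, TS_FMT)
    return t.weekday() < 5 and BUSINESS_HOURS[0] <= t.hour < BUSINESS_HOURS[1]


def ttd_report(tickets, target_hours=TARGET_TTD_HOURS):
    """Median TTD per coverage window, plus whether each window meets the target."""
    windows = {"business_hours": [], "off_hours": []}
    for t in tickets:
        key = "business_hours" if in_business_hours(t["occurred"]) else "off_hours"
        windows[key].append(hours_to_detect(t))
    report = {}
    for window, values in windows.items():
        med = median(values) if values else None
        report[window] = {"count": len(values), "median_ttd_hours": med,
                          "meets_target": med is not None and med <= target_hours}
    return report


def retention_findings(retention, required_days=90):
    """Log sources whose retention is shorter than the assumed requirement."""
    return sorted(src for src, days in retention.items() if days < required_days)
```

With the sample data the business-hours median comes in under the 7-hour target while the off-hours median does not, which is exactly the finding the "24/7 coverage" question at the end of the example comment is asking about.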
Step 4: Comment on the Issue
Start by commenting on the issue with your ideas.
Example comment
I'd like to contribute test steps for DE.AE-02 (Analyze Potentially Adverse Events). Here's what I'm thinking:
Test Procedure:
Review SIEM/log analysis tool configuration for event correlation rules
Verify CloudTrail and VPC Flow Logs are feeding into centralized analysis
Sample 3-5 GuardDuty alerts and trace the analysis workflow
Compare TTD metrics against baseline (Alma's improved from 81 to 7 hours)
Sample Artifacts:
GuardDuty finding configuration screenshots
SIEM correlation rule documentation
TTD metrics dashboard (Q1/Q2 2026 comparison)
Sample analysis from SOC ticket 1004
I noticed the issue mentions gaps in 24/7 coverage — should I document that as a finding?
Step 5: Iterate Based on Feedback
I’ll respond. I might ask for clarification, suggest additions, or say "looks great, let's add it."
This back-and-forth is how open source works. You're not expected to get it perfect on the first try.
Once we've agreed on your approach, it's time to formally submit your work. Here's how to create a Pull Request from your browser, a good starting point before graduating to the terminal.
Step 6: Your Contribution Gets Checked in and You Are Recognized as a Contributor
6.1: Fork the Repository
Click the "Fork" button (top right corner)
Click "Create fork" (keep the defaults)
You now have your own copy at github.com/YOUR-USERNAME/csf_profile
6.2: Create Your File(s)
In your fork, click "Add file" → "Create new file"
For the filename, type the full path based on what you're contributing:
Test Procedures → Test_Procedures/DE-AE-02-Adverse-Event-Analysis.md
Observations → Sample_Observations/DE-AE-02-Q1-Observation.md
Artifacts → Sample_Artifacts/SOC-Ticket-1005.md
Each folder has a README with templates and naming conventions.
Paste your content into the editor, scroll down to "Commit changes", add a message like "Add DE.AE-02 test procedures", and click "Commit changes".
6.3: Submit the Pull Request
After committing, you'll see a banner: "This branch is 1 commit ahead"
Click "Contribute" → "Open pull request"
Add a clear title: Add DE.AE-02 Adverse Event Analysis Assessment Materials
In the description, type Closes #43 — this automatically links your PR to the issue
Click "Create pull request"
6.4: You're Done! 🙌
I'll review your submission, maybe ask a clarifying question or two, and merge it. Once merged:
Your GitHub username appears on the contributors list
Your work becomes part of a NIST-listed community resource
Your First Contribution Option 2: Add Features or Squash Bugs
If you do have coding chops or security testing experience, there's plenty of work:
Current Focus Areas:
Atlassian Integration - Connecting the tool to Jira and Confluence for teams already using those platforms
AI Chatbot Feature - Running local LLMs (Ollama) with Ethan Troy's NIST training dataset - 523,000 training examples from 568 NIST publications
Security Hardening - Issues #71-76 address credential handling and input validation
Desktop Application - Issue #70 tracks migrating to Tauri for enterprise deployment
Check the full issues list and comment on anything that matches your skills.
What Happens After You Contribute
When your contribution gets merged (added to the project), your GitHub username goes on the contributors list. That's the link you put on your resume.
But more importantly, you've now:
Worked through a real CSF subcategory
Thought about what "good" looks like for that control
Documented your reasoning in a way others can follow
That's the work. That's what hiring managers want to see.
Pro Tips for Standing Out
👉 Pro Tip: Don't just contribute content - ask thoughtful questions. "Should the TTD test procedure account for business hours vs. 24/7 coverage gaps?" shows you're thinking critically about Alma's real constraints.
👉 Pro Tip: Reference NIST guidance in your contributions. Link to specific CSF 2.0 subcategories (DE.AE-01 through DE.AE-07). It shows you did the research.
👉 Pro Tip: Volunteer for multiple issues in the same function. Becoming the go-to person for "DETECT" controls (DE.AE, DE.CM) is more valuable than scattered one-offs across different functions.
Get Started Today
Here's your action plan:
Read the first blog to understand the tool: A Practitioner's Tool for Implementing CSF
Create a GitHub account (if you don't have one)
Pick an issue like #43 - DE.AE Adverse Event Analysis
Comment with your ideas - Test steps for monitoring tools, detection artifacts, TTD metrics
Join the Simply Cyber Discord GRC Courses Channel to connect with other contributors
Don't overthink it. Don't wait until you feel "ready." The best way to learn GRC is by doing GRC.
Please don't be shy in asking questions on the GitHub project issues, in Discord or by sending me an email. I'll see you in those places or others that make up the Simply Cyber community.
Appendix: Installing the App
Follow the steps in the README and watch the pointy clicky installation video. Don’t hesitate to let me know if you have any questions in a YouTube comment, on Simply Cyber Discord, or subscribe to the blog to get my email address.
📚 Free Tool: CSF Profile Assessment Database on GitHub
📚 NIST's Official Resources Page: CSF 2.0 Community Resources
Want to build a stronger GRC foundation before contributing? Check out the Certified Cyber Resilience Fundamentals at Simply Cyber Academy, or start with the free How to Break Into GRC if you're still exploring the field.