Skip to main content

5: Create a Target Profile

The agency creates a Target Profile that focuses on the assessment of the Framework Categories and Subcategories describing the agency's desired cybersecurity outcomes. Agencies also may develop their own additional Categories and Subcategories to account for unique agency risks. The agency may also consider influences and requirements of external stakeholders such as sector entities, customers, and business partners when creating a Target Profile.


The purpose of this instruction is to continue facilitating the implementation or enhancement of a security program. This specifically addresses steps to take to complete Step 5: Create a Target Profile for establishing or improving a Cybersecurity Program as identified in the NIST Cybersecurity Framework. 


  • This instruction depends on the outcomes of the Current Profile developed in Step 3, it will similarly touch upon every control family in the NIST Framework in order to determine what control outcomes are desired.
  • This instruction will use the tier system identified in the Framework Core to help determine at what level the control outcomes are achieved.

Target Profile

For the target profile the agency should go back through the recommended controls for a cybersecurity program identified in Step 3: Create a Current Profile to determine what outcomes the agency desires.

Now that the agency knows what is recommended, and what is currently accomplished, the agency needs to determine what outcomes they desire. This will eventually allow them to create a plan for implementing those outcomes through the NIST Security Controls. We recommend downloading the tool in the sidebar and to follow these instructions: 

Tool: We have developed a comprehensive questionnaire to assist with this effort. It breaks the controls down into simplified questions and asks questions based on the given answers. 
Note: This tool uses macros that will need to be enabled in order to function properly.
  •  Download this tool into the same folder as the current profile tool was downloaded. This will enable the scoring to adapt based on the target controls.
  •  Upon opening the Target Profile Questionnaire, ensure it is “opened for editing’ and that the content is enabled (this allows the macros to function)
  • The target profile tool is laid out very similarly to the Current Profile Tool.  This is intentional and allows the two to be cross-referenced easier.
  • The first tab is the “Intro” tab and it displays a non-interactive comprehensive score of the current program compared to the target controls that have been selected.
  •  The Program Management tab is again based on the overall cybersecurity program regardless of what type of system, application, or information the rest of the assessment is for or where it resides. The rest of the tabs are specific to that individual system (or common controls if that is the goal), application or information that is currently being analyzed.
  • The questions here will adapt to the answers in order to simplify the process. If “Yes” is selected to an overarching control question, all sub-questions will shift to match the selection (this also works with “No” selections). This does not lock in the control answers, Simply select a different answer for any sub-question whenever desired, thus overwriting the formula. NOTE: changing a sub-questions response overwrites the code and the questionnaire will need to be re-downloaded in order to reset it

Back on the scoring sheet the complete score will be updated. This only scores the current profile items of selected controls in the target profile questionnaire, ignoring any “no” selections.


Due to the nature of this step, it does not directly correlate to any function or category of the NIST Cybersecurity Framework. In fact, since the agency is selecting where it wants to go with its program, it doesn't even map to anything in any of the NIST Security Control Family from NIST Special Publication 800-53.