Skip to main content

6: Determine, Analyze & Prioritize Gaps

The agency determines, analyzes and prioritizes gaps based on the results of the Current and Target Profiles.


The purpose of this instruction is to continue determining the actions and prioritization of actions needed to implement or enhance the security program. This specifically addresses the requirements in order to complete Step 6: Determine, Analyze, and Prioritize Gaps for establishing or improving a Cybersecurity Program as identified in the NIST Cybersecurity Framework


This instruction depends on the outcomes of the Current Profile developed in Step 3, as well as the results specified in the Target Profile in Step 5. A priority scale has been provided to sort each control and control family in the NIST Cybersecurity Framework in order to determine which control outcomes need to be addressed first.

Gap Analysis

Conducting a Gap Analysis is an integral part of implementing or enhancing a cybersecurity program. The gap analysis will help determine the best course of action to effectively accomplish the cybersecurity outcomes the agency seeks to pursue. By comparing the answers gathered in the Current and Target profiles, a gap analysis can most efficiently be generated.

In accordance with the NIST Cybersecurity Framework, Priority codes are to be used to determine the order in which to implement controls.  Based upon the priority score given to each control in the Target profile, the agency can begin to prioritize which controls need to be addressed first. The first table provided on the next page indicates that each control graded with “Priority Code 1 (P1)" should be implemented first, followed by controls with a "Priority Code 2 (P2)" grade, and so on. Individual Controls or Control Families with a graded “Priority Code 0 (P0)" should be the very last items to be implemented. These items, while still important, are minor in comparison to other items, which require immediate attention if they are not currently in place.


Priority Code Sequencing Action
Priority Code 1 (P1)  FIRST Implement P1 security controls first. 
Priority Code 2 (P2) 


Implement P2 security controls after implementation of P1 controls. 
Priority Code 3 (P3)   LAST Implement P3 security controls after implementation of P1 and P2 controls. 
Unspecified Priority Code 0 (P0)   NONE Security Control not selected by any baseline 

Considering that more than half of the controls listed in NIST Special Publication 800-53 are P1s a method to prioritize implementation of these controls was needed.  Each cybersecurity environment will differ; therefore, the prioritization of the controls and control families will vary from agency to agency. There may be multiple controls marked Priority Code 1 that have yet to be implemented within the agency. Depending on the current state of the environment, certain controls will come before others (an example demonstrating the prioritization of multiple controls with P1 to be addressed can be found in the next Table).

Current Environment Analysis An electronics manufacturing agency in South Florida with an implementation percentage of 85% 
Controls The agency allowing the system to be accessed from external information systems
The Agency is providing a short-term uninterruptible power supply 
Suggestions According to the current environment, the short-term uninterruptible power supply should be the first to be implemented due to the location of the agency and the likelihood of power outages due to weather. 

Impact, Difficulty, Cost, & Time

There are many ways to further refine the order in which the agency should address their weaknesses/implement new security controls. It is recommended that these are given a number scale, they can be 1-4 or 1-10, whatever distinction the agency prefers to use. Below are a few examples using a scale of 1-4).

Impact: This is a measurement that the security control would have on the agency's cybersecurity program. Something like implementing new Security User Training, which may not be very difficult would likely have a great impact (4) on an agency that never had one before.

Difficulty: This is a measurement of how difficult a control is to implement. It only considers from a technical perspective the difficulty. For instance, if a control calls for a new building to secure the data center, that would be very difficult as it would require experts in multiple fields to implement, this would get the highest rating, say a 4. Whereas, implementing a new Group Policy on an existing Microsoft network would take significantly less effort which may earn it a 1 rating in this category.

Cost: This is a measurement in resource costs for implementation of a security control. The resources this accounts for could be only monetary, but it could also include other things, for instance space, equipment, or any manner of important resource to the agency. Looking again at the example for Difficulty, new building versus the GPO, the cost would get similar ratings. However, something like scrubbing active directory to remove extraneous accounts, could be a tedious task, while cost little outside of time.

Time: This is concerned with how long it takes to implement a security control.  A good example is back to the scrubbing of accounts in active directory (which would take a long time, but is not too difficult, and depending on how many accounts exist, may take a long time.


Scoring can be handled in many different ways.  Using a 1-4 scale with 1 being the least and 4 being the greatest. It is recommended the following method to assist with prioritization is used: Time, Cost, Difficulty are all added together, while subtracting the Impact.

T(ime) + C(ost) + D(ifficulty) - I(mpact) = Prioritization level

A: 3 + 2 + 2 - 3 = 4
B: 3 + 3 + 3 - 2 = 7
C: 2 + 3 + 4 - 1 = 8
D: 2 + 2 + 1 - 4 = 1
E: 4 + 4 + 4 - 4 = 8
F: 4 + 4 + 4 - 1 = 11

  • It is recommended that the security controls be prioritize by lowest score first. This results in a possible score set of -1 through 11. The order of the above would come out to D, A, B, C, E, F.
  • If the agency would rather the impact rating (or any other rating) have a larger impact on the score, they could use a higher range (for example: 1-6, or 1-10).