/composer/{company}/nist_csf/ncsr.
When to use it
- After a client completes the annual CIS NCSR Offline Survey and you have the .xlsx/.xlsm workbook.
- When you also have the state-issued Enhanced Cybersecurity Recommendations PDF.
- To convert survey gaps into a prioritized, module-mapped remediation plan.
- To run a formal, signed review with the client and capture risk decisions.
The flow
Upload the survey workbook
NEXOS CORE parses the NCSR Offline Survey sheet, extracts per-subcategory
maturity, and computes gaps against the target maturity level.
Upload the recommendations PDF
It extracts each “Area of Improvement” (with its Do-Now/Do-Next/Do-Later phase
and recommended products).
Generate the action plan
Nexie produces 1–3 concrete actions per improvement area, each mapped to a
NEXOS CORE module with estimated hours — inserted as POA&M items. This runs as
a background job with progress, cancel, and resume.
Review with the client
Start a live review: the client works through open risks, attests to
improvement areas, acknowledges the top priority actions, and signs.
Write back
The session’s decisions are applied back to the actions, improvement areas,
and POA&M — and accepted/deferred risks create entries in the
risk register pending client countersignature.
Good to know
- PDF parsing is tuned to the current (2025) state template — a substantially reformatted future template may parse imperfectly and need review.
- After a review, the status reflects the client’s decisions, but the maturity score itself isn’t recomputed yet (a planned enhancement) — the score shows the surveyed state.
- Action-plan generation requires your tenant’s Claude API key.
