NIST CSF Five Functions
The core of the NIST Cybersecurity Framework
The NIST Cybersecurity Framework (CSF) organizes cybersecurity activities into five core functions: Identify, Protect, Detect, Respond, and Recover. These functions provide a high-level, strategic view of an organization's cybersecurity risk management lifecycle. They are not meant to be followed sequentially but rather operate concurrently and continuously as part of a mature security program.
The five functions apply to organizations of all sizes and across all industries. They serve as a common language for communicating cybersecurity posture to executives, boards, regulators, and technical teams. Each function breaks down into categories and subcategories that provide progressively more specific guidance.
Note that NIST CSF 2.0 introduced a sixth function, Govern, which is covered in the NIST CSF 2.0 changes topic.
Identify (ID)
The Identify function develops an organizational understanding of how to manage cybersecurity risk to systems, people, assets, data, and capabilities. Before you can protect anything, you must know what you have and what risks you face.
Key categories
Asset management (ID.AM) - Inventory and manage all physical devices, software platforms, data flows, and external information systems. You cannot protect assets you do not know exist. This includes hardware inventories, software bills of materials, data classification schemes, and mapping of information flows between systems.
Business environment (ID.BE) - Understand the organization's mission, objectives, stakeholders, and supply chain. Cybersecurity priorities should align with business goals and risk tolerance. This category ensures that security investments support the most critical business functions.
Governance (ID.GV) - Establish and maintain cybersecurity policies, roles, responsibilities, and coordination between internal and external stakeholders. Governance provides the management framework that directs all other cybersecurity activities.
Risk assessment (ID.RA) - Identify, analyze, and prioritize cybersecurity risks. This includes threat intelligence, vulnerability identification, likelihood and impact analysis, and risk determination. Risk assessments inform where to allocate resources for the greatest security benefit.
Risk management strategy (ID.RM) - Define risk tolerance and establish processes for managing risk on an ongoing basis. This includes policies for accepting, mitigating, transferring, or avoiding identified risks.
Supply chain risk management (ID.SC) - Identify, assess, and manage risks associated with third-party service providers, vendors, and supply chain partners. This category has grown in importance as organizations increasingly depend on external services and software.
Practical application
The Identify function should produce a comprehensive picture of your organization's cybersecurity posture. This includes a current asset inventory, a risk register prioritized by business impact, documented governance structures, and an understanding of your supply chain dependencies. This foundation enables informed decisions across all other functions.
Protect (PR)
The Protect function implements safeguards to ensure delivery of critical services and limit the impact of potential cybersecurity events. This is where preventive controls are designed and deployed.
Key categories
Identity management, authentication, and access control (PR.AC) - Manage credentials, implement multi-factor authentication, enforce least privilege, and control access to physical and logical assets. Access control is consistently one of the most critical protective measures across all compliance frameworks.
Awareness and training (PR.AT) - Ensure that personnel at all levels receive cybersecurity awareness training appropriate to their roles. Privileged users, executives, and third-party stakeholders each need tailored training programs.
Data security (PR.DS) - Protect data at rest and in transit through encryption, integrity checking, and data loss prevention mechanisms. This category covers the entire data lifecycle from creation through disposal.
Information protection processes and procedures (PR.IP) - Maintain and use security policies, baselines, and procedures that protect information and systems. This includes configuration management, change control, backup procedures, and incident response planning.
Maintenance (PR.MA) - Perform and log maintenance on organizational assets in a controlled manner. Remote maintenance must be approved, logged, and conducted using secure channels.
Protective technology (PR.PT) - Deploy technical security solutions including firewalls, intrusion prevention systems, endpoint protection, and security monitoring tools. Audit logs must be maintained and protected, and communications and control networks must be secured.
Practical application
The Protect function translates risk assessments from the Identify function into concrete security controls. Effective protection requires layered defenses that address people (training), process (policies and procedures), and technology (security tools). No single control is sufficient -- defense in depth is the guiding principle.
Detect (DE)
The Detect function defines activities to identify the occurrence of a cybersecurity event in a timely manner. The speed of detection directly impacts the severity of a security incident.
Key categories
Anomalies and events (DE.AE) - Establish baselines of normal activity and detect deviations that may indicate malicious behavior. This includes analyzing event data from multiple sources, correlating events to identify patterns, and determining the impact of detected anomalies.
Security continuous monitoring (DE.CM) - Monitor information systems and assets at regular intervals to detect cybersecurity events and verify the effectiveness of protective measures. This encompasses network monitoring, physical environment monitoring, personnel activity monitoring, malicious code detection, unauthorized mobile code detection, and external service provider activity monitoring.
Detection processes (DE.DP) - Maintain and test detection processes and procedures to ensure awareness of anomalous events. Detection roles and responsibilities must be defined, detection activities must comply with applicable requirements, detection processes must be tested, and event detection information must be communicated to appropriate parties.
Practical application
The Detect function relies heavily on technology solutions such as SIEM platforms, intrusion detection systems, endpoint detection and response (EDR) tools, and network traffic analysis. However, technology alone is insufficient. Organizations must define what constitutes normal activity, establish alert thresholds, create response playbooks for different detection scenarios, and regularly test their detection capabilities through red team engagements and tabletop exercises.
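As an added illustration of the baseline-and-deviation idea in DE.AE and the alert thresholds mentioned above, the following Python is example code written for this page, not part of the NIST CSF or of any product. It parses constructed sshd-style log lines, builds a per-user baseline of failed logins over the earlier days, and flags users whose failures on the review day exceed that baseline. The log format, user names, addresses, and the threshold rule (baseline mean plus three standard deviations, with a minimum floor) are all assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict

# Constructed sshd-style log lines (not real data). 2024-03-01 to 03-03 form the
# baseline window; 2024-03-04 is the day under review, with a burst of failures
# for "alice" and for a service account that never failed before.
SAMPLE_LOG = """\
2024-03-01T08:01:10Z sshd[101]: Failed password for alice from 10.0.0.5
2024-03-01T08:02:11Z sshd[102]: Accepted password for alice from 10.0.0.5
2024-03-02T08:00:03Z sshd[110]: Failed password for alice from 10.0.0.5
2024-03-02T08:00:40Z sshd[111]: Failed password for alice from 10.0.0.5
2024-03-02T08:01:02Z sshd[112]: Accepted password for alice from 10.0.0.5
2024-03-02T09:15:00Z sshd[113]: Failed password for bob from 10.0.0.9
2024-03-02T09:15:30Z sshd[114]: Accepted password for bob from 10.0.0.9
2024-03-03T08:05:00Z sshd[120]: Failed password for alice from 10.0.0.5
2024-03-03T08:05:20Z sshd[121]: Accepted password for alice from 10.0.0.5
2024-03-03T10:00:00Z sshd[122]: Accepted password for bob from 10.0.0.9
2024-03-04T02:10:00Z sshd[130]: Failed password for alice from 198.51.100.7
2024-03-04T02:10:01Z sshd[131]: Failed password for alice from 198.51.100.7
2024-03-04T02:10:02Z sshd[132]: Failed password for alice from 198.51.100.7
2024-03-04T02:10:03Z sshd[133]: Failed password for alice from 198.51.100.7
2024-03-04T02:10:04Z sshd[134]: Failed password for alice from 198.51.100.7
2024-03-04T02:10:05Z sshd[135]: Failed password for alice from 198.51.100.7
2024-03-04T02:11:00Z sshd[136]: Failed password for svc_deploy from 198.51.100.7
2024-03-04T02:11:01Z sshd[137]: Failed password for svc_deploy from 198.51.100.7
2024-03-04T02:11:02Z sshd[138]: Failed password for svc_deploy from 198.51.100.7
2024-03-04T02:11:03Z sshd[139]: Failed password for svc_deploy from 198.51.100.7
2024-03-04T02:11:04Z sshd[140]: Failed password for svc_deploy from 198.51.100.7
2024-03-04T09:00:00Z sshd[141]: Failed password for bob from 10.0.0.9
2024-03-04T09:00:20Z sshd[142]: Accepted password for bob from 10.0.0.9
"""

# Assumed line layout: ISO timestamp, sshd tag, outcome, user, source address.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})T\S+ sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)$"
)


def failures_per_user_day(log_text):
    """Parse log lines into {user: {date: number_of_failed_logins}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these separately
        date, outcome, user, _source = m.groups()
        if outcome == "Failed":
            counts[user][date] += 1
    return counts


def baseline_dates(counts, review_date):
    """Dates seen in the data that precede the review date, in order.

    Only days with at least one failure for someone appear here; a production
    baseline would take its day list from the full event stream instead.
    """
    seen = {d for by_day in counts.values() for d in by_day}
    return sorted(d for d in seen if d < review_date)


def detect_deviations(counts, review_date, baseline, k=3.0, floor=4):
    """Flag users whose failed logins on review_date exceed their own baseline.

    Threshold is max(mean + k * stdev over the baseline days, floor). The floor
    keeps a user with a near-zero baseline from being flagged for one or two
    failures; users absent from the baseline get a zero baseline, so a previously
    silent account that suddenly fails repeatedly is still caught.
    """
    alerts = {}
    for user, by_day in counts.items():
        today = by_day.get(review_date, 0)
        history = [by_day.get(d, 0) for d in baseline]
        mean = statistics.mean(history) if history else 0.0
        stdev = statistics.pstdev(history) if len(history) > 1 else 0.0
        threshold = max(mean + k * stdev, floor)
        if today > threshold:
            alerts[user] = {
                "failures": today,
                "baseline_mean": round(mean, 2),
                "threshold": round(threshold, 2),
            }
    return alerts


def run_example(review_date="2024-03-04"):
    """Build the baseline from the constructed log and evaluate the review day."""
    counts = failures_per_user_day(SAMPLE_LOG)
    return detect_deviations(counts, review_date, baseline_dates(counts, review_date))


if __name__ == "__main__":
    for user, info in run_example().items():
        print(f"ALERT {user}: {info['failures']} failures, threshold {info['threshold']}")
```

On the constructed data, alice (six failures against a baseline averaging about 1.3 per day) and svc_deploy (five failures with no baseline at all) are flagged, while bob's single failure stays under the floor. The per-user baseline is the point: a fixed global threshold would either miss the service account or drown analysts in alerts from noisy but normal users, which is why the text stresses defining normal activity before setting thresholds.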
Respond (RS)
The Respond function defines activities to take action regarding a detected cybersecurity incident. A well-prepared response capability limits the damage of an incident and supports faster recovery.
Key categories
Response planning (RS.RP) - Develop and maintain incident response plans that are executed during and after an incident. Plans should be documented, assign roles and responsibilities, and be tested regularly through exercises.
Communications (RS.CO) - Coordinate response activities with internal and external stakeholders. This includes notifying affected parties, coordinating with law enforcement when appropriate, sharing information with ISACs and other intelligence sharing organizations, and managing public relations.
Analysis (RS.AN) - Investigate detected incidents to understand their scope, determine impact, and support forensic analysis. Notifications from detection systems must be investigated, the impact of the incident must be understood, and forensic evidence must be collected and preserved.
Mitigation (RS.MI) - Contain the incident to prevent expansion and mitigate its effects. This includes isolating affected systems, implementing temporary countermeasures, and addressing newly identified vulnerabilities.
Improvements (RS.IM) - Incorporate lessons learned from detection and response activities into future response plans and strategies. Post-incident reviews should identify what worked, what did not, and what changes are needed.
Practical application
Effective incident response requires preparation long before an incident occurs. Organizations should maintain documented response plans, conduct tabletop exercises at least annually, establish communication templates for different incident types, maintain relationships with law enforcement and forensic firms, and test recovery procedures. The Respond function works hand-in-hand with the Detect function -- detection without response capability provides limited value.
Recover (RC)
The Recover function develops and implements activities to maintain plans for resilience and restore any capabilities or services that were impaired due to a cybersecurity incident.
Key categories
Recovery planning (RC.RP) - Develop and maintain recovery plans that are executed during and after an incident. Plans should address the restoration of systems, data, and operations to normal levels within defined recovery time objectives.
Improvements (RC.IM) - Incorporate lessons learned from recovery activities into updated recovery strategies. This creates a feedback loop that strengthens resilience over time.
Communications (RC.CO) - Manage public relations, repair reputational damage, and communicate recovery activities to internal and external stakeholders. Coordinated communication during recovery maintains trust with customers, partners, and regulators.
Practical application
Recovery planning encompasses business continuity planning, disaster recovery procedures, data backup strategies, and communications planning. Organizations should define recovery time objectives (RTOs) and recovery point objectives (RPOs) for all critical systems, test backup restoration regularly, and maintain alternate processing capabilities for mission-critical services.
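To show what checking RPOs and restore testing against a backup catalog looks like in practice, here is an added Python example written for this page; it is not NIST CSF material or the output of any backup product. The RPO targets, the catalog entries, the restore-test records, the 90-day restore-test interval, and the evaluation time are all constructed assumptions. For each system it reports whether the newest successful backup is older than the RPO, whether there is no successful backup at all, and whether a restore test is missing or stale.

```python
from datetime import datetime, timedelta, timezone

# Constructed targets: RPO in hours per critical system, plus how old the last
# successful restore test may be. Real values come from the business impact analysis.
RPO_HOURS = {"erp-db": 1, "file-share": 24, "crm-web": 4, "hr-portal": 24}
RESTORE_TEST_MAX_AGE = timedelta(days=90)

# Constructed backup catalog, shaped like a backup tool's job export.
BACKUP_CATALOG = [
    {"system": "erp-db", "completed_at": "2024-03-04T10:30:00Z", "status": "success"},
    {"system": "erp-db", "completed_at": "2024-03-04T11:30:00Z", "status": "success"},
    {"system": "file-share", "completed_at": "2024-03-02T01:00:00Z", "status": "success"},
    {"system": "file-share", "completed_at": "2024-03-03T01:00:00Z", "status": "failed"},
    {"system": "file-share", "completed_at": "2024-03-04T01:00:00Z", "status": "failed"},
    {"system": "crm-web", "completed_at": "2024-03-04T09:00:00Z", "status": "success"},
    {"system": "hr-portal", "completed_at": "2024-03-04T03:00:00Z", "status": "failed"},
]

# Constructed record of the last successful restore test per system
# (crm-web and hr-portal have never been restored in a test).
RESTORE_TESTS = {"erp-db": "2024-01-15T00:00:00Z", "file-share": "2023-10-01T00:00:00Z"}

# Constructed evaluation time.
NOW = datetime(2024, 3, 4, 12, 0, tzinfo=timezone.utc)


def parse_ts(text):
    """Parse a UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def latest_successful_backup(catalog, system):
    """Completion time of the newest successful backup for a system, or None."""
    times = [
        parse_ts(e["completed_at"])
        for e in catalog
        if e["system"] == system and e["status"] == "success"
    ]
    return max(times) if times else None


def evaluate_recovery_readiness(catalog, rpo_hours, restore_tests, now):
    """Return {system: [(finding_code, detail), ...]}; an empty list means compliant.

    Failed jobs are ignored when finding the newest backup, so a run of failures
    after a good backup shows up as the good backup aging past the RPO.
    """
    findings = {}
    for system in sorted(rpo_hours):
        issues = []
        last_ok = latest_successful_backup(catalog, system)
        if last_ok is None:
            issues.append(("NO_SUCCESSFUL_BACKUP", "no successful backup in catalog"))
        else:
            age = now - last_ok
            if age > timedelta(hours=rpo_hours[system]):
                hours = age.total_seconds() / 3600
                issues.append(("RPO_EXCEEDED", f"last good backup {hours:.1f}h old, RPO {rpo_hours[system]}h"))
        tested = restore_tests.get(system)
        if tested is None:
            issues.append(("RESTORE_TEST_MISSING", "backup has never been restored in a test"))
        elif now - parse_ts(tested) > RESTORE_TEST_MAX_AGE:
            days = (now - parse_ts(tested)).days
            issues.append(("RESTORE_TEST_STALE", f"last restore test {days} days ago"))
        findings[system] = issues
    return findings


if __name__ == "__main__":
    for system, issues in evaluate_recovery_readiness(BACKUP_CATALOG, RPO_HOURS, RESTORE_TESTS, NOW).items():
        status = "OK" if not issues else "; ".join(f"{code}: {detail}" for code, detail in issues)
        print(f"{system}: {status}")
```

On the constructed data, erp-db is compliant, file-share has a 59-hour-old last good backup against a 24-hour RPO and a restore test older than 90 days, crm-web meets its RPO but has never been restore-tested, and hr-portal has no successful backup at all. Running a check like this on a schedule turns the RPO and restore-testing requirements above into something that is measured rather than assumed, which is exactly what an RPO breach hidden behind a string of failed jobs would otherwise escape.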
How the five functions work together
The five functions are not a linear sequence but a continuous cycle. Risk identification informs protective controls, protective controls support detection capabilities, detection triggers response, response enables recovery, and recovery feeds back into improved identification and protection.
Organizations using the NIST CSF should assess their maturity across all five functions using implementation tiers and build framework profiles that capture their current and target states. The five functions also map to other frameworks like SOC 2, ISO 27001, and PCI DSS, making them a useful organizing structure for organizations managing multiple compliance requirements.