The Core is one of the three overarching components of the NIST CSF. The Core is categorized into six functions, which are further divided into 22 categories. Each category is then further divided, amounting to a total of 106 subcategories of cybersecurity outcomes. For each subcategory, it also provides "Informative Resources" referencing specific sections of a variety of other
information security standards, including
ISO 27001,
COBIT, NIST SP 800–53, ANSI/ISA-62443, and the
Council on CyberSecurity Critical Security Controls (CCS CSC, now managed by the
Center for Internet Security). Special Publications (SP) aside, most of the informative references requires a paid membership or purchase to access their respective guides. The cost and complexity of the framework has resulted in bills from both houses of Congress that direct NIST to create Cybersecurity Framework guides that are more accessible to small and medium businesses. Here are the functions and categories, along with their unique identifiers and definitions, as stated in the framework document.
Govern According to NIST CSF 2.0, the Govern function is defined as: "the organization's cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored." The Govern function is divided into six categories. These six categories are defined below according to NIST CSF 2.0: • Organizational Context (GV.OC): "The circumstances — mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements — surrounding the organization's cybersecurity risk management decisions are understood." • Risk Management Strategy (GV.RM): " The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions" • Roles, Responsibilities, and Authorities (GV.RR): "Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated" • Policy (GV.PO): "Organizational cybersecurity policy is established, communicated, and enforced" • Oversight (GV.OV): "Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy" • Cybersecurity Supply Chain Risk Management (GV.SC): "Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders"
Identify "Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities." • Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization's risk strategy. • Business Environment (ID.BE): The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions. • Governance (ID.GV):- The policies, procedures, and processes to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk. •
Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. • Risk Management Strategy (ID.RM): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. • Supply Chain Risk Management (ID.SC): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has in place the processes to identify, assess and manage supply chain risks.
Protect "Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services." •
Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions. • Awareness and Training (PR.AT): The organization's personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements. • Data Security (PR.DS): Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information. • Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets. • Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components is performed consistent with policies and procedures. • Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
Detect "Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event." • Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and the potential impact of events is understood. • Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures. • Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.
Respond "Develop and implement the appropriate activities to take action regarding a detected cybersecurity incident." • Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events. • Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies. • Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities. • Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident. • Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
Recover "Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident." • Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events. • Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities. • Communications (RC.CO): Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors. == NIST CSF Organizational Profiles ==