NIST Cyber Security Framework

NIST CSF core functions: Identify

Greg Belding
January 2, 2020 by
Greg Belding

The National Institute of Standards and Technology’s Cybersecurity Framework, or NIST CSF, was first published in 2014 to provide guidance for organizational cybersecurity defenses and risk management. This framework is renowned for its inherent flexibility and open-endedness to account for different organizational needs. 

At its center, NIST CSF comprises five core functions. This article will detail the first of these functions, Identify, and explore the Framework’s five core functions, what the Identify function is, what a successfully implemented Identify function allows an organization to do, and the outcome categories and subcategory activities of this function.

What is the NIST CSF framework core?

The framework core is a set of recommended activities designed to achieve certain cybersecurity outcomes and serves as guidance. It is not intended to serve as a checklist. The framework core is composed of five functions that work together to achieve the outcomes mentioned above. These elements are:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

What is the Identify function?

The Identify function is the first of the five Framework functions. As such, it provides the foundation for the rest of the functions to be built upon. This function centers around pinpointing all organization systems and platforms included in its infrastructure. Proper execution of the Identify function will ensure that no vital IT assets will fall through the cracks and will help combat shadow IT. 

This function also entails identifying potential risks that could adversely impact organization systems necessary for daily operations (such as production servers) and other critical organization activities. This will help cybersecurity executives better prioritize organization cybersecurity efforts.

According to the NIST CSF, the Identify function is defined as “Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities”. As you can see, this is a high-level definition that will serve as a skeleton for other important details to fill out. These details will come into play with the core function categories for Identify, but more on this later.

What happens when the Identify function is successfully implemented? 

A successfully implemented Identify function allows an organization to:

  • Define the organization’s current state of cybersecurity, identification of gaps and illuminate a path toward addressing these gaps
  • Define mitigation priorities
  • Define reliable and reproducible processes
  • Meet all stakeholder needs
  • Make it easier to manage complex systems
  • Have communication methods with all important parties

Outcome categories and subcategory activities

Each Framework function is comprised of outcome categories that describe the kinds of processes and tasks organizations should carry out for that Framework level. The Identify function contains six outcome categories which in turn comprises subcategory activities.

Asset Management

Asset management is the identification and management of data, systems, devices, personnel and facilities that allow the organization to achieve their objectives and is consistent with the relative importance of the asset to organizational risk strategies and objectives.

Subcategory activities

  • Inventory organization physical systems and devices
  • Inventory software platforms and applications
  • Map organization communication and data flows
  • Catalogue external information systems
  • Prioritization of resources (hardware, devices, data, etc.) based upon classification, criticality and business value
  • Establish cybersecurity roles and responsibilities for the workforce

Business Environment

The mission, objectives, activities and stakeholders of the organization are understood and prioritized. These details inform of cybersecurity risk management decisions, roles and responsibilities. 

Subcategory activities

  • Identification and communication of organization’s role in its supply chain
  • Identification and communication of organizations role in its industry sector and critical infrastructure
  • Establishment and communication of organization mission, objectives and activities
  • Establishment of critical functions and dependencies of the delivery of critical services
  • Establishment of resilience requirements to support critical services delivery for all operating states


The policies, processes and procedures to monitor and manage organizational risk, legal, regulatory, operational and environmental requirements are understood. This in turn informs the organization’s management of cybersecurity risk.

Subcategory activities

  • Establishment and communication of the organization’s cybersecurity policy
  • Alignment and coordination of cybersecurity roles and responsibilities with internal roles (including external partners)
  • Cybersecurity legal and regulatory requirements, including privacy and civil liberties, are understood and managed
  • Risk management and governance processes cover cybersecurity risks

Risk Assessment

The organization understands the relative cybersecurity risk associated with organization operations, operational assets and individuals.

Subcategory activities

  • Vulnerabilities of organization assets are identified and documented
  • Cyber-threat intelligence received from information-sharing forums and sources
  • Internal and external threats are identified and documented
  • Potential business likelihoods and impacts are identified
  • Threats, vulnerabilities, impacts and likelihoods are used to determine risk
  • Risk responses are identified and prioritized

Risk Management Strategy

The organization’s priorities, risk tolerances, constraints and assumptions are established and assist operational risk decisions.

Subcategory activities

  • Organizational stakeholders established, managed and agreed to risk management processes
  • Risk tolerance for the organization is established and clearly expressed
  • Risk tolerance determination is informed by its industry-specific risk analysis and its role in critical infrastructure

Supply Chain Risk Management

Organizational priorities, constraints, risk tolerances and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented processes to identify, assess and manage supply chain risks.

Subcategory activities

  • Cyber supply chain risk management processes are identified, established, managed, assessed and agreed to by organization stakeholders
  • Suppliers and third-party partners of information systems, components and services are identified, prioritized and assessed, using a cyber supply chain risk assessment process
  • Supplier and third-party contracts are used to implement appropriate measures to meet the organization’s cybersecurity program objectives and Cyber Supply Chain Risk Management Plan
  • Suppliers and third-party partners are routinely assessed using test results, audits and other evaluation methods to confirm they are satisfying their contractual obligations
  • Recovery planning and testing and response are conducted with both suppliers and third-party providers


The Identify function is one of the five core Framework functions of the CSF. It is the first one and forms the foundation of all the Framework functions. By applying this function’s outcome categories and respective subcategory activities, an organization will have solid footing for the functions to come. 

Get NIST CSF training

Get NIST CSF training

Build your understanding of the NIST Cyber Security Framework with seven courses taught by Ross Casanova.


Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.