NIST Cyber Security Framework

NIST CSF: NIST CSF core functions

Fakhar Imam
December 19, 2019 by
Fakhar Imam


The National Institute of Standards and Technology (NIST)’s Cybersecurity Security Framework (CSF) Core consists of five functions. They include:

  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover

These functions are the highest level of abstraction incorporated in the NIST CSF core functions and act as the backbone of all other elements organized around them.

Get NIST CSF training

Get NIST CSF training

Build your understanding of the NIST Cyber Security Framework with seven courses taught by Ross Casanova.

The core functions contain a list of categories, subcategories and informative references that defines specific cybersecurity activities prevalent across all the critical infrastructure sectors. They aren’t intended to form a serial path to a static desired end-state; instead, the core functions should be performed continuously and concurrently to form an operational culture that deals with dynamic cybersecurity risks. 

Informative references are broader and more technical than the NIST CSF itself. Examples of these references include ISO, ISA and COBIT.

In addition to their continuous, concurrent and chronological nature, core functions should also be considered as a set of principles to be balanced in parallel. When it comes to the management of IT risks and risk-based decisions, the role of core functions is always crucial. In a nutshell, core functions act as five key pillars for result-oriented and holistic cybersecurity of any organization.

In this article, we will shed a light on a brief but comprehensive overview of all NIST CSF core functions.


Since cybersecurity risks are continuous and evolving at a rapid pace, the security of your information systems, assets, data, people and capabilities is indispensable. To accomplish this goal, Identify as a first function of the NIST CSF core functions plays its crucial role by assisting organizations with developing an understanding in order to manage cybersecurity risk to their critical infrastructure.

Once you have identified risk, you can effectively prioritize and conduct the accurate risk assessment in the light of such risk and available resources.

The Identify function encompasses five categories that are listed below:

  • Asset Management
  • Business Environment
  • Governance
  • Risk Assessment
  • Risk Management Strategy
  • Supply Chain Risk Management


Once the security team completed all five steps during the Identify function, they can proceed to the Protect function. 

Proper functioning of critical infrastructure services is a prerequisite to business continuity. To achieve this goal, the Protect function provides appropriate security safeguards and assist security professionals with containing or limiting the impact of a cybersecurity event. 

Below is the list of guidelines included in the Protect function:

  • Identify Management and Access Control
  • Security Awareness and Training
  • Data Security
  • Information Protection Processes and Procedures
  • Maintenance
  • Protective Technology


The Detect function is one of the essential components of the NIST CSF core functions. The Detect function mostly helps in achieving the following two targets by providing the appropriate guidelines:

  • Identifying the occurrence of cybersecurity events
  • Enabling the timely discovery of cybersecurity events

Below is the list of outcome categories that are included in the Detect function:

  • Anomalies and Events
  • Security Continuous Monitoring
  • Detection Processes


In the previous phase, you may have detected the cybersecurity incident. In this phase, you will respond to such an incident using the appropriate activities offered by the Respond function. Using this function, you need to develop a clear incident response plan, create a line of communication among all internal and external stakeholders and gather data with regard to incidents for analysis purposes. 

The Respond function also helps in mitigating the impact of the incident and resolving the incident altogether. This function also provides opportunities to improve the security posture by learning from the previous events and addressing the current security loopholes.

Below is the list of outcome categories incorporated in the Respond function:

  • Response Planning
  • Communications
  • Analysis
  • Mitigation
  • Improvements


The Recover function aids enterprises in recovering from incidents and restore services. It also helps in reducing the impact of the incident and timely recovery to normal business operations. 

This function recommends that you follow a recovery plan, establish communication with all stakeholders and explicitly understand the actions or security measures required to recover successfully and swiftly. Based on the results, you have a chance to benefit from learned lessons in order to prevent the occurrence of future incidents. 

The following list demonstrates the outcome categories of the Recovery function:

  • Recovery Planning
  • Improvements
  • Communications


In this article, we have taken a brief but comprehensive overview of the NIST CSF core functions: Identify, Protect, Detect, Respond and Recover. After the detailed analysis, we explored how the NIST CSF core functions are vital for the successful and holistic cybersecurity of any organization. 

While implementing these functions, your organization will be able to timely identify incidents and respond to them quickly. Based on the lessons learned from the previous incidents, you can address the security loopholes in the current security of your critical infrastructure, enhance the cybersecurity posture and attempt to prevent the occurrence of future incidents.



  1. The Five Functions, NIST
  2. An Introduction to the Components of the Framework, NIST
  3. Harness the NIST CSF to boost your security and compliance, CSO
  4. The NIST Cybersecurity Framework: An Introduction to the 5 Functions, I.S. Partners, LLC
Fakhar Imam
Fakhar Imam

Fakhar Imam is a professional writer with a master’s program in Masters of Sciences in Information Technology (MIT). To date, he has produced articles on a variety of topics including on Computer Forensics, CISSP, and on various other IT related tasks.