Mastering NIST CSF 2.0 Categories: Your Complete Guide

By Marcus Reyes

The NIST Cybersecurity Framework (CSF) 2.0 represents the latest evolution in guidance for managing and reducing cybersecurity risk. This updated framework maintains its core mission of providing a flexible, risk-based approach to cybersecurity while adapting to the evolving threat landscape and feedback from global users. The framework is structured around five core Functions, which are further divided into Categories that group the desired outcomes; those outcomes are in turn organized into Subcategories, creating a detailed matrix of cybersecurity practices.

The Structure of NIST CSF 2.0

The framework is built on a common taxonomy of cybersecurity concepts and definitions intended to improve communication about cybersecurity risk across different sectors and stakeholders. The core of the framework is organized into five Functions: Identify, Protect, Detect, Respond, and Recover. These Functions provide a high-level, strategic view of the lifecycle of an organization's management of cybersecurity risk. Each Function is then broken down into Categories, which are high-level groupings of cybersecurity outcomes.

Deep Dive into CSF 2.0 Categories

Within each Function, the Categories represent the critical aspects of cybersecurity risk management. They are the thematic grouping of the outcomes that drive cybersecurity practices and inform the selection of the Subcategory references. The following sections detail the specific categories defined under each Function in NIST CSF 2.0.

ID. Identify Function Categories

The Identify Function helps organizations develop an organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. There are six categories within this Function.

ID.AM (Asset Management): Data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organization objectives and the organization’s cybersecurity risk strategy.

ID.BE (Business Environment): The organization’s mission, business processes to be performed, stakeholders, and current operations are understood and prioritized to inform cybersecurity roles and responsibilities.

ID.CI (Cybersecurity Information): Information about the organization’s cybersecurity risk is collected from multiple sources and used to inform decisions about cybersecurity risk.

ID.DE (Data Governance): Data integrity, confidentiality, and availability are ensured to meet organizational needs, business objectives, and legal requirements.

ID.RA (Risk Assessment): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

ID.RM (Risk Management): The organization’s risk management strategy and processes are established and integrated into organizational decision-making processes.

PR.DE Protect Function Categories

The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. It encompasses the appropriate safeguards to ensure delivery of critical infrastructure services. This Function contains six categories.

PR.AC (Access Control): Access to assets and related facilities is restricted to authorized users, processes, or devices, and to authorized activities and transactions.

PR.AI (Awareness and Training): The organization’s personnel and partners are provided cybersecurity awareness education and training, and are equipped to be informed participants in the organization’s cybersecurity practices.

PR.DA (Data Security): Information and records (data) are managed consistent with the organization’s risk strategy to protect their confidentiality, integrity, and availability.

PR.DE (Data Encryption): Data is encrypted in transit and at rest to protect its confidentiality and integrity.

PR.IR (Incident Response): The organization has in place the appropriate safeguards to ensure prompt detection, analysis, and response to cybersecurity events.

PR.MP (Maintenance): Mechanisms are implemented to provide protection of industrial control systems, cloud systems, and software assets against vulnerabilities that could be exploited by malicious actors.

DE.DT Detect Function Categories
