NIST CSF Core Functions
A detailed breakdown of the six core functions of NIST CSF 2.0: Govern, Identify, Protect, Detect, Respond, and Recover. This guide explains how these functions interact to form a comprehensive risk management strategy.
The Core Functions of the NIST Cybersecurity Framework (CSF) 2.0 provide a high-level taxonomy of cybersecurity outcomes that help organizations understand, manage, and reduce cybersecurity risk. Structurally, the CSF Core is a three-level hierarchy: Functions, Categories, and Subcategories. Rather than acting as a rigid, prescriptive checklist, these elements serve as a strategic guide that can be adapted to any organization's specific mission, threat landscape, and resources.
As detailed in the NIST Cybersecurity Framework 2.0 Overview, NIST visualizes the six core functions—GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER—as a wheel. This emphasizes that cybersecurity is not a linear, one-time process, but a continuous, interconnected cycle where each function informs and supports the others.
Detailed Breakdown of the Six Core Functions
GOVERN (GV)
Introduced as a central function in CSF 2.0, GOVERN establishes, communicates, and monitors the organization’s cybersecurity risk management strategy, expectations, and policy. It provides the foundational context needed to prioritize the outcomes of the other five functions. Governance activities are critical for incorporating cybersecurity into an organization’s broader enterprise risk management (ERM) strategies.
- Key Categories: Organizational Context (GV.OC), Risk Management Strategy (GV.RM), Roles, Responsibilities, and Authorities (GV.RR), Policy (GV.PO), Oversight (GV.OV), and Cybersecurity Supply Chain Risk Management (GV.SC).
- Practical Example: A board of directors establishing a low risk tolerance for customer data exposure, which subsequently dictates the budget for the PROTECT function and reporting metrics for the DETECT function.
- Deep Dive: For more details on supply chain integration within this function, see NIST CSF 2.0: Governance and Supply Chain Risk.
IDENTIFY (ID)
The IDENTIFY function requires an organization to understand and manage the cybersecurity risks to its systems, assets, data, and capabilities. You cannot secure what you do not know exists; therefore, this function forms the inventory and risk assessment baseline required to implement effective safeguards.
- Key Categories: Asset Management (ID.AM), Risk Assessment (ID.RA), and Improvement (ID.IM).
- Practical Example: Categorizing assets by criticality. For instance, an organization must identify all cloud workloads processing payment data before it can decide how strictly to monitor them.
- Edge Case: In highly dynamic environments, identifying shadow IT (unauthorized software or hardware) can be challenging. IDENTIFY processes must account for rapid, decentralized procurement by business units outside of the core IT team.
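The asset-criticality example and the shadow IT edge case above can be made concrete. The following is an added example, not code from the NIST CSF text: it diffs a declared inventory (what the CMDB says) against what a discovery run actually observed, derives a criticality tier from the most sensitive data class each asset handles, and flags discovered-but-unregistered assets as shadow IT candidates. All asset records are constructed sample data; the field names, data classes, and tier mapping are assumptions, not CSF-defined values.

```python
"""Asset reconciliation for the IDENTIFY function (added example, assumptions noted)."""
from dataclasses import dataclass

# Rank data classes by sensitivity; an asset's criticality follows the highest rank present.
DATA_CLASS_RANK = {"public": 0, "internal": 1, "confidential": 2, "payment": 3}
TIER_BY_RANK = {0: "low", 1: "low", 2: "medium", 3: "high"}


@dataclass(frozen=True)
class Asset:
    asset_id: str               # stable identifier, e.g. a cloud resource ID
    owner: str                  # accountable team; empty when nobody has claimed it
    data_classes: frozenset     # data classifications the asset processes


def criticality(asset: Asset) -> str:
    """Map an asset to a tier from the most sensitive data class it touches."""
    top = max((DATA_CLASS_RANK.get(c, 0) for c in asset.data_classes), default=0)
    return TIER_BY_RANK[top]


def reconcile(registered: list, discovered: list) -> dict:
    """Diff the declared inventory against discovery output.

    shadow  : discovered but never registered (candidate shadow IT)
    stale   : registered but no longer seen (decommissioned, or hidden from scans)
    by_tier : assets present in both views, grouped by criticality; the discovered
              record is used because it reflects what is really running
    """
    reg = {a.asset_id: a for a in registered}
    disc = {a.asset_id: a for a in discovered}
    by_tier = {"high": [], "medium": [], "low": []}
    for asset_id in sorted(reg.keys() & disc.keys()):
        by_tier[criticality(disc[asset_id])].append(asset_id)
    return {
        "shadow": sorted(disc.keys() - reg.keys()),
        "stale": sorted(reg.keys() - disc.keys()),
        "by_tier": by_tier,
    }


def urgent_shadow(discovered: list, result: dict) -> list:
    """Shadow assets that handle high-tier data are reviewed first."""
    disc = {a.asset_id: a for a in discovered}
    return [i for i in result["shadow"] if criticality(disc[i]) == "high"]


# Constructed sample data: what the CMDB declares versus what discovery found.
REGISTERED = [
    Asset("vm-web-01", "platform", frozenset({"public"})),
    Asset("db-orders", "payments", frozenset({"payment", "confidential"})),
    Asset("vm-legacy-09", "finance", frozenset({"internal"})),
]
DISCOVERED = [
    Asset("vm-web-01", "platform", frozenset({"public"})),
    Asset("db-orders", "payments", frozenset({"payment", "confidential"})),
    Asset("fn-export-tmp", "", frozenset({"payment"})),     # spun up by a business unit, never registered
    Asset("vm-analytics-03", "", frozenset({"internal"})),  # also unregistered, lower-risk data
]

if __name__ == "__main__":
    result = reconcile(REGISTERED, DISCOVERED)
    print(result)
    print("review first:", urgent_shadow(DISCOVERED, result))
```

The point of running the tiering over the discovered record rather than the registered one is that a business unit's "temporary" function handling payment data is exactly the asset a CMDB-only view would miss; the stale list is equally useful, since a registered asset that discovery can no longer see is either decommissioned paperwork or a host hiding from your scanners.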
PROTECT (PR)
PROTECT covers the safeguards used to manage the organization's cybersecurity risks, with the aim of preventing adverse events or limiting their likelihood and impact. (CSF 1.1 framed this Function as ensuring delivery of critical infrastructure services; CSF 2.0 drops that framing so the Function applies to any organization.) It covers both technical safeguards and human elements.
- Key Categories: Identity Management, Authentication, and Access Control (PR.AA), Awareness and Training (PR.AT), Data Security (PR.DS), Platform Security (PR.PS), and Technology Infrastructure Resilience (PR.IR).
- Practical Example: Enforcing multi-factor authentication (MFA) across all employee accounts or hardening the physical and virtual hardware of a server platform.
- Operational Consideration: While enforcing strict access controls limits risk, organizations must balance the PROTECT function with business availability to ensure legitimate users are not overly burdened, aligning with the operational context defined in GOVERN.
DETECT (DE)
DETECT encompasses the timely discovery and analysis of anomalies, indicators of compromise (IoCs), and other potentially adverse events. This function acts as the organization's alarm system, enabling rapid transition into incident response.
- Key Categories: Continuous Monitoring (DE.CM) and Adverse Event Analysis (DE.AE).
- Practical Example: A Security Information and Event Management (SIEM) tool flagging anomalous outbound traffic at 3:00 AM, triggering an automated alert for the security operations center (SOC) to investigate.
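The SIEM scenario above, an anomalous outbound transfer at 3:00 AM, reduces to a baseline-and-threshold rule. The following is an added example, not code from the NIST CSF text or from any SIEM product: it parses simplified flow records, builds a per-host baseline of outbound bytes during business hours, and alerts on off-hours outbound flows that dwarf that baseline. The record format, the internal address ranges, the 08:00-18:00 UTC business window, and the 3x ratio are all assumptions, and the log lines are constructed.

```python
"""Off-hours outbound transfer detector for the DETECT function (added example)."""
import ipaddress
import re
from datetime import datetime, timezone
from statistics import median

# Assumed record format: "<ISO-8601 UTC> src=<ip> dst=<ip> dport=<n> bytes=<n>"
FLOW_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
BUSINESS_HOURS = range(8, 18)   # assumed working window, UTC
RATIO_THRESHOLD = 3.0           # off-hours flow must exceed 3x the host's daytime median


def parse_flow(line: str):
    """Return a flow dict, or None for lines that do not match the format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": ipaddress.ip_address(m["src"]), "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]), "bytes": int(m["bytes"])}


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def is_outbound(flow) -> bool:
    """Internal source talking to a destination outside the internal ranges."""
    return is_internal(flow["src"]) and not is_internal(flow["dst"])


def detect(lines):
    """Return alerts for off-hours outbound flows that break the daytime baseline."""
    flows = [f for f in map(parse_flow, lines) if f and is_outbound(f)]

    # Baseline: bytes per outbound flow, per source host, during business hours.
    daytime = {}
    for f in flows:
        if f["ts"].hour in BUSINESS_HOURS:
            daytime.setdefault(str(f["src"]), []).append(f["bytes"])

    alerts = []
    for f in flows:
        if f["ts"].hour in BUSINESS_HOURS:
            continue
        samples = daytime.get(str(f["src"]))
        if samples is None:
            # Edge case: a host with no daytime history cannot be baselined;
            # surface it at lower severity rather than silently ignoring it.
            severity, reason = "medium", "no daytime baseline for this host"
        else:
            med = median(samples)
            if f["bytes"] <= RATIO_THRESHOLD * med:
                continue
            severity, reason = "high", f"{f['bytes']} bytes vs daytime median {med:.0f}"
        alerts.append({"ts": f["ts"].isoformat(), "src": str(f["src"]), "dst": str(f["dst"]),
                       "dport": f["dport"], "bytes": f["bytes"], "severity": severity, "reason": reason})
    return alerts


# Constructed flow records: a normal working day, then a night with a large external
# transfer, an internal-only copy (ignored), and a host with no daytime history.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z src=10.0.4.12 dst=198.51.100.20 dport=443 bytes=2097152
2024-05-01T11:40:51Z src=10.0.4.12 dst=198.51.100.20 dport=443 bytes=3145728
2024-05-01T14:00:00Z src=10.0.4.33 dst=198.51.100.20 dport=443 bytes=1048576
2024-05-01T15:05:19Z src=10.0.4.12 dst=198.51.100.21 dport=443 bytes=4194304
2024-05-01T16:30:00Z src=10.0.4.12 dst=198.51.100.20 dport=443 bytes=10485760
2024-05-02T02:15:09Z src=10.0.4.50 dst=198.51.100.99 dport=22 bytes=102400
2024-05-02T03:00:14Z src=10.0.4.12 dst=198.51.100.77 dport=443 bytes=524288000
2024-05-02T03:02:41Z src=10.0.4.12 dst=10.0.9.5 dport=445 bytes=734003200
2024-05-02T04:10:00Z src=10.0.4.33 dst=198.51.100.20 dport=443 bytes=1200000
this line is not a flow record and is skipped
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Two design choices matter here. The baseline is a median, so a single large daytime download does not inflate the threshold the way a mean would; and a host with no daytime history still produces a (lower-severity) alert, because an endpoint that only ever talks to the outside at night is itself the anomaly. The internal-to-internal 700 MB copy over port 445 is deliberately not an alert for this rule; that is lateral-movement territory and belongs to a different detection.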
RESPOND (RS)
Once an event surfaced by the DETECT function has been declared an incident, RESPOND defines the actions taken to contain its impact. Fast, coordinated action limits organizational damage and sets the stage for efficient recovery.
- Key Categories: Incident Management (RS.MA), Incident Analysis (RS.AN), Incident Response Reporting and Communication (RS.CO), and Incident Mitigation (RS.MI).
- Practical Example: Disconnecting a compromised segment of the network to prevent ransomware from moving laterally, while simultaneously notifying internal legal and public relations teams according to the communication plan.
RECOVER (RC)
The RECOVER function outlines how an organization restores assets and operations that were impaired during a cybersecurity incident. It focuses on the timely restoration of normal operations to reduce business downtime and ensure appropriate communication with stakeholders.
- Key Categories: Incident Recovery Plan Execution (RC.RP) and Incident Recovery Communication (RC.CO).
- Practical Example: Restoring mission-critical databases from immutable, offline backups after a data destruction attack, followed by publishing an incident post-mortem to clients.
Interconnectivity of the Functions
The CSF Core Functions do not operate in a vacuum. Achieving maturity in risk management relies on the synergy between them. For instance, lessons learned during a post-incident RECOVER phase feed directly into the Improvement category (ID.IM) of the IDENTIFY function, which in turn drives changes to the safeguards implemented under PROTECT, all within the priorities and risk tolerance set by GOVERN.
Organizations describe their current and target states with CSF Organizational Profiles (a Current Profile and a Target Profile) and characterize the rigor of their risk governance and management practices with Tiers, using both to track progress over time. For a broader comparison of how NIST maps against other major standards, refer to the Cybersecurity Frameworks Overview.