The NIST Cybersecurity Framework (CSF) 2.0 categories provide a structured approach for organizations to manage and reduce cybersecurity risk. This updated framework, released in March 2024, builds upon the foundational success of version 1.1 while adapting to the evolving threat landscape and feedback from global users. The framework is not a prescriptive checklist but a flexible, risk-based guide designed to help organizations better understand, manage, and communicate about their cybersecurity risks.
Understanding the Core Structure of CSF 2.0
The framework is organized into three main components: the Core, Implementation Tiers, and Profiles. The CSF 2.0 Categories form the backbone of the Core, providing a detailed breakdown of cybersecurity outcomes and objectives. These categories are grouped into four distinct functions, which together give a high-level, strategic view of the lifecycle of an organization's cybersecurity risk management.
The Four Functions of the Framework
The functions act as a roadmap, outlining the key activities required to achieve effective cybersecurity risk management. They are designed to be applicable across critical infrastructure sectors and can be tailored to an organization's specific needs, scale, and complexity. Each function encompasses the Categories and Subcategories that define the desired outcomes and security controls.
Identify
The Identify function is foundational, focusing on the development of an organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. Key categories within this function include Asset Management, Business Environment, Governance, Risk Assessment, and Information Protection Processes and Procedures. This function ensures that an organization knows what it needs to protect before attempting to defend it.
Protect
The Protect function supports the ability to limit or contain the impact of a potential cybersecurity event. It involves implementing appropriate safeguards to ensure delivery of critical infrastructure services. Its Categories cover areas such as Identity Management and Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenance, and Protective Technology.
Detect
The Detect function defines the activities needed to identify the occurrence of a cybersecurity event in a timely manner. This is crucial for minimizing damage and enabling a rapid response. Categories within this function include Anomalies and Events, Continuous Monitoring, and Detection Processes, ensuring that organizations have visibility into their security posture.
Respond and Recover
The final two functions, Respond and Recover, are critical for resilience. The Respond function includes categories for Response Planning, Communications, Analysis, Mitigation, and Improvements, ensuring that when a cybersecurity event occurs, the organization can contain its impact. The Recover function focuses on restoring capabilities or services that were impaired due to a cybersecurity event and includes categories for Recovery Planning, Improvements, and Communications to support timely restoration.
Subcategories: The Detailed Implementation Guidance
Under each Category, the framework provides one or more Subcategories, which offer more specific guidance on the cybersecurity outcomes. These Subcategories serve as the actionable elements that organizations can implement to achieve the objectives outlined in the Categories. For example, the "Data Security" Category (PR.DS) includes Subcategories for data at rest, data in transit, and data in use, providing clear direction on protecting sensitive information throughout its lifecycle.
Function | Category | Category ID | Purpose
Identify | Asset Management | ID.AM | Develop and implement an asset inventory to manage risk to assets, systems, and data.
Protect | Identity Management and Access Control | PR.AC | Manage identities and their access rights to ensure appropriate access to data and assets.