NIST CSF 2.0 Identify Function: The organization's current cybersecurity risks are understood.

Source: NIST CSF 2.0

The NIST CSF Identify Function helps you better understand and manage cybersecurity risks through identifying and prioritizing threats, vulnerabilities, and assets. Your organization can build a thorough awareness of your cybersecurity posture, including your present condition, risk tolerance, and business objectives, with the help of this systematic method.

The goals of the Identify Function are:

  • Organizational environmental analysis
  • Cybersecurity posture measurement
  • Strategies of continuous improvement

The Identify Function helps you identify and prioritize your most important systems, data, and assets. Examples of these tasks include asset management and risk assessment. You can also gain a thorough grasp of your organization's cybersecurity threats and lay the groundwork for efficient cybersecurity controls and risk management techniques. In all, the Identify Function gives you the ability to recognize and handle cybersecurity issues proactively, strengthen your defenses against online attacks, and safeguard your vital resources and operations.

The Identify Function has three Categories, and each Category has multiple Subcategories.

Function   Category           Category Identifier
Identify   Asset Management   ID.AM
           Risk Assessment    ID.RA
           Improvement        ID.IM

1. Asset Management (ID.AM)

This Category concentrates on the fundamental duty of thoroughly identifying and overseeing all organizational assets that facilitate business operations. This covers physical assets, like hardware, software, and facilities, as well as intangible assets, like data, intellectual property, and reputation. By keeping a precise inventory of assets and understanding their value, criticality, and interdependencies, organizations can allocate resources efficiently and prioritize the work of safeguarding their most important assets from cybersecurity threats.

The Subcategories of ID.AM are:

  • ID.AM-01: Inventories of hardware managed by the organization are maintained.

    This Subcategory emphasizes the importance of keeping an up-to-date inventory of all hardware assets within an organization. This inventory includes all devices, systems, and equipment, whether on-premises or connected remotely.

    These actionable steps can help you comply with this Subcategory:

    • Document details such as hardware type, manufacturer, model, serial number, location, and the person responsible for each asset.
    • Update the inventory to reflect changes such as new acquisitions, decommissioned equipment, or reassignments within the organization.
    • Deploy automated tools and asset management systems that can be used to simplify the process of tracking and maintaining the hardware inventory.
  • ID.AM-02: Inventories of software, services, and systems managed by the organization are maintained.

    This Subcategory emphasizes the importance of maintaining up-to-date inventories of software, services, and systems managed by an organization.

    These actionable steps can help you comply with this Subcategory:

    • Ensure that all assets are accounted for, properly secured, and aligned with the organization’s cybersecurity policies.
    • Update the inventory to reflect changes such as new installations, decommissioning, and updates.
    • Deploy automated tools that can be used to simplify the process of tracking and maintaining the software inventory.
  • ID.AM-03: Representations of the organization’s authorized network communication and internal and external network data flows are maintained.

    This Subcategory emphasizes the importance of documenting and maintaining accurate representations of network communications and data flows within an organization.

    These actionable steps can help you comply with this Subcategory:

    • Map out how data moves across your organization’s networks, including both internal and external communications.
    • Understand and document which systems, devices, and users are authorized to communicate and exchange data.
    • Review and update these representations whenever changes in the network infrastructure or business processes affect data flows.
  • ID.AM-04: Inventories of services provided by suppliers are maintained.

    This Subcategory focuses on the importance of systematically tracking and managing the services that your organization receives from third-party suppliers.

    These actionable steps can help you comply with this Subcategory:

    • Create a comprehensive list of all external services that are integral to the organization's operations, such as cloud services, software-as-a-service (SaaS) applications, managed IT services, and other vendor-provided solutions.
    • Understand your dependencies on external providers and assess the security implications associated with these relationships.
    • Document these services to better manage risks related to third-party suppliers, such as potential disruptions, data breaches, or compliance issues.
    • Include details about the nature of the services, the criticality to business operations, the data involved, and any security controls implemented by the supplier.
    • Update this inventory to ensure that any changes in the services provided, such as new suppliers or modifications to existing services, are tracked.
  • ID.AM-05: Assets are prioritized based on classification, criticality, resources, and impact on the mission.

    This Subcategory emphasizes the importance of prioritizing organizational assets based on specific criteria to ensure effective cybersecurity risk management.

    These actionable steps can help you comply with this Subcategory:

    • Categorize assets according to their classification, which refers to the sensitivity and confidentiality level of the information they contain or process.
    • Assess the criticality, which involves determining how essential an asset is to your organization's operations.
    • Analyze resources by evaluating the amount of effort, funding, and manpower required to protect, maintain, and recover each asset.
    • Evaluate the impact on the mission by understanding how the security and functionality of each asset directly affect the organization's ability to achieve its strategic objectives.
    • Review and update the asset prioritizations to ensure that the organization's cybersecurity posture adapts to evolving threats.
  • ID.AM-07: Inventories of data and corresponding metadata for designated data types are maintained.

    This Subcategory shows the importance of systematically cataloging and managing data assets within an organization.

    These actionable steps can help you comply with this Subcategory:

    • Maintain accurate and up-to-date inventories of your data and associated metadata.
    • Include details such as data ownership, sensitivity level, format, location, and retention requirements.
    • Create stringent access controls and safety measures to make sure this data inventory isn't tampered with.
  • ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles.

    This Subcategory highlights the importance of comprehensive life cycle management for all IT assets within an organization.

    These actionable steps can help you comply with this Subcategory:

    • Track and manage assets from acquisition to disposal, ensuring that each phase of their existence is secure, compliant, and efficient.
    • Identify assets, apply security controls, perform regular maintenance, and retire them securely.
    • Maintain data integrity throughout the asset's life cycle, reducing the likelihood of data breaches or loss.
    • Conduct regular updates, patches, and upgrades to keep systems and software resilient.

2. Risk Assessment (ID.RA)

The main objective of this Category is understanding and controlling cybersecurity risks. It entails the methodical process of locating, evaluating, and ranking any threats to the information assets, operations, and systems of an organization. Organizations may make well-informed choices, efficiently allocate resources, and apply suitable measures to manage identified risks by carrying out risk assessments.

The Subcategories of ID.RA are:

  • ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded.

    This Subcategory shows the importance of proactively managing vulnerabilities within an organization’s assets.

    These actionable steps can help you comply with this Subcategory:

    • Identify vulnerabilities in hardware, software, and other critical assets.
    • Validate the identified vulnerabilities to confirm their existence and assess their potential impact.
    • Record these vulnerabilities in a centralized system or vulnerability management platform to track them effectively. Each record should include the nature of the vulnerability, the affected assets, the potential impact, and any associated risks.
    • Prioritize the vulnerabilities based on risk levels.
    • Perform regular scanning and assessments so that new vulnerabilities are promptly identified and managed.
  • ID.RA-02: Cyber threat intelligence is received from information-sharing forums and sources.

    This Subcategory highlights the significance of utilizing cyber threat intelligence (CTI) from many information-sharing platforms and sources to improve corporate risk assessment capabilities.

    These actionable steps can help you comply with this Subcategory:

    • Obtain significant insights on new risks, attack patterns, and adversary tactics, techniques, and procedures (TTPs) by actively engaging in information-sharing forums.
    • Integrate timely and relevant CTI to proactively detect possible threats and vulnerabilities.
    • Ensure the CTI details are valid and updated regularly.

    ManageEngine Log360's integrated threat detection module and advanced threat analytics add-on help you block malicious sources, data exfiltration, and visits to malicious sites. By combining commercial and open-source threat feeds, this integrated platform helps prioritize critical security threats, reduce false positives, and speed up threat detection.

  • ID.RA-03: Internal and external threats to the organization are identified and recorded.

    This Subcategory's main emphasis is the critical duty of recognizing and documenting internal and external threats to the organization's cybersecurity posture.

    These actionable steps can help you comply with this Subcategory:

    • Identify and document the full range of threats to build a clear understanding of the risks they pose.
    • Implement comprehensive threat intelligence collection, vulnerability assessments, and security audits for identification.
    • Keep an up-to-date inventory of possible hazards by documenting these threats in a unified repository.

    Log360 is a unified SIEM solution with effective attack detection capabilities. Log360 provides an advanced TDIR engine, Vigil IQ, which helps organizations identify, navigate, and investigate threats. Vigil IQ provides vast coverage to both internal and external security threats, intuitive analytics, and automated playbooks to help organizations overcome cybersecurity challenges.

  • ID.RA-04: Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded.

    This Subcategory focuses on the importance of understanding and documenting the potential consequences of cyber threats exploiting vulnerabilities within an organization.

    These actionable steps can help you comply with this Subcategory:

    • Evaluate the severity of the impact that a successful attack could have on critical assets, systems, or data.
    • Assess the likelihood of potential cyber threats.
    • Use a combination of threat intelligence, historical data, vulnerability assessments, and expert judgment for the assessment.
    • Understand your organization’s risk landscape, enabling informed decision-making.
    • Update this information to ensure that the organization remains responsive to emerging threats and evolving vulnerabilities.
  • ID.RA-05: Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization.

    This Subcategory emphasizes the systematic use of identified threats, vulnerabilities, their likelihood, and potential impacts to comprehend an organization’s inherent risk.

    These actionable steps can help you comply with this Subcategory:

    • List the potential malicious events that could exploit vulnerabilities, such as cyberattacks, insider threats, or natural disasters.
    • Discover vulnerabilities that could be exploited by these threats, including outdated software, misconfigured systems, or inadequate access controls.
    • Assess the likelihood by evaluating the probability of a threat exploiting a vulnerability, based on historical data, threat intelligence, and current security controls.
    • Calculate the impact by analyzing potential consequences or damage that could result from such an exploitation, including financial loss, reputational damage, or operational disruptions.
    • Quantify and qualify your inherent risk by combining these four factors.
  • ID.RA-06: Risk responses are chosen, prioritized, planned, tracked, and communicated.

    This Subcategory shows the importance of a structured approach to managing cybersecurity risks.

    These actionable steps can help you comply with this Subcategory:

    • Select an appropriate risk response based on your organization's risk tolerance and business objectives.
    • Prioritize the risks to address the most critical ones first, ensuring that resources are allocated efficiently.
    • Develop detailed action plans to implement the chosen risk responses, with clear timelines and responsibilities.
    • Track and monitor the implementation process, ensuring that the actions are executed as planned.
    • Inform all relevant stakeholders, including leadership and affected departments, about the risks, planned responses, and progress.
    • Conduct reviews of the risk responses to ensure they remain effective over time.
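    The steps under ID.RA-04, ID.RA-05, and ID.RA-06 describe one procedure: score each threat/vulnerability pair by likelihood and impact, derive the inherent risk, then order the register and pick a response against the organization's risk tolerance. The following added example (not part of the original page or any ManageEngine product) carries that procedure through on a constructed risk register; the 5x5 scales, rating bands, and tolerance value are assumptions, since the Framework prescribes none.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed 5-point scales; the Framework does not mandate these values.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class RiskEntry:
    asset: str
    threat: str          # ID.RA-03: the malicious event
    vulnerability: str   # ID.RA-01: the weakness it would exploit
    likelihood: str      # ID.RA-04: key into LIKELIHOOD
    impact: str          # ID.RA-04: key into IMPACT

    def score(self) -> int:
        """Inherent risk (ID.RA-05): likelihood x impact before any new controls."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def rating(score: int) -> str:
    """Qualitative band for a 1..25 score (band thresholds are an assumption)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def risk_response(score: int, tolerance: int) -> str:
    """ID.RA-06: at or below the stated tolerance the risk may be accepted;
    above it a treatment (mitigate, transfer, or avoid) must be planned."""
    return "accept" if score <= tolerance else "treat (mitigate, transfer, or avoid)"


def prioritize(register: List[RiskEntry], tolerance: int) -> List[Dict]:
    """Order the register highest inherent risk first, with rating and response."""
    rows = [{"asset": r.asset, "threat": r.threat, "vulnerability": r.vulnerability,
             "score": r.score(), "rating": rating(r.score()),
             "response": risk_response(r.score(), tolerance)} for r in register]
    return sorted(rows, key=lambda row: row["score"], reverse=True)


# Constructed sample register; these are illustrative entries, not real findings.
SAMPLE_REGISTER = [
    RiskEntry("HR file server", "ransomware", "unpatched SMB service", "likely", "major"),
    RiskEntry("Public website", "defacement", "outdated CMS plugin", "possible", "minor"),
    RiskEntry("Payroll SaaS", "credential phishing", "no MFA on admin accounts", "likely", "severe"),
    RiskEntry("Office printer", "misuse", "default admin password", "unlikely", "negligible"),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_REGISTER, tolerance=6):
        print(f"{row['score']:>2} {row['rating']:<8} {row['response']:<36} "
              f"{row['asset']}: {row['threat']} via {row['vulnerability']}")
```

The ordered rows are what the stakeholder communication in ID.RA-06 should carry, and re-running the register after a change is the tracking step in ID.RA-07.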
  • ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked.

    This Subcategory emphasizes the structured management of changes and exceptions. Organizations must evaluate any modifications—such as software updates, infrastructure changes, or policy adjustments—to determine their security impact. Additionally, any exceptions to security policies or controls (e.g., allowing legacy systems with outdated encryption) should be documented, assessed for risks, and continuously monitored.

    These actionable steps can help you comply with this Subcategory:

    • Establish a change management process to review, approve, and document all security-related changes and exceptions before they are implemented.
    • Evaluate the potential security risks of any changes or exceptions and determine their impact on business operations, data security, and compliance.
    • Maintain a centralized log of all changes and exceptions, including justifications, risk assessments, and approvals.
    • Apply alternative security measures (e.g., additional monitoring, MFA, or network segmentation) if an exception introduces security risks.
  • ID.RA-08: Processes for receiving, analyzing, and responding to vulnerability disclosures are established.

    This Subcategory ensures that organizations have mechanisms to accept vulnerability reports from security researchers, employees, and third parties, assess the potential impact of reported vulnerabilities, and take appropriate remediation actions.

    These actionable steps can help you comply with this Subcategory:

    • Create and publish a vulnerability disclosure policy outlining how external researchers or internal employees can report security vulnerabilities.
    • Provide an email address, web form, or bug bounty platform for receiving vulnerability reports and ensure it's monitored regularly.
    • Define procedures to analyze reported vulnerabilities, assess their impact, prioritize based on risk, and determine remediation steps.
    • Assign a security team to verify vulnerabilities, apply patches, and coordinate disclosure with affected stakeholders.
  • ID.RA-09: The authenticity and integrity of hardware and software are assessed prior to acquisition and use.

    This Subcategory ensures that organizations, before acquiring hardware and software, verify their authenticity and integrity to prevent supply chain attacks, counterfeit products, or maliciously altered components.

    These actionable steps can help you comply with this Subcategory:

    • Choose reputable vendors with established security standards, conduct vendor risk assessments, and review security certifications (e.g., ISO 27001, SOC 2).
    • Before installing software or firmware updates, verify their digital signatures and hash values to ensure authenticity and detect tampering.
    • Before deploying new hardware or software in production environments, conduct thorough security testing in a sandbox or isolated environment.
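    The second step above, checking a download's hash before installing it, is shown in the following added example (not code from the original page or from any vendor). It parses a SHA256SUMS-style checksum list, verifies an artifact against it with a constant-time comparison, and fails closed for tampered or unlisted files. It assumes the manifest itself was obtained over an authenticated channel or its detached signature has already been verified; the artifact bytes and manifest are constructed for the demonstration.

```python
import hashlib
import hmac
from typing import Dict


def parse_sha256sums(manifest: str) -> Dict[str, str]:
    """Parse a SHA256SUMS-style list: one '<hex digest>  <filename>' per line.
    A leading '*' on the filename (the binary-mode marker) is stripped.
    Blank lines and '#' comments are ignored; any other malformed line raises."""
    digests: Dict[str, str] = {}
    for lineno, raw in enumerate(manifest.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno} is malformed: {line!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        int(digest, 16)  # rejects non-hex characters
        digests[name] = digest
    return digests


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of the artifact as downloaded."""
    return hashlib.sha256(data).hexdigest()


def verify_artifact(name: str, data: bytes, manifest: str) -> bool:
    """True only if `name` is listed in the manifest and `data` hashes to the
    listed digest. A file absent from the manifest is rejected, not passed through."""
    expected = parse_sha256sums(manifest).get(name)
    if expected is None:
        return False
    # Constant-time compare: the result must not depend on how many leading
    # characters of a wrong digest happen to match.
    return hmac.compare_digest(sha256_of(data), expected)


# Constructed sample: the "installer" is the bytes b"abc", whose SHA-256 is the
# well-known test vector below, so the manifest can be written out by hand the way
# a vendor's published checksum file would be.
GOOD_INSTALLER = b"abc"
PUBLISHED_SUMS = (
    "# constructed manifest, not a real vendor file\n"
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  *agent-1.2.3.bin\n"
)

if __name__ == "__main__":
    tampered = GOOD_INSTALLER + b"\x00"  # a single appended byte changes the digest
    print("genuine :", verify_artifact("agent-1.2.3.bin", GOOD_INSTALLER, PUBLISHED_SUMS))
    print("tampered:", verify_artifact("agent-1.2.3.bin", tampered, PUBLISHED_SUMS))
    print("unlisted:", verify_artifact("agent-9.9.9.bin", GOOD_INSTALLER, PUBLISHED_SUMS))
```

Install only when `verify_artifact` returns True; a False result is a finding to record under ID.RA-01, not a warning to click past.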
  • ID.RA-10: Critical suppliers are assessed prior to acquisition.

    This Subcategory emphasizes the importance of evaluating the security posture of critical suppliers before integrating their products or services into an organization’s infrastructure.

    These actionable steps can help you comply with this Subcategory:

    • Define security requirements and risk assessment factors for evaluating critical suppliers.
    • Perform cybersecurity risk assessments, including evaluating past security incidents, vulnerability management practices, and data protection measures.
    • Verify whether suppliers meet regulatory and industry standards such as HIPAA, GDPR, SOC 2, or ISO 27001 to ensure alignment with security expectations.
    • Enforce security clauses in contracts, requiring suppliers to adhere to security best practices, conduct regular audits, and report security incidents.

3. Improvement (ID.IM)

This Category is dedicated to constantly enhancing the cybersecurity posture of the organization. It highlights the criticality of having procedures in place that help find and rank areas for improvement in accordance with the organization's goals and priorities for risk management. Organizations may boost their entire cybersecurity posture, adapt more effectively to new threats, and increase resilience by cultivating a culture of continuous improvement.

The Subcategories of ID.IM are:

  • ID.IM-01: Improvements are identified from evaluations.

    This Subcategory emphasizes the importance of continuously identifying and implementing security improvements based on evaluations, audits, or past incidents.

    These actionable steps can help you comply with this Subcategory:

    • Perform periodic cybersecurity audits, penetration tests, and risk assessments to evaluate security controls.
    • Analyze past security breaches, incidents, or near-misses to determine root causes and apply corrective measures.
    • Gather insights from IT teams, security analysts, and end users on potential security gaps.
    • Maintain a documented process to track security enhancements, apply necessary updates, and align security practices with industry best practices.
  • ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties.

    This Subcategory emphasizes the need to continuously enhance security by learning from tests and exercises.

    These actionable steps can help you comply with this Subcategory:

    • Perform vulnerability assessments, penetration testing, and red team exercises to identify weaknesses in security controls.
    • Require suppliers and third-party service providers to participate in security assessments and remediation processes as part of contractual agreements.
    • Maintain detailed reports of security test results and create action plans to address identified gaps in coordination with relevant stakeholders.
    • Regularly update cybersecurity policies and procedures based on findings from security tests and exercises to align with best practices.
  • ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities.

    This Subcategory emphasizes the importance of continuously refining cybersecurity processes by identifying weaknesses, inefficiencies, and areas for enhancement during day-to-day operations.

    These actionable steps can help you comply with this Subcategory:

    • Schedule periodic evaluations of operational processes and security procedures to identify gaps and inefficiencies.
    • Review past security incidents to determine root causes and implement corrective measures.
    • Encourage employees and IT teams to provide feedback on security processes.
    • Use automated monitoring and threat detection tools to identify areas where operational efficiency can be improved.
  • ID.IM-04: Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved.

    This Subcategory emphasizes the need to establish well-defined plans, communicate them across relevant teams, continuously maintain them to reflect emerging threats, and improve them through lessons learned from past incidents.

    These actionable steps can help you comply with this Subcategory:

    • Outline key steps for detecting, responding to, mitigating, and recovering from cybersecurity incidents.
    • Ensure all relevant stakeholders understand their roles in incident response by conducting regular training and awareness sessions.
    • Periodically assess the plan based on new threats, changes in IT infrastructure, or business requirements and update it accordingly.
    • Simulate real-world attack scenarios to test the effectiveness of the plan.