NIST CSF foundational function for understanding organizational cybersecurity risk to systems, people, assets, and capabilities.
# NIST CSF Identify Function
The Identify function is the foundational element of the NIST Cybersecurity Framework (CSF), focused on developing organizational understanding of cybersecurity risk to systems, people, assets, data, and capabilities. It encompasses asset management, business environment analysis, governance structures, risk assessment, and risk management strategy. The Identify function answers the fundamental question: what do we need to protect and what are the risks to those assets?
The Identify function exists because security programs built without comprehensive organizational understanding fail predictably. Organizations cannot protect assets they do not know exist, prioritize risks they have not assessed, or allocate security budgets effectively without understanding their business context. The function establishes the organizational foundation that makes all other cybersecurity activities strategic rather than reactive.
Within the NIST CSF structure, the Identify function provides the baseline understanding that enables the other four functions. Protect activities target the assets and risks identified in this phase. Detect capabilities monitor the systems and data flows catalogued here. Respond and Recover plans address the business processes and dependencies mapped during Identify activities. Without this foundation, subsequent security activities lack strategic direction and business alignment.
The function is particularly critical for organizations operating in complex environments with multiple business units, extensive third-party relationships, or regulatory requirements. These organizations cannot afford to discover critical assets during incident response or learn about compliance obligations during audit season.
The NIST CSF Identify function contains six categories, each addressing a specific aspect of organizational understanding. These categories work together to create a comprehensive picture of what needs protection and how security risks map to business impact.
Asset Management (ID.AM) requires organizations to inventory and document physical devices, systems, platforms, applications, and data flows. This extends beyond traditional IT assets to include operational technology, Internet of Things devices, cloud services, and mobile endpoints. Effective asset management maintains real-time awareness of what exists on the network, where sensitive data resides, and which systems support critical business functions.
Organizations implement asset management through automated discovery tools, configuration management databases, and data flow mapping exercises. The goal is not perfect inventory accuracy but sufficient visibility to support risk-based decision making. Many organizations start with business-critical systems and work outward rather than attempting comprehensive discovery simultaneously.
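The reconciliation step described above, as an added example that is not from the article or from CDA's tooling: a CMDB export is compared against a discovery sweep and a vulnerability-scanner enrollment list so that unknown hosts (the shadow IT case raised later in the article), stale records, and uncovered critical systems come out as one prioritized work list. All hostnames, owners and data labels are constructed sample data.

```python
# Added example (not from the article or from CDA): reconciling a CMDB export
# against a discovery scan and a vulnerability-scanner enrollment list, so that
# asset-management gaps (ID.AM) surface as a short, prioritized work list.
# All hostnames, owners and data labels below are constructed sample data.

# CMDB export: what the organization *believes* exists, with business context.
CMDB = {
    "web-01":     {"owner": "ecommerce", "critical": True,  "data": ["PII", "payment"]},
    "db-01":      {"owner": "ecommerce", "critical": True,  "data": ["PII", "payment"]},
    "hr-app":     {"owner": "hr",        "critical": False, "data": ["PII"]},
    "legacy-ftp": {"owner": "ops",       "critical": False, "data": []},
}

# Hosts actually seen by the discovery tool on the last sweep.
DISCOVERED = {"web-01", "db-01", "hr-app", "test-box-7", "printer-3f"}

# Hosts enrolled in the vulnerability scanner (a proxy for "covered by controls").
SCANNED = {"web-01", "hr-app"}


def reconcile(cmdb, discovered, scanned):
    """Return the three gaps an Identify review cares about, each sorted for stable output."""
    known = set(cmdb)
    return {
        # On the network but not in the CMDB: shadow IT or an unrecorded deployment.
        "unknown": sorted(discovered - known),
        # In the CMDB but not seen: decommissioned without update, or a discovery blind spot.
        "stale": sorted(known - discovered),
        # Business-critical, present, and not covered by scanning: highest-priority gap.
        "critical_unscanned": sorted(
            h for h, a in cmdb.items()
            if a["critical"] and h in discovered and h not in scanned
        ),
    }


def work_list(cmdb, discovered, scanned):
    """Order findings the way the text suggests: critical systems first, then work outward."""
    gaps = reconcile(cmdb, discovered, scanned)
    items = [(0, h, "critical asset not in scanner scope") for h in gaps["critical_unscanned"]]
    items += [(1, h, "unknown host: assign owner and classify data") for h in gaps["unknown"]]
    items += [(2, h, "stale record: confirm decommission or fix discovery") for h in gaps["stale"]]
    return items


if __name__ == "__main__":
    for priority, host, action in work_list(CMDB, DISCOVERED, SCANNED):
        print(f"P{priority} {host:12} {action}")
```

Running the same reconciliation after every discovery sweep, rather than once a year, is what turns the inventory into the continuous process the article argues for.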
Business Environment (ID.BE) establishes understanding of the organization's mission, objectives, stakeholders, and place within critical infrastructure. This category answers questions about regulatory obligations, industry sector requirements, and dependencies on external services. Organizations document their role in supply chains, identify their most important customers and business processes, and map how cybersecurity incidents would impact business operations.
Business environment analysis typically involves interviews with business unit leaders, review of regulatory filings and strategic plans, and assessment of contractual obligations. The output includes business impact analyses that quantify how system outages or data breaches would affect revenue, operations, and reputation.
Governance (ID.GV) covers the policies, procedures, and management oversight that guide cybersecurity activities. This includes board oversight, executive accountability, policy frameworks, and integration of cybersecurity into enterprise risk management. Governance ensures that cybersecurity decisions align with business strategy and that accountability for cyber risk is clearly assigned.
Effective governance establishes cybersecurity roles and responsibilities, defines risk appetite and tolerance levels, and creates mechanisms for regular reporting to senior management and board oversight. It also ensures that cybersecurity considerations are integrated into business processes like vendor selection, product development, and merger and acquisition activities.
Risk Assessment (ID.RA) involves identifying cybersecurity risks to organizational operations, assets, and individuals. This includes threat identification, vulnerability assessment, and analysis of how identified risks could impact business objectives. Risk assessment connects technical vulnerabilities to business consequences and provides the foundation for prioritizing security investments.
Organizations conduct risk assessments through a combination of automated vulnerability scanning, threat modeling, penetration testing, and business impact analysis. The assessment process considers both internal vulnerabilities and external threats relevant to the organization's industry, geography, and threat profile. Results are documented in risk registers that track identified risks, their potential impact, likelihood of occurrence, and current mitigation status.
Risk Management Strategy (ID.RM) establishes the organization's approach to managing cybersecurity risk, including risk tolerance levels, risk response strategies, and criteria for risk acceptance. This category ensures that cybersecurity risk management integrates with enterprise risk management and that risk decisions are made consistently across the organization.
Risk management strategy defines when risks should be mitigated, transferred, accepted, or avoided. It establishes criteria for vendor risk assessment, incident response escalation, and business continuity planning. The strategy also addresses how cybersecurity risks are communicated to stakeholders and how risk posture changes are monitored over time.
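How a risk register (ID.RA) and a written response policy (ID.RM) fit together, as an added example that is not from the article or from CDA: each register entry is scored, mapped to one of the four responses named above according to stated tolerance thresholds, and flagged for escalation when it exceeds the acceptance level. The 5x5 scale, the thresholds and the register entries are constructed assumptions, not values taken from NIST.

```python
# Added example (not from the article or from CDA): a minimal risk register
# (ID.RA) combined with a written risk-response policy (ID.RM) so every entry
# gets a consistent, explainable treatment. Scale, thresholds and entries are constructed.

# Risk appetite expressed as thresholds on likelihood * impact (each 1..5).
POLICY = {
    "accept_at_or_below": 4,    # documented acceptance by the risk owner suffices
    "transfer_at_or_below": 12, # third-party risks in this band go to contract/insurance
    "avoid_at_or_above": 16,    # if not mitigable, stop the activity / decommission
}

RISK_REGISTER = [
    {"id": "R-1", "asset": "db-01", "threat": "SQL injection via web-01 exposes payment data",
     "likelihood": 4, "impact": 5, "third_party": False, "mitigation_feasible": True},
    {"id": "R-2", "asset": "crm-saas", "threat": "SaaS provider outage halts sales",
     "likelihood": 3, "impact": 3, "third_party": True, "mitigation_feasible": True},
    {"id": "R-3", "asset": "printer-3f", "threat": "outdated printer firmware",
     "likelihood": 2, "impact": 1, "third_party": False, "mitigation_feasible": True},
    {"id": "R-4", "asset": "legacy-ftp", "threat": "unpatchable vuln in EOL FTP server",
     "likelihood": 5, "impact": 4, "third_party": False, "mitigation_feasible": False},
]

def score(risk):
    """Inherent risk score; reject values outside the 1..5 scale rather than guessing."""
    lik, imp = risk["likelihood"], risk["impact"]
    if not (1 <= lik <= 5 and 1 <= imp <= 5):
        raise ValueError(f"{risk['id']}: likelihood/impact must be 1..5")
    return lik * imp

def select_response(risk, policy=POLICY):
    """Map a score to one of the four responses named in the text, in a fixed order."""
    s = score(risk)
    if s <= policy["accept_at_or_below"]:
        return "accept"
    if s >= policy["avoid_at_or_above"] and not risk["mitigation_feasible"]:
        return "avoid"
    if risk["third_party"] and s <= policy["transfer_at_or_below"]:
        return "transfer"
    return "mitigate"

def prioritized_register(register, policy=POLICY):
    """Highest score first; flag what exceeds tolerance for escalation to governance."""
    rows = [(r["id"], score(r), select_response(r, policy),
             score(r) > policy["accept_at_or_below"]) for r in register]
    return sorted(rows, key=lambda row: -row[1])

if __name__ == "__main__":
    for rid, s, resp, escalate in prioritized_register(RISK_REGISTER):
        print(f"{rid} score={s:2} response={resp:8} escalate={escalate}")
```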
Supply Chain Risk Management (ID.SC) addresses cybersecurity risks arising from suppliers, vendors, and other external dependencies. This includes third-party risk assessment, vendor security requirements, and monitoring of supply chain cybersecurity practices. Supply chain risk management has become increasingly important as organizations rely more heavily on cloud services, software-as-a-service applications, and outsourced business processes.
Organizations implement supply chain risk management through vendor security questionnaires, contract security requirements, and ongoing monitoring of third-party security posture. This includes understanding which vendors have access to sensitive data or critical systems, assessing vendor cybersecurity capabilities, and developing contingency plans for vendor security incidents.
Each category contains multiple subcategories with specific outcome statements that guide implementation. For example, the Asset Management category includes subcategories for hardware asset inventory, software asset inventory, and organizational communication flows. Organizations can assess their maturity against each subcategory and prioritize improvements based on their risk profile and business objectives.
The Identify function determines whether an organization's cybersecurity program addresses actual risk or operates based on assumptions and generic best practices. Organizations that implement security controls without completing Identify activities often discover during incidents that their most critical assets were unprotected while substantial resources were devoted to defending less important systems.
Consider the financial impact of inadequate asset management. When organizations do not maintain accurate inventories of their systems and data, they cannot scope security assessments effectively, leading to either incomplete coverage or unnecessary spending on low-risk areas. During incident response, incomplete asset knowledge extends recovery time because teams must discover what was affected before they can remediate damage. The 2017 Equifax breach exemplified this problem: the company initially could not determine which systems were compromised or how many consumers were affected because of inadequate asset inventory.
Regulatory compliance requires the foundational understanding that the Identify function provides. Privacy regulations like GDPR and CCPA require organizations to know where personal data is stored, how it flows through their systems, and which third parties have access to it. Financial services regulations require understanding of which systems support critical business functions and how those systems would be restored after a cyber incident. Organizations that attempt to address compliance requirements without completing Identify activities often fail audits or face regulatory enforcement actions.
The business environment category prevents security programs from operating in isolation from business strategy. Security teams that do not understand their organization's business model, customer relationships, and competitive environment make decisions that conflict with business objectives. For example, security policies that interfere with customer experience or business development can damage revenue while providing little additional protection against relevant threats.
Risk assessment failures compound over time. Organizations that do not systematically identify and evaluate cybersecurity risks often experience "security theater" where visible controls are implemented to satisfy stakeholders while actual vulnerabilities remain unaddressed. This approach fails when sophisticated attackers target the unassessed vulnerabilities rather than testing the well-defended systems.
Supply chain risk management has become business-critical as organizations increasingly depend on third-party services. The 2020 SolarWinds attack affected thousands of organizations that had not adequately assessed the cybersecurity risks in their supply chain. Similarly, cloud service outages can disrupt business operations for organizations that have not assessed their dependencies on external providers or developed appropriate contingency plans.
A common misconception is that the Identify function requires perfect information before security activities can begin. In practice, organizations can start with high-level understanding and refine their knowledge over time. The goal is sufficient visibility to make informed decisions, not comprehensive documentation of every asset and risk.
CDA's approach to the NIST CSF Identify function centers on the Risk Governance & Assurance (RGA) domain principle that compliance and security are continuous states rather than periodic projects. The Identify function requires ongoing organizational awareness that evolves as business operations, technology infrastructure, and the threat landscape change. CDA's Perpetual Compliance Assurance (PCA) methodology ensures that the foundational understanding established through Identify activities remains current and actionable.
The C-RECON campaign tier maps directly to the NIST CSF Identify function, providing theater missions that guide organizations through comprehensive asset discovery, risk assessment, and governance establishment. Rather than treating asset inventory as a one-time project, C-RECON missions establish continuous discovery processes that adapt to infrastructure changes. Business environment analysis becomes an ongoing assessment that monitors changes in regulatory requirements, business strategy, and threat landscape rather than an annual exercise.
CDA's Rosetta Stone engine maps Identify function subcategories to specific theater missions, ensuring complete coverage while avoiding duplicated effort. For organizations implementing multiple frameworks simultaneously, this mapping prevents the common problem of conducting separate asset inventories for NIST CSF, ISO 27001, and SOC 2 compliance. Instead, a single continuous discovery process satisfies multiple framework requirements.
The RGA domain owns the Identify function because it establishes the governance foundation for all cybersecurity activities. Risk assessment, policy development, and compliance management all depend on the organizational understanding that the Identify function provides. CDA's approach ensures that this understanding translates into actionable governance rather than documentation that becomes obsolete.
CDA differs from conventional NIST CSF implementation by emphasizing automation and integration over manual documentation. While many organizations implement the Identify function through periodic assessment projects that produce static reports, CDA establishes continuous monitoring capabilities that provide real-time visibility into asset changes, risk posture evolution, and compliance status. This approach aligns with the reality that modern organizations change too rapidly for annual or quarterly assessment cycles to maintain accuracy.
The PCA methodology recognizes that the Identify function must account for both planned changes (new systems, business expansion, vendor relationships) and unplanned changes (shadow IT, configuration drift, emerging threats). CDA theater missions establish monitoring capabilities for both categories, ensuring that organizational understanding remains current despite operational complexity.
• The Identify function provides the foundational understanding required for all other cybersecurity activities, including asset inventory, business context, governance structure, risk assessment, and supply chain dependencies.
• Organizations cannot protect assets they do not know exist or prioritize risks they have not assessed, making the Identify function prerequisite to effective cybersecurity program development.
• The six categories work together to create comprehensive organizational understanding: Asset Management catalogs what exists, Business Environment establishes context, Governance provides oversight, Risk Assessment identifies threats, Risk Management Strategy defines approach, and Supply Chain Risk Management addresses third-party dependencies.
• Effective implementation requires continuous monitoring rather than periodic assessment projects, as modern organizations change too rapidly for static documentation to remain accurate.
• The Identify function enables regulatory compliance, business alignment, and strategic security investment by connecting technical vulnerabilities to business impact and ensuring security activities address actual organizational risk.
Written by CDA Editorial