NIST CSF Categories & Subcategories Explained
Quick Answer
NIST CSF 2.0 has 22 categories and 106 subcategories organized under 6 core functions. Categories group related cybersecurity outcomes (e.g., Asset Management, Access Control), while subcategories define specific outcomes to achieve. Together they provide a detailed roadmap for cybersecurity activities.
NIST CSF Category Structure
The NIST CSF Core is organized in a hierarchy: Functions → Categories → Subcategories. Functions (6) provide the highest-level view. Categories (22) group related activities within each function. Subcategories (106) define specific outcomes that, when achieved together, build a comprehensive cybersecurity program.
Key Takeaways
- CSF 2.0 has 6 functions, 22 categories, and 106 subcategories
- Each subcategory describes a specific cybersecurity outcome to achieve
- Subcategories carry informative references to other standards (SP 800-53, ISO/IEC 27001, CIS Controls); in CSF 2.0 these mappings live in NIST's online Cybersecurity and Privacy Reference Tool rather than in the core document, so check there for the current version
- Not all subcategories apply to every organization — select based on your risk profile
- Implementation examples (new in 2.0) show how to achieve each subcategory in practice
Categories by Function
| Function | Category ID | Category Name | Subcategories |
|---|---|---|---|
| Govern | GV.OC | Organizational Context | 5 |
| Govern | GV.RM | Risk Management Strategy | 7 |
| Govern | GV.RR | Roles, Responsibilities, and Authorities | 4 |
| Govern | GV.PO | Policy | 2 |
| Govern | GV.OV | Oversight | 3 |
| Govern | GV.SC | Cybersecurity Supply Chain Risk Management | 10 |
| Identify | ID.AM | Asset Management | 7 |
| Identify | ID.RA | Risk Assessment | 10 |
| Identify | ID.IM | Improvement | 4 |
| Protect | PR.AA | Identity Management, Authentication, and Access Control | 6 |
| Protect | PR.AT | Awareness and Training | 2 |
| Protect | PR.DS | Data Security | 4 |
| Protect | PR.PS | Platform Security | 6 |
| Protect | PR.IR | Technology Infrastructure Resilience | 4 |
| Detect | DE.CM | Continuous Monitoring | 5 |
| Detect | DE.AE | Adverse Event Analysis | 6 |
| Respond | RS.MA | Incident Management | 5 |
| Respond | RS.AN | Incident Analysis | 4 |
| Respond | RS.CO | Incident Response Reporting and Communication | 2 |
| Respond | RS.MI | Incident Mitigation | 2 |
| Recover | RC.RP | Incident Recovery Plan Execution | 6 |
| Recover | RC.CO | Incident Recovery Communication | 2 |
The counts sum to 106 (Govern 31, Identify 21, Protect 22, Detect 11, Respond 13, Recover 8). Subcategory IDs are not always contiguous, because subcategories withdrawn during drafting were not renumbered (ID.AM goes from -05 to -07, DE.CM from -03 to -06), so count the entries in the published Core rather than reading the highest suffix.
How to Use Categories and Subcategories
Working with CSF Categories
Start at the function level
Understand what each of the six functions covers and how they apply to your organization.
Review applicable categories
Within each function, identify which categories are relevant to your business, risk profile, and regulatory requirements.
Assess at the subcategory level
For each relevant category, evaluate your current state against each subcategory. This is where the detailed assessment happens.
Use informative references
Each subcategory maps to specific controls in other frameworks (NIST SP 800-53, ISO/IEC 27001, CIS Controls). The mappings are published in NIST's online reference tool, not in the CSF 2.0 document itself; use them to identify concrete controls and implementation steps.
Reference implementation examples
CSF 2.0 publishes implementation examples as a separate companion resource. They describe practical, non-exhaustive ways to achieve each subcategory's outcome and are useful when deciding what evidence an assessment should collect.
Key Categories Deep Dive
Asset Management (ID.AM)
Asset Management is foundational: you cannot protect what you do not know you have. ID.AM requires inventorying hardware, software and services, network communication flows, services provided by suppliers, and data, and prioritizing each asset by its classification and business criticality.
Access Control (PR.AA)
Identity management and access control is one of the most impactful categories. It covers identity and credential lifecycle management, identity proofing, authentication (including MFA) that is risk-appropriate, access permissions and entitlements managed under least privilege and separation of duties, and physical access to assets.
Continuous Monitoring (DE.CM)
Continuous Monitoring is often the largest gap in organizations. DE.CM requires monitoring networks and network services, the physical environment, personnel activity, external service provider activity, and computing hardware, software and runtime environments for potentially adverse events.
Supply Chain Risk Management (GV.SC)
GV.SC sits in the new Govern function and expands on CSF 1.1's ID.SC. Its 10 subcategories cover establishing a supply chain risk management program, supplier identification and prioritization, due diligence, contractual requirements, ongoing monitoring of suppliers and service providers, and supply chain considerations in incident planning and recovery.
ℹ️ Informative References
Every subcategory has informative references: mappings to specific controls in other standards. For example, PR.AA-01 maps to NIST SP 800-53 AC-1, AC-2, IA-1, and ISO/IEC 27001 A.5.15 through A.5.18. The references suggest the 'how' behind each CSF outcome, but they are maintained in NIST's online reference tool and are revised independently of the CSF document, so confirm the current mapping there before citing it in an assessment.
Do I need to implement all 106 subcategories?
No. NIST CSF is designed to be customized. Select subcategories based on your risk assessment, business requirements, and regulatory obligations. A small business might focus on 30-40 high-priority subcategories, while a large enterprise might address all 106.
How do categories map to other frameworks?
NIST publishes informative references to its own standards and to ISO/IEC 27001 and CIS Controls. Mappings to SOC 2 Trust Service Criteria, PCI DSS requirements, and HIPAA safeguards come from the bodies that own those frameworks or from third parties, so their granularity and currency vary. GRC platforms automate these mappings, but the underlying crosswalk should still be reviewed.
What changed in categories from CSF 1.1 to 2.0?
CSF 2.0 added the Govern function (6 categories), moving and expanding material that CSF 1.1 kept under Identify (business environment, governance, risk management strategy, and supply chain), and reorganized several categories elsewhere. The total went from 23 categories to 22 and from 108 subcategories to 106, but Govern, especially GV.SC, adds significant new content.
How detailed should my assessment be at the subcategory level?
For each applicable subcategory, document: (1) your current state (not implemented, partial, largely, fully), (2) evidence supporting the assessment, (3) target state, and (4) gap and action items if any. A claim of progress without evidence and a gap without an owner or action item are the two findings an auditor will raise first, so treat both as defects in the record. This level of detail enables actionable gap analysis.
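The following Python script is an added example, not code from the page or from NIST. It implements the assessment record described in this answer and the function-to-category-to-subcategory walk from "How to Use Categories and Subcategories": it validates subcategory IDs against the CSF 2.0 category list, lints records for missing evidence or action items, and rolls assessed coverage and gap up to the function level. The 0-3 scoring scale and the sample assessment records are constructed for illustration.

```python
"""Subcategory-level gap analysis for a NIST CSF 2.0 self-assessment (added example)."""
import re
from dataclasses import dataclass, field

# Subcategory counts for the 22 CSF 2.0 categories (106 in total).
CATEGORY_COUNTS = {
    "GV.OC": 5, "GV.RM": 7, "GV.RR": 4, "GV.PO": 2, "GV.OV": 3, "GV.SC": 10,
    "ID.AM": 7, "ID.RA": 10, "ID.IM": 4,
    "PR.AA": 6, "PR.AT": 2, "PR.DS": 4, "PR.PS": 6, "PR.IR": 4,
    "DE.CM": 5, "DE.AE": 6,
    "RS.MA": 5, "RS.AN": 4, "RS.CO": 2, "RS.MI": 2,
    "RC.RP": 6, "RC.CO": 2,
}
FUNCTIONS = {"GV": "Govern", "ID": "Identify", "PR": "Protect",
             "DE": "Detect", "RS": "Respond", "RC": "Recover"}

# Assumed 0-3 scale for the four states named in the text.
STATE_SCORE = {"not implemented": 0, "partial": 1, "largely": 2, "fully": 3}

SUBCAT_RE = re.compile(r"^(GV|ID|PR|DE|RS|RC)\.([A-Z]{2})-(\d{2})$")


@dataclass
class Assessment:
    subcategory: str                 # e.g. "PR.AA-05"
    current: str                     # key of STATE_SCORE
    target: str                      # key of STATE_SCORE
    evidence: list[str] = field(default_factory=list)
    actions: list[str] = field(default_factory=list)

    @property
    def gap(self) -> int:
        """Levels between current and target state (negative = target below current)."""
        return STATE_SCORE[self.target] - STATE_SCORE[self.current]


def validate_subcategory(subcat: str) -> str:
    """Return the category ID, raising on a malformed or unknown subcategory ID.

    Only the function/category prefix is checked: CSF 2.0 numbering has gaps
    (ID.AM has no -06), so the suffix cannot be range-checked from the counts.
    """
    m = SUBCAT_RE.match(subcat)
    if not m:
        raise ValueError(f"malformed subcategory ID: {subcat!r}")
    category = f"{m.group(1)}.{m.group(2)}"
    if category not in CATEGORY_COUNTS:
        raise ValueError(f"unknown CSF 2.0 category: {category}")
    return category


def lint(assessments: list[Assessment]) -> list[str]:
    """Flag records an auditor would reject: progress claimed without evidence,
    a gap with no action item, or a target below the current state."""
    issues = []
    for a in assessments:
        validate_subcategory(a.subcategory)
        if STATE_SCORE[a.current] > 0 and not a.evidence:
            issues.append(f"{a.subcategory}: state '{a.current}' has no evidence")
        if a.gap > 0 and not a.actions:
            issues.append(f"{a.subcategory}: gap of {a.gap} but no action items")
        if a.gap < 0:
            issues.append(f"{a.subcategory}: target state below current state")
    return issues


def rollup(assessments: list[Assessment]) -> dict[str, dict]:
    """Per function: subcategories assessed vs. total in the Core, and summed positive gap."""
    out = {fn: {"assessed": 0, "total": 0, "gap": 0} for fn in FUNCTIONS}
    for cat, n in CATEGORY_COUNTS.items():
        out[cat[:2]]["total"] += n
    for a in assessments:
        fn = validate_subcategory(a.subcategory)[:2]
        out[fn]["assessed"] += 1
        out[fn]["gap"] += max(a.gap, 0)
    return out


# Constructed sample records; evidence strings are illustrative, not real artefacts.
ASSESSMENT = [
    Assessment("ID.AM-01", "largely", "fully",
               evidence=["CMDB export 2024-Q3"], actions=["add OT devices to CMDB"]),
    Assessment("PR.AA-03", "partial", "fully",
               evidence=["IdP policy: MFA enforced for admins only"],
               actions=["extend MFA to all workforce accounts"]),
    Assessment("PR.AA-05", "partial", "largely", actions=["quarterly access reviews"]),
    Assessment("DE.CM-01", "not implemented", "largely"),
    Assessment("GV.SC-06", "fully", "fully", evidence=["vendor due-diligence checklist v2"]),
]

if __name__ == "__main__":
    for issue in lint(ASSESSMENT):
        print("LINT:", issue)
    for fn, r in rollup(ASSESSMENT).items():
        print(f"{FUNCTIONS[fn]:<9} {r['assessed']:>2}/{r['total']:<3} assessed, gap {r['gap']}")
```

On the sample data the linter flags PR.AA-05 (progress claimed with no evidence) and DE.CM-01 (a two-level gap with no action item); the roll-up shows Respond and Recover with zero subcategories assessed, which is the coverage signal the function-level pass in "How to Use Categories and Subcategories" is meant to surface. Replace the constructed ASSESSMENT list with an export from your own tracking sheet to reuse it.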