NIST CSF Core Functions Explained: Govern, Identify, Protect, Detect, Respond, Recover
Quick Answer
The NIST CSF organizes cybersecurity into six core functions: Govern (strategy and governance), Identify (understand risk posture), Protect (implement safeguards), Detect (discover events), Respond (take action on incidents), and Recover (restore services). Together they cover the full cybersecurity lifecycle.
The Six Core Functions
The NIST CSF Core is the heart of the framework. It organizes all cybersecurity activities into six high-level functions that together represent a comprehensive approach to managing cybersecurity risk. Each function contains categories and subcategories that provide increasingly specific guidance.
Key Takeaways
- CSF 2.0 has six functions (Govern was added in 2.0); the original five remain unchanged
- Functions are not sequential — they operate concurrently and continuously
- Each function has 2-6 categories, with a total of 22 categories across all functions
- Categories are further divided into 106 subcategories with specific outcomes
- The functions provide a common vocabulary for discussing cybersecurity across the organization
Govern (GV) — New in CSF 2.0
The Govern function establishes the organization's cybersecurity risk management strategy, expectations, and governance. It is the foundation that informs and supports all other functions. Govern addresses the organizational context, risk management strategy, and oversight needed for effective cybersecurity.
| Category | ID | Purpose |
|---|---|---|
| Organizational Context | GV.OC | Understand the organization's mission, stakeholder expectations, and dependencies |
| Risk Management Strategy | GV.RM | Establish risk management priorities, constraints, and risk tolerance |
| Roles, Responsibilities, and Authorities | GV.RR | Define cybersecurity roles and establish accountability |
| Policy | GV.PO | Establish and communicate cybersecurity policy |
| Oversight | GV.OV | Monitor and review cybersecurity risk management activities |
| Cybersecurity Supply Chain Risk Management | GV.SC | Identify, assess, and manage supply chain risks |
Identify (ID)
The Identify function develops your organization's understanding of its cybersecurity risk posture. You cannot protect what you do not know exists. Identify covers asset discovery, risk assessment, and understanding your business environment.
- Asset Management (ID.AM): Maintain inventories of hardware, software, data, and external services
- Risk Assessment (ID.RA): Identify vulnerabilities, threats, likelihoods, and impacts
- Improvement (ID.IM): Identify improvements from assessments, exercises, and lessons learned
Protect (PR)
The Protect function implements safeguards to ensure delivery of critical services. It covers the technical and procedural measures that limit or contain the impact of potential cybersecurity events.
- Identity Management, Authentication, and Access Control (PR.AA): Manage identities, authenticate users, enforce least privilege
- Awareness and Training (PR.AT): Ensure personnel understand their cybersecurity responsibilities
- Data Security (PR.DS): Protect data at rest, in transit, and in use
- Platform Security (PR.PS): Manage hardware, software, and services to ensure security
- Technology Infrastructure Resilience (PR.IR): Manage security architectures to protect against threats
Detect (DE)
The Detect function enables timely discovery of cybersecurity events. Effective detection requires continuous monitoring, anomaly detection, and event analysis capabilities.
- Continuous Monitoring (DE.CM): Monitor assets continuously for cybersecurity events
- Adverse Event Analysis (DE.AE): Analyze anomalies and events to characterize and detect incidents
Respond (RS)
The Respond function takes action when a cybersecurity incident is detected. It covers incident management, communication, analysis, and mitigation to contain impact.
- Incident Management (RS.MA): Execute incident response plans and manage incidents through resolution
- Incident Analysis (RS.AN): Investigate incidents to determine scope, root cause, and impact
- Incident Response Reporting and Communication (RS.CO): Report incidents to stakeholders, regulators, and law enforcement as required
- Incident Mitigation (RS.MI): Contain and eradicate the incident, prevent recurrence
Recover (RC)
The Recover function restores services and capabilities impaired by a cybersecurity incident. It also incorporates lessons learned to improve future resilience.
- Incident Recovery Plan Execution (RC.RP): Execute recovery plans to restore systems and services
- Incident Recovery Communication (RC.CO): Communicate recovery activities to stakeholders
How the Functions Work Together
NIST CSF Function Lifecycle
The six functions operate concurrently as a continuous cycle, with Govern providing the foundation:
- Govern: Strategy, risk management, governance (foundation for all)
- Identify: Know your assets, risks, and business context
- Protect: Implement safeguards and access controls
- Detect: Monitor and discover cybersecurity events
- Respond: Take action on detected incidents
- Recover: Restore services and learn from incidents
✅ Not a waterfall — a continuous cycle
The functions are not sequential steps. All six operate simultaneously and continuously. You do not complete Identify before starting Protect. Instead, you develop capabilities across all functions in parallel, with maturity improving over time in each area.
Did NIST CSF go from five to six functions?
Yes. NIST CSF 1.0/1.1 had five functions (Identify, Protect, Detect, Respond, Recover). CSF 2.0 added Govern as a sixth function to emphasize the importance of cybersecurity governance, risk strategy, and organizational oversight.
Which function is most important?
All functions are essential and interdependent. However, Govern and Identify are foundational — without understanding your risk posture and having a governance structure, the other functions lack direction. In practice, most organizations need the most improvement in Detect and Respond.
Do I need to implement all six functions?
NIST CSF is flexible — you can prioritize functions based on your risk profile and business needs. However, all six functions are important for a comprehensive cybersecurity program. Even small organizations should address all six at a level appropriate to their risk.
How do the functions map to other frameworks?
NIST CSF functions map broadly to other frameworks: Protect maps to many ISO 27001 and SOC 2 controls, Detect maps to monitoring requirements in PCI DSS (Req 10-11), and Respond maps to incident response requirements across frameworks. NIST provides informative references showing these mappings.