nist cybersecurity framework scytale
Ronan Grobler

Compliance Success Manager


The 5 Functions of the NIST Cybersecurity Framework

Summary: The NIST Cybersecurity Framework lays out five core functions to focus your efforts: Identify, Protect, Detect, Respond, and Recover.

With threats evolving at a rapid pace, it can feel overwhelming to determine what controls and safeguards to put in place. The good news is, the National Institute of Standards and Technology developed a helpful framework to simplify this process. Their Cybersecurity Framework lays out five core functions to focus your efforts: Identify, Protect, Detect, Respond, and Recover. By understanding each function and implementing controls within them, you can develop a robust and risk-based cybersecurity program. Over the next few minutes, we’re going to unpack each of these functions so you have a blueprint to get started. cybersecurity doesn’t have to be complicated when you have the right tools and resources. The NIST Framework is one of those tools, so let’s dive in!

History of NIST Compliance

The National Institute of Standards and Technology (NIST) Cybersecurity Framework was created in 2014 to help organizations manage cybersecurity risks.

Originally designed for critical infrastructure sectors, the Framework has since been adopted by organizations across industries. It provides five key functions to help identify, protect, detect, respond to, and recover from cyberattacks.

The NIST Cybersecurity Framework provides a common language and systematic methodology for managing cyber risks. Following these five functions can help strengthen your cyber defenses and build a more cyber resilient organization.

Identify: Develop an Organizational Understanding of Cyber Risk

The Identify function is all about understanding your organization’s cybersecurity risks. This means identifying your critical assets, like customer data, intellectual property, and operational systems. It also means pinpointing the vulnerabilities in those assets and the threats targeting them.

Some key steps in the Identify process:

  1. Inventory your critical assets. Make a list of your most important data, systems, devices, and infrastructure. These are your “crown jewels” that need protection.
  2. Analyze your vulnerabilities. Figure out the weaknesses in your IT systems and infrastructure that could be exploited. Are there any software flaws, configuration errors or outdated components?
  3. Identify internal and external threats. Consider potential threats from inside your organization, like errors or malicious insiders, as well as outside threats like hackers, malware or data breaches affecting your suppliers.
  4. Prioritize risks. Not all risks are equal, so focus on addressing high-impact or high-likelihood threats to your most critical assets. Continually re-evaluate as new threats emerge and your business changes.

By understanding your organization’s cyber risks and vulnerabilities, you’ll be in a much better position to implement controls and safeguards to reduce exposure. The Identify function is an important first step to building a comprehensive cybersecurity program based on your unique needs and priorities. Regular reviews and updates help ensure your efforts remain targeted and effective.

Protect: Implement Safeguards to Ensure Delivery of Critical Services

The Protect function focuses on developing and implementing appropriate safeguards to ensure delivery of critical infrastructure services. This includes:

  • Access control: Strictly limiting access to systems and data only to authorized users. This could include multi-factor authentication, role-based access controls, and routine auditing of access levels.
  • Awareness and training: Educating personnel about cyber risks and their responsibilities to strengthen security practices. This may involve phishing simulation campaigns to help identify vulnerabilities.
  • Data security: Classifying data by level of sensitivity and implementing strong encryption and other protection methods. Backup data regularly in case of breaches or system failures.
  • Protective technology: Employing firewalls, antivirus software, intrusion detection systems and other tools to monitor systems and defend against threats. Keep all software up-to-date with the latest patches.
  • Maintenance: Performing regular maintenance on hardware, software and systems. Conduct routine tests and drills to identify weaknesses. Develop and practice response plans in the event of security events or incidents.

To summarize, the Protect function aims to build robust safeguards and foster a strong cybersecurity culture. By taking a proactive stance, organizations can reduce risks to critical infrastructure and ensure the continuous delivery of essential services. Overall, the Protect function works to limit or contain the impact of potential cybersecurity events.

Detect: Develop and Implement Activities to Identify the Occurrence of a Cybersecurity Event

The Detect function focuses on developing and implementing the appropriate activities to identify the occurrence of a cybersecurity event. This means setting up monitoring processes and controls to detect potential cyber threats in a timely manner.

Some of the key things you’ll want to do here include:

  • Continuously monitoring networks, systems, and assets for signs of compromise or attack. This could include reviewing logs, analyzing traffic patterns, and monitoring for anomalies.
  • Deploying intrusion detection systems, intrusion prevention systems, and data loss prevention solutions to monitor events and detect malicious activity.
  • Conducting regular vulnerability scans and penetration tests to identify weaknesses and vulnerabilities that could be exploited.
  • Encouraging employees to report suspicious activity or events as soon as possible. Effective detection relies on a combination of people, processes, and technology.
  • Reviewing alerts and events to determine if they warrant further investigation. Not all alerts turn out to be actual cybersecurity events, so triage and analysis is important.
  • Conducting forensic investigations when events are detected to determine the impact and root cause. This information can then be used to strengthen defenses and prevent similar events from happening again.

The detect function is all about gaining visibility into your systems and networks so you can spot the signs of an attack or compromise as early as possible. The sooner you detect events, the faster you can contain and remediate them to minimize damage. Continuous monitoring and improvement will make your detection capabilities stronger over time.

nist compliance scytale

Respond: Develop and Implement Activities to Take Action Regarding a Detected Cybersecurity Incident

Once a cyber attack has been detected, time is of the essence. You need to respond quickly to contain the damage and get systems back online. Here are the key steps to take:

Detect the Incident

First, determine what systems and data have been impacted. Check for signs of unauthorized access or malicious software like ransomware. Interview users and review system logs to understand the scope of the attack.

Assess the Damage

Evaluate how critical systems and data were compromised to grasp how severe the situation is. See what sensitive data may have been stolen or encrypted. Assess how operations have been disrupted to determine response priorities.

Contain the Incident

Take affected systems offline to prevent further compromise. Block malicious IP addresses or disable compromised user accounts. Isolate infected systems to avoid the attack spreading. These containment actions may cause temporary operational issues but are necessary to limit damage.

Eradicate the Threat

Remove any malicious software or backdoors left behind. Wipe and restore critical systems from backups. Install software patches to fix any vulnerabilities that were exploited. Permanently block malicious actors from accessing your systems again.

Recover and Improve

Bring systems back online and restore access to data from backups as needed. Monitor closely for signs of another attack. Conduct a post-incident review to determine lessons learned and ways to strengthen defenses for the future. Update policies, procedures, and staff training to better respond to similar incidents going forward.

Following these steps in a quick and organized fashion is critical to overcoming a damaging cyber attack. How you respond can mean the difference between a minor hiccup and a major crisis. Be prepared by practicing your incident response plan before an actual attack occurs.

Recover: Develop and Implement Activities to Maintain Plans for Resilience and to Restore Capabilities or Services That Were Impaired Due to a Cybersecurity Incident

Once you’ve identified and contained a cybersecurity incident, it’s time to start recovering. This means developing and implementing plans to restore any capabilities or services that were impacted.

To recover, focus on resilience—the ability to adapt to and withstand disruption. Have procedures in place ahead of time for various scenarios. For example, if your network goes down, do you have a manual process to continue critical operations? Regularly test these plans to ensure they’ll work when needed.

After an incident occurs, activate your recovery plans. Diagnose the issue, determine what’s needed to resolve it, and take corrective action. Work with relevant stakeholders to prioritize recovery of essential systems and data. Be transparent by communicating actions taken and timelines for full recovery.

Review how effective your response was and make improvements for the future. Update plans and procedures accordingly and provide additional training as needed. Practice resilience by anticipating potential new threats and building in redundancies to critical systems so your organization can stay up and running even after facing cyberattacks and other disruptions.

The key to successful recovery is laying the groundwork before an incident happens. Develop, test, and practice plans so you have the capabilities in place to adapt and respond to events quickly and effectively. Learn from your experiences and continuously strengthen your resilience over time. This will minimize impacts to your organization and allow for a swift return to normal operations.

Why The NIST Framework Matters

The NIST Cybersecurity Framework matters because it provides a common language for understanding and managing cybersecurity risk. It enables organizations, regardless of size, degree of cybersecurity risk, or cybersecurity sophistication, to apply the principles and best practices of risk management to improving security and resilience.

Universal Application

The Framework is designed to be flexible and adaptable to different sectors, organizations, and technologies. It provides a common taxonomy and mechanism for organizations to:

  • Describe their current cybersecurity posture
  • Describe their target state for cybersecurity
  • Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
  • Assess progress toward the target state
  • Communicate among internal and external stakeholders about cybersecurity risk

Continuous Improvement

The Framework enables organizations to continuously monitor cybersecurity risks and make cost-effective improvements to cybersecurity programs over time based on experiences, new technologies, and threats. Using the Framework, an organization can determine its current level of cybersecurity risk management and set targets for improvement to work toward over time.


So there you have it, the 5 key functions of the NIST Cybersecurity Framework in a nutshell. As you’ve seen, it provides a comprehensive set of best practices and guidance for organizations of any size to better understand, manage, and reduce their cybersecurity risks. By implementing the framework, you’ll gain visibility into your systems and data, find and fix vulnerabilities, and be in a much better position to prevent, detect, and respond to cyberattacks. Though no system is 100% foolproof, using a proven framework like this is a huge step in the right direction. Cyber threats aren’t going away anytime soon, so take action today to shore up your defenses and gain peace of mind that your critical systems and information are as secure as possible. 

Share this article

A CTO’s Roadmap to Security Compliance: Your Go-To Handbook for Attaining SOC 2 and ISO 27001

Security Compliance for CTOs