Download free policy and standard templates for the NIST CSF 2.0 Identify Core Function, which focuses on understanding the organizational environment and the risks to its systems, people, assets, and data.
The Identify Function helps organizations understand their cybersecurity risks and establish a robust risk management strategy. By identifying key assets (such as data, hardware, software, systems, facilities, services, and personnel) along with suppliers and associated risks, this function enables organizations to prioritize their efforts in alignment with their risk management objectives. It also includes identifying opportunities to enhance policies, plans, processes, procedures, and practices that support effective cybersecurity risk management. The Identify Function is composed of Categories. These Categories break down the Function into more specific outcomes and activities, providing a structured approach for organizations to manage and implement cybersecurity practices.
The following policy and standard templates help ensure that the NIST CSF Identify categories are adequately addressed, including Asset Management; Risk Assessment; and Improvement:
- Risk Assessment Policy
- Security Assessment and Authorization Policy
- Configuration Management Policy
- Secure Configuration Standard
Visit Template Instructions for help completing these templates and the Implementation Guide for tips on how to implement these policies and standards once the templates are completed.
- Description: The Risk Assessment Policy ensures that Information Technology performs risk assessments in compliance with IT security policies, standards, and procedures.
- Word Template Link: Risk-Assessment-Policy.docx
- Primary NIST CSF 2.0 Category: Risk Assessment
- Description: The Security Assessment and Authorization Policy establishes that Information Technology and the various business units (information owners) will ensure security controls in information systems, and the environments in which those systems operate, as part of initial and ongoing security authorizations, annual assessments, continuous monitoring and system development life cycle activities.
- Word Template Link: Security-Assessment-and-Authorization-Policy.docx
- Primary NIST CSF 2.0 Category: Risk Assessment
- Description: The Configuration Management Policy ensures that Information Technology resources are inventoried and configured in compliance with IT security policies, standards, and procedures.
- Document Link: Configuration-Management-Policy.docx
- Primary NIST CSF 2.0 Category: Asset Management
- Description: The Secure Configuration Standard establishes baseline configurations for information systems that are owned and/or operated by the entity. Effective implementation of this standard will maximize security and minimize the potential risk of unauthorized access to information and technology.
- Document Link: Secure-Configuration-Standard.docx
- Primary NIST CSF 2.0 Category: Asset Management
- Description: The Secure System Development Life Cycle Standard ensures that information security is adequately considered and built into every phase of the SDLC. Failure to identify risks and implement proper controls can result in inadequate security, potentially putting entities at risk of data breaches, reputational exposure, loss of public trust, compromise to systems/networks, financial penalties and legal liability.
- Document Link: Secure-System-Development-Life-Cycle-Standard.docx
- Primary NIST CSF 2.0 Category: Asset Management
- Description: The Maintenance Policy ensures that Information Technology resources are maintained in compliance with IT security policies, standards, and procedures.
- Document Link: Maintenance-Policy.docx
- Primary NIST CSF 2.0 Category: Improvement
The Identify Categories are designed to help organizations establish a comprehensive understanding of their cybersecurity landscape, including asset management, risk assessment, and governance structures. Key components include the development of policies and practices for identifying critical assets, assessing risks, and ensuring compliance, as well as the establishment of clear roles and responsibilities for cybersecurity. By strengthening these Categories, organizations can better prioritize resources, address vulnerabilities, and ensure effective risk management across their entire infrastructure. A list and description of each specific Identify Category can be found below:
- Description: Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy
- NIST CSF 2.0 Identifier: ID.AM
- Description: The cybersecurity risk to the organization, assets, and individuals is understood by the organization
- NIST CSF 2.0 Identifier: ID.RA
- Description: Improvements to organizational cybersecurity risk management processes, procedures and activities are identified across all CSF Functions
- NIST CSF 2.0 Identifier: ID.IM