NIST Cybersecurity Framework - Identify and Protect functions in practice
Practical implementation of NIST Cybersecurity Framework 2.0 Identify and Protect functions: asset inventory, risk assessment, access control, data protection, and NIS2 alignment.
The NIST Cybersecurity Framework (CSF) is one of the most widely adopted tools for structuring an organization’s cybersecurity program. First published in 2014 and updated to version 2.0 in February 2024, the framework defines six functions: Govern, Identify, Protect, Detect, Respond, and Recover. Each answers a different question: Govern - who makes decisions? Identify - what are we protecting? Protect - how do we prevent? Detect - how do we find? Respond - how do we react? Recover - how do we restore?
This article focuses on the first two operational functions - Identify and Protect - because they build the foundation without which the remaining functions cannot operate effectively. You cannot detect threats to assets you do not know exist. You cannot respond to incidents when basic access controls are missing.
NIST CSF 2.0 - what changed
Version 2.0 introduced several significant changes compared to version 1.1:
| Aspect | CSF 1.1 (2018) | CSF 2.0 (2024) |
|---|---|---|
| Scope | Critical infrastructure | All organizations, regardless of sector and size |
| Functions | 5 (Identify, Protect, Detect, Respond, Recover) | 6 (added Govern) |
| Govern | None | New function: governance, strategy, roles, policies |
| Profiles | Community Profiles | Organizational Profiles + Community Profiles |
| Supply chain | Limited | Expanded C-SCRM requirements |
| Continuous improvement | Implicit | Explicit improvement subcategories in each function |
The addition of the Govern function is the most significant change. NIST recognized that without clear decision-making structures, roles, and responsibilities, even the best technical controls do not deliver expected results. Govern “wraps around” all other functions and provides organizational context.
The Identify function - what we protect and from what
Identify answers fundamental questions: what assets does the organization own, what data does it process, who has access, and what risks are associated with them.
ID.AM - Asset Management
You cannot protect what you cannot see. Asset inventory is the starting point of every security program. NIST CSF 2.0 expands the scope of inventory to include:
- Hardware assets (servers, workstations, mobile devices, IoT, PLC controllers)
- Software assets (applications, operating systems, firmware)
- Data assets (where stored, how classified, who has access)
- Human assets (roles, permissions, access to critical systems)
- External assets (cloud services, suppliers, API interfaces)
TIP
In OT environments, asset inventory poses a particular challenge. Active scanning can disrupt controller operation. NIST SP 800-82 Rev. 3 recommends passive network traffic monitoring as a safe method for ICS asset inventory.
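The reconciliation step that turns a list into an inventory, as an added example (not code from the article): an authoritative CMDB-style inventory is compared with hosts seen by a passive network sensor, which is the method NIST SP 800-82 Rev. 3 prefers for OT networks. Both data sets are constructed samples; the required-field list and the 90-day review cadence (the "at minimum quarterly" review from ID.IM) are assumptions. The output is the four things a security program needs to act on: unmanaged hosts on the wire, recorded assets that never appear, records too incomplete to protect, and records whose review is overdue.

```python
"""Reconcile an authoritative asset inventory with what a passive sensor sees.

Added example for ID.AM and the quarterly review in ID.IM; not code from the
article. Inventory, observations and thresholds are constructed assumptions.
"""
from datetime import date

# Constructed authoritative inventory: what the organization believes it owns.
INVENTORY = [
    {"ip": "10.0.1.10", "hostname": "erp-db01", "type": "server", "owner": "it-ops",
     "criticality": "high", "last_reviewed": "2024-03-01"},
    {"ip": "10.0.1.11", "hostname": "erp-app01", "type": "server", "owner": "it-ops",
     "criticality": "high", "last_reviewed": "2024-03-01"},
    {"ip": "10.0.5.20", "hostname": "plc-line1", "type": "plc", "owner": "",
     "criticality": "critical", "last_reviewed": "2023-06-15"},
    {"ip": "10.0.2.30", "hostname": "ws-finance03", "type": "workstation",
     "owner": "finance", "criticality": "medium", "last_reviewed": "2024-04-10"},
]

# Constructed passive-sensor observations: who actually talked on the network.
OBSERVED = [
    {"ip": "10.0.1.10", "last_seen": "2024-05-01", "protocols": ["tcp/1433"]},
    {"ip": "10.0.5.20", "last_seen": "2024-05-01", "protocols": ["tcp/502"]},
    {"ip": "10.0.5.21", "last_seen": "2024-04-30", "protocols": ["tcp/502", "tcp/80"]},
    {"ip": "10.0.2.30", "last_seen": "2024-05-01", "protocols": ["tcp/445"]},
]

# Fields every inventory record must carry before it counts as "identified".
REQUIRED_FIELDS = ("hostname", "type", "owner", "criticality")


def _days_between(earlier_iso, later_iso):
    return (date.fromisoformat(later_iso) - date.fromisoformat(earlier_iso)).days


def reconcile(inventory, observed, today, review_after_days=90):
    """Return the gaps between the recorded inventory and observed reality.

    review_after_days=90 encodes the article's "at minimum quarterly" cadence.
    """
    inv_by_ip = {a["ip"]: a for a in inventory}
    seen_by_ip = {o["ip"]: o for o in observed}
    report = {
        # On the wire but not in the inventory: shadow or unmanaged assets,
        # reported with the protocols the sensor saw so the owner can be traced.
        "unknown": {ip: o["protocols"] for ip, o in sorted(seen_by_ip.items())
                    if ip not in inv_by_ip},
        # Recorded but never seen: decommissioned, or a sensor blind spot to check.
        "not_observed": sorted(ip for ip in inv_by_ip if ip not in seen_by_ip),
        # Records missing owner/classification cannot be risk-assessed or protected.
        "incomplete": {},
        # Records whose last review is older than the allowed cadence.
        "review_overdue": [],
    }
    for ip, asset in inv_by_ip.items():
        missing = [f for f in REQUIRED_FIELDS if not asset.get(f)]
        if missing:
            report["incomplete"][ip] = missing
        if _days_between(asset["last_reviewed"], today) > review_after_days:
            report["review_overdue"].append(ip)
    return report


if __name__ == "__main__":
    for finding, items in reconcile(INVENTORY, OBSERVED, "2024-05-01").items():
        print(f"{finding}: {items}")
```

In a real deployment the two inputs come from the CMDB export and the sensor's host table; the value of the script is that every category it reports maps to a concrete follow-up (onboard, decommission, complete the record, review).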
ID.RA - Risk Assessment
After identifying assets, the next step is risk assessment. NIST CSF 2.0 expects:
- Threat identification - which APT groups, which malware types, which attack scenarios are realistic for our sector
- Vulnerability identification - what gaps exist in our systems, processes, and procedures
- Likelihood and impact assessment - a risk matrix combining the probability of threat materialization with its impact on the organization
- Risk prioritization - which risks require immediate action, which can be accepted
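The four steps above carried through on a small register, as an added example that is not part of the article: threats and vulnerabilities are rated on assumed 1..5 likelihood and impact scales, scored as their product, banded, and then compared with an assumed risk appetite both before and after a proposed control. The register entries and all thresholds are constructed.

```python
"""Risk matrix and prioritization for ID.RA.

Added example, not from the article or NIST. Scales, bands, appetite and the
register are constructed assumptions for illustration.
"""

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed bands over the product of the two scales (1..25).
BANDS = [(15, "critical"), (8, "high"), (4, "medium"), (0, "low")]

RISK_APPETITE = 6  # Assumed: scores at or below this may be accepted by management.

# Constructed register: each risk pairs a threat with the vulnerability it needs,
# the inherent rating, and the proposed control with its expected residual rating.
REGISTER = [
    {"id": "R1", "threat": "ransomware via phishing", "vulnerability": "no MFA on VPN",
     "likelihood": "likely", "impact": "severe",
     "control": "MFA on remote access", "residual_likelihood": "unlikely"},
    {"id": "R2", "threat": "PLC manipulation", "vulnerability": "flat OT/IT network",
     "likelihood": "possible", "impact": "severe",
     "control": "OT segmentation", "residual_likelihood": "rare"},
    {"id": "R3", "threat": "laptop theft", "vulnerability": "unencrypted disks",
     "likelihood": "possible", "impact": "moderate",
     "control": "full-disk encryption", "residual_impact": "negligible"},
    {"id": "R4", "threat": "website defacement", "vulnerability": "outdated CMS plugin",
     "likelihood": "possible", "impact": "minor",
     "control": "patch SLA", "residual_likelihood": "unlikely"},
]


def score(likelihood, impact):
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def band(value):
    for threshold, name in BANDS:
        if value >= threshold:
            return name
    return "low"


def assess(risk, appetite=RISK_APPETITE):
    """Rate one risk inherently and after its control, and decide what to do."""
    inherent = score(risk["likelihood"], risk["impact"])
    # A control may lower likelihood, impact, or both; unchanged axes carry over.
    residual = score(risk.get("residual_likelihood", risk["likelihood"]),
                     risk.get("residual_impact", risk["impact"]))
    if inherent <= appetite:
        decision = "accept"                 # already within appetite, no spend needed
    elif residual <= appetite:
        decision = "treat, then accept"     # the control is sufficient
    else:
        decision = "treat and escalate"     # control helps but leaves risk above appetite
    return {"id": risk["id"], "inherent": inherent, "inherent_band": band(inherent),
            "residual": residual, "residual_band": band(residual), "decision": decision}


def prioritize(register, appetite=RISK_APPETITE):
    """Order the register by inherent score, highest first (ties by id)."""
    return sorted((assess(r, appetite) for r in register),
                  key=lambda a: (-a["inherent"], a["id"]))


if __name__ == "__main__":
    for a in prioritize(REGISTER):
        print(f"{a['id']}  inherent={a['inherent']:>2} ({a['inherent_band']})  "
              f"residual={a['residual']:>2} ({a['residual_band']})  {a['decision']}")
```

The "treat and escalate" outcome is the one worth a second look in practice: it shows that a single control is not enough and the risk owner must either add a second control or formally accept a residual above appetite.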
ID.IM - Improvement
A new subcategory in CSF 2.0 - continuous improvement of identification processes. It includes:
- Regular asset inventory reviews (at minimum quarterly)
- Risk assessment updates after infrastructure changes or threat landscape shifts
- Benchmarking against industry standards and best practices
The Protect function - how we prevent
Protect encompasses controls that reduce the likelihood and impact of a security incident. It is the broadest function in terms of technology and process scope.
PR.AA - Identity management and access control
Access control is the foundation of protection. NIST CSF 2.0 expects:
- Least privilege principle - every user and system has only the permissions necessary to perform their tasks
- Multi-factor authentication (MFA) - required on all administrative and remote interfaces
- Identity lifecycle management - procedures for creating, modifying, and removing accounts
- Access reviews - regular verification that granted permissions remain justified
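The four PR.AA expectations come together in a periodic access review. The script below is an added example, not the article's code: it checks an IAM export against a least-privilege role baseline, flags administrative or remote-access accounts without MFA, and surfaces dormant accounts and accounts of people who have left. The role baseline, the entitlement sets and the account records are constructed assumptions.

```python
"""Periodic access review against a least-privilege role baseline (PR.AA).

Added example, not from the article. ROLE_BASELINE, the privileged/remote
entitlement sets and the IAM export are constructed assumptions.
"""
from datetime import date

# Assumed role baseline: the entitlements each role needs, nothing more.
ROLE_BASELINE = {
    "finance-analyst": {"erp-read", "reporting"},
    "it-admin": {"erp-read", "domain-admin", "vpn"},
    "contractor": {"vpn"},
}
PRIVILEGED = {"domain-admin", "erp-admin"}  # administrative entitlements
REMOTE = {"vpn"}                            # remote-access entitlements

# Constructed IAM export: one record per account.
ACCOUNTS = [
    {"user": "alice", "role": "finance-analyst", "mfa": True, "employed": True,
     "entitlements": {"erp-read", "reporting", "erp-admin"}, "last_login": "2024-04-28"},
    {"user": "bob", "role": "it-admin", "mfa": False, "employed": True,
     "entitlements": {"erp-read", "domain-admin", "vpn"}, "last_login": "2024-04-30"},
    {"user": "carol", "role": "contractor", "mfa": True, "employed": False,
     "entitlements": {"vpn"}, "last_login": "2024-01-05"},
    {"user": "dave", "role": "finance-analyst", "mfa": True, "employed": True,
     "entitlements": {"erp-read"}, "last_login": "2024-04-29"},
]


def review_access(accounts, today, dormant_after_days=90):
    """Return findings a reviewer must confirm or fix, in account order."""
    today = date.fromisoformat(today)
    findings = []
    for acct in accounts:
        user = acct["user"]
        # Least privilege: anything beyond the role baseline needs a documented reason.
        excess = acct["entitlements"] - ROLE_BASELINE.get(acct["role"], set())
        if excess:
            findings.append({"user": user, "issue": "excess_privilege",
                             "detail": sorted(excess)})
        # MFA is required wherever the account is administrative or reachable remotely.
        sensitive = acct["entitlements"] & (PRIVILEGED | REMOTE)
        if sensitive and not acct["mfa"]:
            findings.append({"user": user, "issue": "mfa_missing",
                             "detail": sorted(sensitive)})
        # Lifecycle: dormant accounts and accounts of leavers should already be gone.
        idle_days = (today - date.fromisoformat(acct["last_login"])).days
        if idle_days > dormant_after_days:
            findings.append({"user": user, "issue": "dormant", "detail": idle_days})
        if not acct["employed"]:
            findings.append({"user": user, "issue": "orphaned", "detail": acct["role"]})
    return findings


if __name__ == "__main__":
    for f in review_access(ACCOUNTS, "2024-05-01"):
        print(f"{f['user']:8} {f['issue']:17} {f['detail']}")
```

Running this on every review cycle, rather than once at go-live, is what turns "least privilege implemented" into "least privilege audited" in the checklist further down.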
PR.DS - Data security
- Encryption of data at rest and in transit
- Data classification with controls appropriate to the classification
- Backups with regular restoration verification
- Data flow control (DLP - Data Loss Prevention)
PR.PS - Platform security
System and application hardening:
- Configuration based on CIS Benchmarks or DISA STIGs
- Regular updates and patching (NIST recommends a 15-day SLA for critical and a 30-day SLA for high-severity vulnerabilities)
- Disabling unused services and ports
- Endpoint protection (EDR/XDR)
- Network segmentation - isolating critical systems
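A hardening baseline is only useful if it is checked against the configuration that is actually in effect. As an added example (not code from the article or from CIS), the script below parses an sshd_config fragment and compares the effective values with an assumed subset of typical benchmark items. The parser reproduces two sshd behaviours that trip up naive checks: the first occurrence of an option wins, not the last, and options inside a Match block are conditional. The defaults table follows OpenSSH's documented defaults and the config text is constructed.

```python
"""Check an sshd_config fragment against a CIS-style hardening baseline (PR.PS).

Added example, not from the article or from CIS. BASELINE is an assumed subset
of common benchmark items; SAMPLE_CONFIG is constructed.
"""
import re

# Assumed baseline: option -> (check on the effective lower-cased value, expectation).
BASELINE = {
    "permitrootlogin": (lambda v: v == "no", "no"),
    "passwordauthentication": (lambda v: v == "no", "no"),
    "permitemptypasswords": (lambda v: v == "no", "no"),
    "x11forwarding": (lambda v: v == "no", "no"),
    "maxauthtries": (lambda v: v is not None and v.isdigit() and int(v) <= 4, "4 or less"),
    "loglevel": (lambda v: v in ("info", "verbose"), "INFO or VERBOSE"),
    "clientaliveinterval": (lambda v: v is not None and v.isdigit() and 1 <= int(v) <= 300,
                            "1..300"),
}

# What sshd uses when the option is not set (OpenSSH documented defaults).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "6",
    "loglevel": "info",
    "clientaliveinterval": "0",
}

# Constructed fragment: note the duplicate PermitRootLogin and the Match block.
SAMPLE_CONFIG = """
# constructed sshd_config fragment for the example
Port 22
PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 3
LogLevel VERBOSE
X11Forwarding yes
Match User backup
    PasswordAuthentication no
"""


def parse_sshd_config(text):
    """Return the effective global options.

    sshd keeps the FIRST value it reads for an option, so a hardened line near the
    top is not undone by a later one. Lines after a Match keyword apply only to
    matching connections and are left out of the global view.
    """
    effective = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        effective.setdefault(key, value)
    return effective


def check_hardening(text):
    """List baseline items the effective configuration fails, in baseline order."""
    effective = parse_sshd_config(text)
    findings = []
    for option, (is_ok, expected) in BASELINE.items():
        value = effective.get(option, DEFAULTS.get(option))
        if not is_ok(value):
            findings.append({"option": option, "value": value, "expected": expected,
                             "explicit": option in effective})  # False = failing by default
    return findings


if __name__ == "__main__":
    for f in check_hardening(SAMPLE_CONFIG):
        source = "set" if f["explicit"] else "default"
        print(f"{f['option']:24} {f['value']!s:18} expected {f['expected']} ({source})")
```

The `explicit` flag matters for remediation: an item failing by default is fixed by adding a line, while an item that is explicitly set wrong usually has an owner and a reason that need to be found first.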
PR.AT - Awareness and training
- Security awareness training for all employees (at minimum annually)
- Specialized training for technical personnel (administration, SOC, OT)
- Phishing simulations and incident response exercises
- Cybersecurity training for management
WARNING
One-off training (“once a year, check the compliance box”) has minimal effectiveness. NIST CSF 2.0 emphasizes the need for continuous competency building, not merely satisfying a formal requirement.
PR.IR - Technology infrastructure resilience
A new subcategory in CSF 2.0 covering:
- Redundancy of critical systems and communication links
- Business continuity plan testing (BCP/DRP)
- Fault-tolerant architecture (failover, load balancing)
Implementation checklist for Identify + Protect
Identify
- Complete IT and OT asset inventory (hardware, software, data)
- Asset classification by criticality to business processes
- Data flow maps (source, destination, channels)
- Formal risk assessment with likelihood/impact matrix
- Identification of regulatory requirements (NIS2, DORA, GDPR)
- Supply chain analysis - key suppliers and their risk profiles
Protect
- MFA on all administrative and remote interfaces
- Least privilege principle implemented and audited
- Encryption of data at rest and in transit
- Regular backups with restoration verification
- System hardening per CIS Benchmarks
- Training program and phishing simulations
- Network segmentation with boundary controls
- Business continuity plan tested within the last 12 months
NIST CSF and NIS2
For European Union organizations subject to the NIS2 Directive, NIST CSF serves as an excellent tool for meeting regulatory requirements. Mapping:
| NIS2 Requirement (Art. 21) | NIST CSF 2.0 Function |
|---|---|
| Risk analysis policies | Govern + Identify (ID.RA) |
| Incident handling | Detect + Respond |
| Business continuity | Protect (PR.IR) + Recover |
| Supply chain security | Govern (GV.SC) + Identify |
| Network security | Protect (PR.PS, PR.DS) |
| Training | Protect (PR.AT) |
| Cryptography | Protect (PR.DS) |
| Access control | Protect (PR.AA) |
NIST CSF is not mandatory in the EU, but its structure lets an organization address NIS2 requirements systematically instead of building a process from scratch.
Where to start
NIST CSF implementation does not require a single, large-scale project. NIST recommends an iterative approach:
- Current Profile - describe the organization’s current cybersecurity state
- Target Profile - define the desired state (considering regulatory requirements and risk appetite)
- Gap Analysis - compare both profiles and identify gaps
- Prioritized Action Plan - plan actions to close gaps, starting with those having the highest impact on risk reduction
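The four steps above carried through in code, as an added example that is neither the article's nor NIST's: Current and Target Profiles are expressed as per-category maturity scores, the gap analysis weights each gap by the risk reduction closing it would buy, and the action plan takes the highest-priority gaps that fit the capacity available in one cycle. The 0..4 scores, the weights and the capacity are constructed assumptions; the categories are the ones discussed in this article.

```python
"""Current vs Target Profile gap analysis and a prioritized action plan.

Added example, not from the article or NIST. Scores, weights and capacity are
constructed assumptions.
"""

# Assumed 0..4 maturity per category (0 = absent, 4 = optimized). NIST's
# Implementation Tiers rate the organization as a whole; scoring each category
# separately is a simplification used here to make the gap concrete.
CURRENT_PROFILE = {"ID.AM": 2, "ID.RA": 1, "PR.AA": 1, "PR.DS": 3,
                   "PR.PS": 2, "PR.AT": 1, "PR.IR": 0}
TARGET_PROFILE = {"ID.AM": 3, "ID.RA": 3, "PR.AA": 4, "PR.DS": 3,
                  "PR.PS": 3, "PR.AT": 2, "PR.IR": 2}
# Assumed weight: how much risk reduction one maturity step in the category buys,
# for example derived from the register entries the category addresses.
RISK_WEIGHT = {"ID.AM": 2, "ID.RA": 2, "PR.AA": 5, "PR.DS": 3,
               "PR.PS": 4, "PR.AT": 2, "PR.IR": 3}


def gap_analysis(current, target, weight):
    """Score every target category; highest risk-weighted gap first."""
    rows = []
    for category, wanted in target.items():
        have = current.get(category, 0)        # not assessed yet counts as not implemented
        gap = max(0, wanted - have)            # already above target: nothing to close
        rows.append({"category": category, "current": have, "target": wanted,
                     "gap": gap, "priority": gap * weight.get(category, 1)})
    return sorted(rows, key=lambda r: (-r["priority"], r["category"]))


def action_plan(current, target, weight, capacity):
    """Greedily pick top-priority gaps that can be closed fully within `capacity`
    maturity steps this cycle; gaps that do not fit wait for the next iteration."""
    plan = []
    for row in gap_analysis(current, target, weight):
        if row["gap"] and row["gap"] <= capacity:
            plan.append(row["category"])
            capacity -= row["gap"]
    return plan


if __name__ == "__main__":
    for row in gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, RISK_WEIGHT):
        print(f"{row['category']}  {row['current']}->{row['target']}  "
              f"gap={row['gap']}  priority={row['priority']}")
    print("this cycle:", action_plan(CURRENT_PROFILE, TARGET_PROFILE, RISK_WEIGHT, capacity=6))
```

Re-running the analysis after each cycle with the updated Current Profile is what makes the approach iterative: the plan always reflects the gaps that remain, not the ones identified at the start.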
Organizations that need support in building or improving a cybersecurity program based on NIST CSF can benefit from an experienced partner who will guide the process from current state assessment to implementing specific controls.
Sources:
- NIST, Cybersecurity Framework 2.0, February 2024 - nist.gov
- NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations - nist.gov
- ENISA, NIS2 Directive Implementation Guidance - enisa.europa.eu
- NIST SP 800-82 Rev. 3, Guide to Operational Technology (OT) Security - nist.gov