Identify

These mappings are intended to demonstrate the relationship between existing NIST publications and the Cybersecurity Framework. These preliminary mappings are intended to evolve and progress over time as new publications are created and existing publications are updated. Initially, each publication has been mapped only once to the category considered most applicable. Certain NIST publications that have broad applicability across multiple categories of a function have been included within the General Mappings section.

General Mappings

This table provides publications that have broad applicability across multiple categories of a function.

IDENTIFY (ID)

Publication | Title
800-100 | Information Security Handbook: A Guide for Managers
800-35 | Guide to Information Technology Security Services
800-39 | Managing Information Security Risk: Organization, Mission, and Information System View

NIST Cybersecurity Publication by Category

This table consists of NIST Publications that have been mapped only once to an individual Category.

IDENTIFY (ID)

Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.

Publication | Title
800-59 | Guideline for Identifying an Information System as a National Security System
1800-5 | IT Asset Management: Financial Services

Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

Publication | Title
800-55 Rev. 1 | Performance Measurement Guide for Information Security

Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.

Publication | Title
800-35 | Guide to Information Technology Security Services
800-18 Rev. 1 | Guide for Developing Security Plans for Federal Information Systems
800-65 | Integrating IT Security into the Capital Planning and Investment Control Process
800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems
800-100 | Information Security Handbook: A Guide for Managers

Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

Publication | Title
800-171A | Assessing Security Requirements for Controlled Unclassified Information
800-53A Rev. 4 | Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
800-30 Rev. 1 | Guide for Conducting Risk Assessments
800-154 | Guide to Data-Centric System Threat Modeling
800-163 | Vetting the Security of Mobile Applications
800-115 | Technical Guide to Information Security Testing and Assessment

Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

Publication | Title
800-37 Rev. 2 | Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (Discussion Draft)
800-60 Vol 1 | Guide for Mapping Types of Information and Information Systems to Security Categories
800-60 Vol 2 | Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices
800-39 | Managing Information Security Risk: Organization, Mission, and Information System View

Supply Chain Risk Management (ID.SC): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess, and manage supply chain risks.

Publication | Title
800-36 | Guide to Selecting Information Technology Security Products
800-161 | Supply Chain Risk Management Practices for Federal Information Systems and Organizations

Created February 1, 2018, Updated March 1, 2018