What Is the Identify Function?
The Identify function represents the first operational step in NIST CSF: building a complete picture of the systems, data, people, and vendors that make up your digital environment. Before any protective safeguard can be effective, you need to know what it is protecting. This sounds obvious, but it is the function where most SMBs — regardless of industry — have the most undocumented exposure.
In NIST CSF 2.0, the Identify function was streamlined from five categories down to three, with Improvement (ID.IM) added as a new category that explicitly connects assessment outputs to organizational learning. This change reinforces that Identify is not a one-time exercise but a continuous discipline: environments change, new SaaS tools get adopted, vendors shift their architecture, and yesterday's asset inventory becomes stale within months.
For regulated SMBs — healthcare practices, financial services firms, government contractors — a credible Identify posture is often the first question auditors and cyber insurers ask. "Show me your asset inventory" and "show me your last risk assessment" are the opening requests in almost every external review. The Identify function provides the documented answers.
Identify Function Map: Three Categories
Common Identify Gaps in SMBs
The Identify function is the most frequently under-addressed area for small organizations, largely because it requires disciplined documentation rather than technical tooling. The gaps we encounter most often:
- No software or SaaS inventory: Tools get adopted at the team level without IT visibility — shadow IT that carries data risk and compliance exposure with no record anywhere.
- Third-party vendors not inventoried: Managed service providers, payroll platforms, and cloud storage vendors all process sensitive data but are rarely included in the asset register or risk assessment scope.
- No formal risk register: Risk is discussed informally but never documented in a structured register with likelihood ratings, impact scores, and assigned owners — making prioritization arbitrary.
- Assessments done once, then forgotten: An initial gap assessment was completed during an insurance renewal or audit prep, but findings were never tracked to closure and ID.IM improvement cycles were never established.
Building Your Identify Foundation
A practical Identify program for an SMB starts with ID.AM: a structured asset list covering hardware, software (including SaaS), and data stores, each tagged with a business owner and a data classification level. That list becomes the scope boundary for your ID.RA risk assessment — you can only assess risk against things you've catalogued.
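The Python below is an added example, not part of the original article or of any NIST template. It checks a small inventory for entries missing an owner or classification, then uses the inventory as the scope boundary for a risk register with likelihood, impact, and owner fields. The field names, the classification labels, the 1-5 scoring scale, and all sample records are assumptions constructed for illustration.

```python
from collections import namedtuple

# Field names are assumptions based on the attributes the article lists.
Asset = namedtuple("Asset", "asset_id kind owner classification")
Risk = namedtuple("Risk", "risk_id asset_id likelihood impact owner")  # assumed 1-5 scales
# Assumed classification scheme; the article does not name one.
CLASSIFICATIONS = {"public", "internal", "confidential", "restricted"}

def inventory_gaps(assets):
    """Map asset_id -> problems that make the entry unusable for ID.RA scoping."""
    gaps = {}
    for a in assets:
        problems = []
        if not a.owner.strip():
            problems.append("no business owner")
        if a.classification not in CLASSIFICATIONS:
            problems.append("no valid classification")
        if problems:
            gaps[a.asset_id] = problems
    return gaps

def review_register(assets, risks):
    """Check the register against the inventory and rank the in-scope risks."""
    known = {a.asset_id for a in assets}
    in_scope = [r for r in risks if r.asset_id in known]
    ranked = sorted(in_scope, key=lambda r: r.likelihood * r.impact, reverse=True)
    return {
        "out_of_scope": [r.risk_id for r in risks if r.asset_id not in known],
        "unowned": [r.risk_id for r in risks if not r.owner.strip()],
        "unassessed_assets": sorted(known - {r.asset_id for r in risks}),
        "ranked": [(r.risk_id, r.likelihood * r.impact) for r in ranked],
    }

# Constructed sample data: SAAS-002 stands for a team-adopted tool with no owner.
ASSETS = [
    Asset("HW-001", "hardware", "IT Manager", "internal"),
    Asset("SAAS-001", "saas", "Finance Lead", "confidential"),
    Asset("SAAS-002", "saas", "", ""),
    Asset("DS-001", "data_store", "Practice Manager", "restricted"),
]
RISKS = [
    Risk("R-1", "SAAS-001", 3, 5, "Finance Lead"),
    Risk("R-2", "DS-001", 4, 5, "Practice Manager"),
    Risk("R-3", "SAAS-999", 2, 4, ""),  # points at an asset nobody catalogued
    Risk("R-4", "HW-001", 2, 2, "IT Manager"),
]
```

Running both functions on a real export surfaces three things an auditor will ask about: assets with no owner, risks written against systems that are not in the inventory, and catalogued assets that no risk entry covers.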
Once your asset inventory and risk register exist, ID.IM requires that you build a feedback loop: assessment findings go into a remediation tracker, tabletop exercise results inform your next review cycle, and incident lessons-learned update your risk ratings. Take our free NIST readiness assessment to benchmark where your Identify posture stands today, or explore our NIST Policy Package for pre-built asset inventory templates and risk register frameworks. For a full framework overview, see our NIST CSF complete guide.