Guide

NIST CSF 2.0 Identify Function for Small & Mid-Size Businesses

A practical guide to the NIST CSF 2.0 Identify function for SMBs — covering asset management, risk assessment, supply chain risk, and improvement planning with actionable implementation steps.


Farhad Mirza Khawar

Founder of HIPAA Agent and Cyber Defense Agent. Compliance infrastructure for SMBs. Sacramento, CA.

2026-05-01

What the Identify function covers

The Identify function is about understanding your cybersecurity risk posture. Before you can protect, detect, or respond to threats, you need to know what you have, what risks you face, and where your gaps are. In NIST CSF 2.0, the Identify function has three categories.

ID.AM — Asset Management. Know what hardware, software, data, and services your organization uses and how they are managed. You cannot protect assets you do not know about. Shadow IT — unapproved cloud services, personal devices accessing business data, forgotten test servers — is one of the biggest risks for small businesses.

ID.RA — Risk Assessment. Identify and analyze cybersecurity risks to your organization, assets, and individuals. This means understanding the threats you face (ransomware, phishing, insider threats), the vulnerabilities in your environment (unpatched software, weak passwords, missing MFA), and the potential impact if those threats exploit those vulnerabilities.

ID.IM — Improvement. Identify improvements to your cybersecurity risk management processes and activities. This is about continuously getting better — learning from incidents, scan results, industry developments, and changes in your business to strengthen your program over time.

For small businesses, Identify is often the most neglected function. It is not as tangible as installing antivirus (Protect) or setting up alerts (Detect), but it is foundational. Every dollar you spend on security should be informed by what Identify tells you about your actual risks.

Asset management for small businesses

Asset management sounds like an enterprise activity, but every small business needs to know what it is protecting. Here is a practical approach.

Start with a simple spreadsheet. Create columns for: asset name, type (hardware/software/data/service), location (on-premises/cloud/hybrid), owner (who manages it), data sensitivity (public/internal/confidential/regulated), and last review date.

Hardware inventory: list all computers, servers, network equipment, mobile devices, and IoT devices (cameras, smart locks, printers). Include personal devices that access business data (BYOD). Walk through your office and check every Ethernet port and Wi-Fi connection.

Software inventory: list all applications — installed software, cloud services (SaaS), browser extensions, and plugins. Check your credit card statements and email for SaaS subscriptions you may have forgotten. Ask every employee what tools they use daily.

Data inventory: categorize the data you handle. Customer PII, financial records, health information, employee records, intellectual property. Document where each data type is stored (which systems from your software inventory) and who has access.

Service provider inventory: list every third party that touches your data or systems. Cloud hosting, email, accounting software, CRM, payment processing, IT support, backup services. Each is a potential supply chain risk.

Cyber Defense Agent accelerates asset discovery for your external posture. A CDA scan automatically identifies your domains, subdomains, DNS records, mail servers, web servers, open ports, and exposed services — giving you a comprehensive view of your internet-facing assets in 60 seconds.
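An added example (mine, not the guide's or the Cyber Defense Agent product's) of turning the spreadsheet above into a review check: it reads a CSV export in the suggested column layout and flags assets with no owner, assets never reviewed, and assets whose last review is older than the quarterly cadence the FAQ recommends, most sensitive assets first. The inventory rows and the 90-day interval are constructed assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory using the column layout the guide suggests.
# The rows are illustrative, not a real organisation's assets.
SAMPLE_INVENTORY_CSV = """asset_name,type,location,owner,data_sensitivity,last_review_date
Front-desk PC,hardware,on-premises,Alice,internal,2026-03-15
Practice management system,service,cloud,Bob,regulated,2025-10-01
Personal Dropbox (shadow IT),service,cloud,,confidential,
Accounting SaaS,software,cloud,Carol,confidential,2026-04-20
"""

REVIEW_INTERVAL = timedelta(days=90)   # quarterly review, assumed to mean 90 days
SENSITIVITY_RANK = {"regulated": 0, "confidential": 1, "internal": 2, "public": 3}


def load_inventory(csv_text):
    """Parse the spreadsheet export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def review_findings(rows, today):
    """Return (asset_name, finding) pairs, most sensitive assets first.

    Flags assets with no named owner, assets never reviewed, and assets
    whose last review is older than REVIEW_INTERVAL. `today` may be a
    date or an ISO date string.
    """
    today = date.fromisoformat(today) if isinstance(today, str) else today
    findings = []
    for row in rows:
        name = row["asset_name"]
        rank = SENSITIVITY_RANK.get(row["data_sensitivity"], 99)
        if not row["owner"].strip():
            findings.append((rank, name, "no owner assigned"))
        last = row["last_review_date"].strip()
        if not last:
            findings.append((rank, name, "never reviewed"))
        elif today - date.fromisoformat(last) > REVIEW_INTERVAL:
            age = (today - date.fromisoformat(last)).days
            findings.append((rank, name, f"review overdue ({age} days)"))
    findings.sort(key=lambda f: f[0])   # stable sort keeps row order within a rank
    return [(name, finding) for _, name, finding in findings]


if __name__ == "__main__":
    for name, finding in review_findings(load_inventory(SAMPLE_INVENTORY_CSV), "2026-05-01"):
        print(f"{name}: {finding}")
```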

Conducting a practical risk assessment

A risk assessment does not need to be a 100-page document. For a small business, a focused, practical assessment is far more useful than an exhaustive one you never complete.

Step 1: Identify your critical assets. From your asset inventory, highlight the 5-10 most important systems and data stores. These are the ones that, if compromised, would cause the most damage — customer financial data, your practice management system, your email, your website.

Step 2: Identify threats to those assets. Common threats for small businesses include: ransomware, business email compromise (BEC), phishing, credential theft, insider threats (including accidental), and vendor/supply chain compromise. You do not need an exotic threat model — these six threats account for the vast majority of small business incidents.

Step 3: Identify vulnerabilities. For each critical asset, what weaknesses could a threat exploit? Unpatched software, missing MFA, weak passwords, lack of encryption, misconfigured cloud services, untrained employees. Run a Cyber Defense Agent scan to identify external vulnerabilities automatically.

Step 4: Assess likelihood and impact. For each threat-vulnerability pair, estimate: How likely is this to happen? (Low/Medium/High) What would the impact be? (Low/Medium/High) Multiply to get a risk score. Focus your remediation on high-likelihood, high-impact risks first.

Step 5: Document your findings and plan. Write down what you found, what you are going to fix, who is responsible, and by when. This document — even if it is just two pages — is your risk assessment. Review it at least annually or when something significant changes.
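The five steps above carried through end to end in an added example (mine, not the guide's or the product's), which is also the likelihood-times-impact matrix the FAQ refers to: Low/Medium/High are mapped to 1-3 and multiplied as in Step 4, each pair is put in a priority band, and Step 5 attaches an owner and a due date. The register rows, the band thresholds and the remediation windows are constructed assumptions.

```python
from datetime import date, timedelta

LEVEL = {"Low": 1, "Medium": 2, "High": 3}   # assumed 1-3 scale for the matrix

# Constructed register for a small practice: (asset, threat, vulnerability,
# likelihood, impact). The threats are drawn from the six the guide lists.
SAMPLE_REGISTER = [
    ("Email", "business email compromise", "missing MFA", "High", "High"),
    ("Practice management system", "ransomware", "unpatched server", "Medium", "High"),
    ("Website", "credential theft", "weak admin password", "Medium", "Medium"),
    ("Backups", "ransomware", "backups reachable from workstations", "Low", "High"),
    ("Accounting SaaS", "vendor compromise", "no breach-notification clause", "Low", "Medium"),
]

# Assumed remediation windows per priority band, in days.
DUE_DAYS = {"fix now": 30, "plan": 90, "monitor": 365}


def risk_score(likelihood, impact):
    """Step 4: likelihood x impact on the 1-3 scale gives a score from 1 to 9."""
    return LEVEL[likelihood] * LEVEL[impact]


def priority_band(score):
    """Assumed thresholds: 6-9 fix now, 3-4 plan, 1-2 monitor."""
    return "fix now" if score >= 6 else "plan" if score >= 3 else "monitor"


def rank_risks(register):
    """Score every threat-vulnerability pair and sort highest risk first;
    ties are broken by impact so high-impact items surface earlier."""
    ranked = []
    for asset, threat, vuln, likelihood, impact in register:
        score = risk_score(likelihood, impact)
        ranked.append({"asset": asset, "threat": threat, "vulnerability": vuln,
                       "likelihood": likelihood, "impact": impact,
                       "score": score, "band": priority_band(score)})
    ranked.sort(key=lambda r: (r["score"], LEVEL[r["impact"]]), reverse=True)
    return ranked


def remediation_plan(ranked, owner, start):
    """Step 5: attach an owner and an ISO due date to each ranked risk."""
    start = date.fromisoformat(start) if isinstance(start, str) else start
    return [{"asset": r["asset"], "fix": r["vulnerability"], "owner": owner,
             "due": (start + timedelta(days=DUE_DAYS[r["band"]])).isoformat()}
            for r in ranked]


if __name__ == "__main__":
    for item in remediation_plan(rank_risks(SAMPLE_REGISTER), "IT lead", "2026-05-01"):
        print(item)
```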

Supply chain risk in the Identify function

Supply chain risk deserves special attention because it is one of the most underestimated risks for small businesses. You might secure your own systems perfectly, but if a critical vendor is compromised, you are compromised too.

The CDK Global attack in 2024 demonstrated this at scale: thousands of auto dealerships were paralyzed because their DMS provider was hit with ransomware. The SolarWinds attack in 2020 showed how a compromised software update could infiltrate thousands of organizations. The MOVEit breach in 2023 exposed data from hundreds of organizations through a single file transfer tool.

For your Identify function, evaluate supply chain risk in three ways.

First, identify your single points of failure. Which vendors, if they went down, would halt your operations? Your DMS, your practice management system, your email provider, your cloud host. For each, ask: do we have a contingency plan?

Second, assess vendor security posture. Request SOC 2 Type II reports from critical vendors. Check their security pages and incident history. Run a CDA scan on their domains (with their permission or using publicly available information) to assess their external security posture.

Third, manage vendor risk contractually. Ensure your contracts with critical vendors include: security requirements, breach notification obligations (timeframe and process), right to audit or request security documentation, data handling and deletion requirements, and liability provisions for security failures.

Document your supply chain risk assessment as part of your overall risk assessment. Update it when you add new vendors, change existing ones, or learn about vendor security incidents.

Key Takeaways

TL;DR

The Identify function is foundational — you cannot protect what you do not know about or assess risks you have not identified.

Asset management starts with a simple spreadsheet covering hardware, software, data, and service providers.

A practical risk assessment for a small business can be completed in a day and documented in 2-3 pages.

Supply chain risk is one of the most underestimated threats — CDK, SolarWinds, and MOVEit proved that vendor compromises cascade to customers.

Cyber Defense Agent automates external asset discovery and vulnerability identification, accelerating the Identify function.

FAQ

Frequently asked questions

How often should I update my asset inventory?

Review your asset inventory at least quarterly and update it whenever you add new hardware, software, or service providers. Many small businesses find that setting a calendar reminder for quarterly reviews works well. CDA continuously monitors your external assets, so changes in your internet-facing infrastructure are caught automatically.

Do I need a formal risk assessment methodology?

No. The NIST CSF does not prescribe a specific methodology. A simple likelihood-times-impact matrix works well for small businesses. The important thing is that you document your assessment, base it on your actual environment (not a generic template), and review it at least annually.

What is shadow IT and why does it matter?

Shadow IT refers to technology used by employees without organizational approval — personal cloud storage, unapproved messaging apps, browser extensions, and SaaS tools signed up with business email. Shadow IT matters because it creates unmanaged, unmonitored attack surface. Ask your employees what tools they use and include them in your asset inventory.

How does CDA help with the Identify function?

CDA automatically discovers and assesses your external assets: domains, subdomains, DNS records, mail servers, web servers, open ports, exposed services, SSL certificates, and email authentication configuration. This automated external asset discovery and risk assessment feeds directly into the Identify function, saving you hours of manual work.
