What's the relationship between Categories, Sub-categories, and Informative References in the NIST CSF Core?
Functions split into Categories (themes), Categories split into Sub-categories (specific outcomes), and each Sub-category is mapped to entries in other frameworks (ISO 27001, COBIT, CIS Controls, SP 800-53) via Informative References.
* The Core drills down: Functions to Categories to outcome-based Sub-categories, each mapped to other frameworks via Informative References. *
Function → Category → Sub-category → Informative References
Govern GV.SC (Cyber GV.SC-01: A cyber supply chain CIS Controls v8.0: 15.2
supply chain risk management program is CRI Profile v2.0: GV.SC-01
risk management) established SP 800-221A: GV.PO-1
CSF v1.1: ID.SC-1
Informative References are the Rosetta Stone of cybersecurity frameworks: they let an organisation that already implements SP 800-53 instantly find the relevant 27002 control, or vice versa.
Tip: CSF Sub-categories are written as outcomes, not actions ("a program is established"), so they can be mapped to almost any control catalogue. That's deliberate — it lets the CSF stay implementation-agnostic.
Go deeper:
NIST CSF 2.0 Informative References — the actual mappings that link each Sub-category to ISO 27001, SP 800-53, CIS Controls and more.
The NIST CSF 2.0 (CSWP 29) — defines the Function to Category to Sub-category structure and the role of Informative References.