It covers 5 main functions of a cyber security framework.
Each of these functions is then broken down into categories, and the categories are further subdivided into subcategories.
This is two more than Bruce Schneier, who defines three: Protect, Detect and Respond.
The basic idea is that you take the categories and analyze them to define your current profile. You then define a target profile and work out action plans and prioritizations to achieve that target profile.
It is not a very long document, and much of the useful information is in the appendices. It references other public standards extensively.
Application Security
The framework does not have much to say about secure application development. However, it is extensible, so you can add your own categories and subcategories. It does talk about access control, data-at-rest and data-in-transit controls, etc.
The development and testing environment(s) are separate from the production environment
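As an added worked example (this is not code from the page and not NIST's own tooling), here is the current-profile versus target-profile comparison described above carried out in Python on a small constructed profile. The subcategory identifiers PR.AC-1, PR.DS-1, PR.DS-2 and PR.DS-7 are real CSF v1.1 identifiers (PR.DS-7 is the development/testing separation subcategory quoted above, descriptions abbreviated); the 0-4 maturity scale, the weights, the sample scores and the organization-added ORG.APP-1 subcategory (an instance of the extensibility the framework allows) are assumptions made for the illustration. A subcategory missing from a profile is treated as not implemented rather than silently skipped, and an out-of-range score is rejected.

```python
from dataclasses import dataclass

# Maturity scale used to score each subcategory in a profile. This scale is
# constructed for the example; the framework's own Implementation Tiers apply
# to the organization as a whole, not to individual subcategories.
MATURITY = {0: "not implemented", 1: "partial", 2: "risk informed",
            3: "repeatable", 4: "adaptive"}


@dataclass(frozen=True)
class Subcategory:
    ident: str
    function: str
    description: str
    weight: int  # business criticality 1-5, assigned by the organization (constructed)


# PR.AC-1, PR.DS-1, PR.DS-2 and PR.DS-7 are real CSF v1.1 subcategory ids
# (descriptions abbreviated). ORG.APP-1 is a constructed, organization-added
# subcategory of the kind the framework's extensibility permits.
CATALOG = [
    Subcategory("PR.AC-1", "Protect", "Identities and credentials are managed", 5),
    Subcategory("PR.DS-1", "Protect", "Data-at-rest is protected", 4),
    Subcategory("PR.DS-2", "Protect", "Data-in-transit is protected", 4),
    Subcategory("PR.DS-7", "Protect",
                "Development and testing environments are separate from production", 3),
    Subcategory("ORG.APP-1", "Protect", "Custom: secure code review before release", 3),
]


def _score(profile, ident):
    """Look up a subcategory score; absent from the profile counts as 0 (not implemented)."""
    score = profile.get(ident, 0)
    if score not in MATURITY:
        raise ValueError(f"{ident}: maturity score {score!r} is not in 0..4")
    return score


def gap_analysis(current, target, catalog=CATALOG):
    """Compare a current profile with a target profile.

    Returns (subcategory, gap, priority) tuples for every subcategory whose
    target score exceeds its current score, highest priority first, where
    priority = gap * weight and ties are broken by identifier.
    """
    rows = []
    for sub in catalog:
        gap = _score(target, sub.ident) - _score(current, sub.ident)
        if gap > 0:
            rows.append((sub, gap, gap * sub.weight))
    rows.sort(key=lambda r: (-r[2], r[0].ident))
    return rows


def action_plan(current, target, catalog=CATALOG):
    """Render the gap analysis as an ordered list of action items."""
    return [
        f"{sub.ident} ({sub.function}): {sub.description} -- "
        f"{MATURITY[_score(current, sub.ident)]} -> "
        f"{MATURITY[_score(target, sub.ident)]} [priority {prio}]"
        for sub, _gap, prio in gap_analysis(current, target, catalog)
    ]


# Constructed sample profiles: subcategory id -> maturity score.
CURRENT_PROFILE = {"PR.AC-1": 2, "PR.DS-1": 3, "PR.DS-2": 3, "PR.DS-7": 1, "ORG.APP-1": 0}
TARGET_PROFILE = {"PR.AC-1": 4, "PR.DS-1": 3, "PR.DS-2": 4, "PR.DS-7": 3, "ORG.APP-1": 2}

if __name__ == "__main__":
    for line in action_plan(CURRENT_PROFILE, TARGET_PROFILE):
        print(line)
```

The ordering rule (gap multiplied by an organization-assigned weight) is one simple way to turn the profile comparison into a prioritized plan; a real assessment would replace the weights with whatever risk ranking the organization already uses.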
- NIST Press Release