Untangling the confusion around the NIST CSF and NIST RMF
One of the most important aspects of the new Cybersecurity Executive Order (EO) is also the aspect of the order causing the most confusion.
When President Trump signed the EO on Thursday, it included the requirement that federal agencies use the NIST Cybersecurity Framework (CSF) to manage their cybersecurity risk. However, some have confused the NIST CSF with the NIST Risk Management Framework (RMF), which all federal agencies have been required to follow since its introduction in 2010.
To put it succinctly – they are two different frameworks. As industry and government work together to execute this order, it is very important for everyone to fully understand the two frameworks, and how they differ.
NIST CSF Overview
The NIST CSF was released in February 2014 in response to Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” issued a year earlier. That EO called for a voluntary framework of industry standards and best practices to help organizations — particularly those in critical infrastructure — manage cybersecurity risk.
The CSF was created as a result of collaboration between government and the private sector. It “uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses.”
The heart of the NIST CSF is the Framework Core, which consists of five functions—Identify, Protect, Detect, Respond, and Recover. The functions and their components aren’t a checklist of actions to be performed in a certain order. Rather, they are concurrent and continuous activities that “provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk.”
Building on accepted standards and guidelines for IT security and risk management, the Framework provides a common taxonomy and mechanism for organizations to:
- Describe their current cybersecurity posture.
- Describe their target state for cybersecurity.
- Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process.
- Assess progress toward the target state.
- Communicate among internal and external stakeholders about cybersecurity risk.
Notably, “The Framework complements, and does not replace, an organization’s risk management process and cybersecurity program. The organization can use its current processes and leverage the Framework to identify opportunities to strengthen and communicate its management of cybersecurity risk…”
Thus, the CSF is not intended to replace the RMF. A risk management process, like the RMF, is still necessary.
NIST RMF Overview
In contrast to the NIST CSF — originally aimed at critical infrastructure and commercial organizations — the NIST RMF has always been mandatory for use by federal agencies and organizations that handle federal data and information. The RMF prescribes a six-step process:
Step 1: Categorize – Define environment, CIA value, etc.
Step 2: Select – What controls and overlays are appropriate.
Step 3: Implement – Define how controls are implemented.
Step 4: Assess – Test to determine if controls are effective, identify risks, create POA&Ms.
Step 5: Authorize – Risk-based decision to authorize system for use, or not.
Step 6: Monitor – Monitor for on-going compliance and progress toward POA&M remediation.
Similarly, the CSF suggests a seven-step use case that illustrates how an organization can use the Framework to create a new cybersecurity program or improve an existing program:
Step 1: Prioritize and Scope – Organizational priorities (similar to RMF step 1)
Step 2: Orient – Identify assets and regulatory requirements (similar to RMF step 1 and 2)
Step 3: Current Profile – Assess to determine how current operation compares to CSF framework Core (similar to RMF step 4)
Step 4: Risk Assessment – This is where RMF likely comes into play (Similar to RMF step 4)
Step 5: Target Profile – Define desired outcomes based on determined risks associated with Current Profile (similar to RMF steps 1 and 2)
Step 6: Prioritize Gaps: What do you focus on and when based on risks (Similar to RMF step 4… identify Risk Elements and define POAMs)
Step 7: Action Plan: Address issues in attempt to close Gap and achieve Target Profile (Similar to RMF step 6, monitor on going compliance status and progress with regard to POAMs)
The CSF use case has no steps comparable to RMF Steps 3 and 5.
Comparing and Contrasting the Frameworks
There are some similarities between the RMF and CSF. Some of the differences are the result of the RMF being a mandate for federal agencies and the CSF having originated as a voluntary commercial framework (e.g., no Authorization step with CSF, the CSF does not assume there is a Designated Approving Authority, etc.).
NIST is working to offer guidelines on how federal agencies can – and must, based on the new EO – use the NIST CSF and RMF together.
I had hoped that the new Cybersecurity Executive Order would have helped clarify the confusion between the CSF and RMF; though, it actually seems to have exacerbated the problem.
My hope is that as industry and government discover the differences, it will help to guide them down the correct path for improving cybersecurity through the proper use of these frameworks. And if someone needs a crash course on the frameworks, please send them this article.