The NIST CSF and NIST RMF are both frameworks for managing cybersecurity risk. Although there are commonalities between the two, it's important to note that they are distinct and separate frameworks, built for different types of organizations and with distinct but overlapping purposes.
What is the NIST RMF?
In short, the NIST RMF (NIST SP 800-37) is an information security risk management framework built around the U.S. federal government's system authorization process. While the framework has undergone some recent enhancements, its focus is still largely government systems that must be granted an authorization to operate (ATO). System owners must provide evidence that residual system risk is acceptable before a system is connected to an operational network. The RMF's seven steps (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor) are specifically designed for this rigorous authorization process, with the security controls themselves drawn from NIST SP 800-53. The RMF is heavy (time-consuming and costly) and is not well suited to most organizations outside government.
What is the NIST CSF?
The NIST CSF was designed to help organizations manage their cyber risk posture. Though originally intended for the U.S. critical infrastructure sectors, the NIST CSF has been adopted by many types of organizations worldwide. Updates to the NIST CSF since its introduction have only broadened its applicability and appeal to organizations and many different sectors worldwide.
Recent changes to the NIST CSF
Most recently, NIST released version 2.0 of the CSF in February 2024, the first major revision since the CSF was first published in 2014 (the 1.1 update in 2018 was incremental). Unlike the original CSF, which was intended for critical infrastructure, NIST makes a point of saying that CSF 2.0 is for industry, government agencies, and other organizations that want to manage and reduce cyber risk. From this statement, we can see that the target audience for the CSF has expanded greatly since the original iteration of the framework in 2014.
One of the more noteworthy enhancements in CSF 2.0 is elevating governance from a category (ID.GV, which previously fell under the Identify function) to a function of its own, so Govern now stands alongside Identify, Protect, Detect, Respond, and Recover as one of the framework's six core functions. Govern, as part of CSF 2.0, is used to establish the organizational tone for cyber risk management: strategy, expectations, roles, and policy. Risk management professionals might argue that this focus on governance is much needed and was undervalued in earlier versions of the CSF. The change recognizes cyber risk as a major source of enterprise risk that senior leaders should consider alongside financial, operational, and reputational risk, and it makes the CSF more relevant to enterprise risk management activities and decision-making at the leadership level within organizations.
Overlap between the NIST RMF and NIST CSF
There is some overlap between the RMF and the CSF. For example, federal system owners map SP 800-53 control compliance to CSF categories and subcategories in their Assessment and Authorization (A&A) packages, so that the control compliance data produced by the RMF process is presented through a CSF lens for cyber risk visibility. NIST supports this with published informative references that map 800-53 controls to CSF subcategories. Federal agency use of the CSF to manage cyber risk was made a requirement by Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, in 2017.
Despite such overlap, the CSF and RMF are two separate frameworks designed for different audiences, with distinct roles in managing cyber risk for different constituents. The RMF is a cyber risk management framework for government organizations with a system authorization requirement. The audience for the CSF is, in theory, much larger: it focuses on cyber risk management activities that are potentially relevant to every other organization in every other sector worldwide. The recent updates to the CSF, including the elevation of governance to the function level, enhance the value of the CSF and put it on a more equal footing with the RMF, which inherently provides a governance function by controlling which systems are authorized for use based on their risk posture.
The most recent updates to the CSF, such as this increased focus on governance, make it a more complete and credible cyber risk management framework that supports enterprise risk management objectives. Such changes further distinguish the CSF from the RMF and give each framework its own distinct purpose and identity.
Conclusion
The NIST CSF and the RMF are recognized and highly respected cyber risk management frameworks. Cyber risk management is an increasingly complex business as threat landscapes and technology (e.g., cloud, AI, etc.) constantly evolve. For this reason, frameworks like the NIST CSF and the RMF are critical for ensuring completeness, consistency, and accuracy. It’s refreshing to see that NIST continues to review and enhance these frameworks to ensure they meet the needs of their respective constituent groups (i.e., government, critical infrastructure, commercial) over time. As technology and corresponding threats continue to evolve, such frameworks will become increasingly important for organizations of all types to manage cyber risk.