RMF vs CSF: Which is better?

January 31, 2024

By Kathryn Daily, CISSP, CGRC, RDRP

I know it’s a catchy headline, but it’s the wrong question to ask. NIST RMF and CSF are two totally different animals with different purposes. NIST RMF is primarily focused on managing overall organizational risk: it provides a structured approach for identifying, assessing, and mitigating risks associated with information systems and for obtaining government approval through an Authority to Operate. Conversely, the NIST CSF is focused on helping organizations manage and reduce cybersecurity risk in a more general sense by providing a framework for improving cybersecurity resilience across critical infrastructure. The NIST RMF can be compared to ISO 30001, while the NIST CSF is more similar to COBIT, ISO 27001, and CIS.

The NIST Risk Management Framework is a requirement for Federal agencies and DoD agencies and is mandated via the Federal Information Security Modernization Act (FISMA). The NIST CSF is a voluntary framework that can be used in both the public and private sectors; however, Executive Order 13800 mandates that federal agencies use the NIST CSF in addition to the NIST RMF.

Both frameworks share a common focus on managing and mitigating cybersecurity risk, with RMF providing a systematic process for risk management and CSF offering a flexible structure to improve resilience. Organizations can benefit from implementing both frameworks, as the RMF provides a detailed process for risk management, while the CSF offers a broader perspective on improving overall cybersecurity posture. The iterative nature of the RMF aligns well with the continuous improvement aspects of the CSF. Together, they support a dynamic and adaptive approach to managing cybersecurity risk.

In fact, when NIST updated NIST SP 800-37 to Rev. 2, they incorporated CSF references to demonstrate how the two can work together. One example of the CSF complementing the RMF is Control Selection (Task S-1). In the discussion, NIST states, “Similarly, organizations can use the NIST CSF to develop Cybersecurity Framework Profiles representing a set of organization-specific security and privacy requirements—and thus, guiding and informing control selection from SP 800-53.”

Currently, NIST is updating the CSF with an expected publication date in January 2024. One of the major changes in CSF 2.0 is the addition of a Govern function. If you look at the subcategories within that function, they align pretty closely with the tasks in the Prepare Step that NIST RMF introduced with SP 800-37, Rev. 2. Pretty neat, huh?

To further aid federal agencies in incorporating both frameworks, NIST published IR 8170 in March 2020, entitled “Approaches for Federal Agencies to Use the Cybersecurity Framework”. It includes 8 approaches for review, to wit:

  1. Integrate enterprise and cybersecurity risk management
  2. Mandate cybersecurity requirements
  3. Integrate and align cybersecurity and acquisition processes
  4. Evaluate organizational cybersecurity
  5. Manage the cybersecurity program
  6. Maintain a comprehensive understanding of cybersecurity risk
  7. Report cybersecurity risks
  8. Inform the tailoring process

The goal of IR 8170 is to promote more effective risk management and to encourage dialogue within and among federal agencies to increase cybersecurity awareness and resilience.

In summary, implementing the NIST Risk Management Framework and the NIST Cybersecurity Framework provides government organizations with a structured, adaptable, and comprehensive approach to managing cybersecurity risk. These frameworks not only ensure compliance with federal regulations but also contribute to the overall resilience and security of government systems and critical information.
