How to Know Which NIST Framework to Use

Richard P. Tracy is the chief security officer of Telos.

One of the most important aspects of the recent cybersecurity executive order is also the aspect causing the most confusion.

When President Donald Trump signed the executive order in May, it included the requirement federal agencies use the NIST Cybersecurity Framework to manage their cybersecurity risk. However, some have confused the NIST CSF with the NIST Risk Management Framework, which all federal agencies have been required to follow since its 2010 introduction.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

To put it succinctly, they are two different frameworks. As industry and government work together to execute this order, it is very important for everyone to fully understand the two frameworks, and how they differ.

NIST CSF Overview

The NIST CSF was released in February 2014 in response to a 2013 executive order that called for a voluntary framework of industry standards and best practices to help organizations manage cybersecurity risk.

The CSF was created as a result of collaboration between government and the private sector. It “uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses.”

The heart of the NIST CSF is the Framework Core, which consists of five functions: identify, protect, detect, respond and recover. The functions and their components aren’t a checklist of actions to be performed in order. Rather, they are concurrent and continuous activities that “provide a high-level, strategic view of the life cycle of an organization’s management of cybersecurity risk.”

Notably, “the organization can use its current processes and leverage the Framework to identify opportunities to strengthen and communicate its management of cybersecurity risk…”

Thus, the CSF is not intended to replace the RMF. A risk management process, like the RMF, is still necessary.

NIST RMF Overview

In contrast to the NIST CSF—originally aimed at critical infrastructure and commercial organizations—the NIST RMF has always been mandatory for use by federal agencies and organizations that handle federal data and information. The RMF prescribes a six-step process: 

Step 1: Categorize. Define environment, and confidentiality, integrity and availability value, etc.

Step 2: Select. What controls and overlays are appropriate.

Step 3: Implement. Define how controls are implemented.

Step 4: Assess. Test to determine if controls are effective, identify risks, create plans of actions and milestones.

Step 5: Authorize. Risk-based decision to authorize system for use, or not.

Step 6: Monitor. Monitor for ongoing compliance and progress toward POA&M remediation.

Similarly, the CSF suggests a seven-step use case that illustrates how an organization can use the framework to create a new cybersecurity program or improve an existing program:

Step 1: Prioritize and scope. Organizational priorities (similar to RMF step 1).

Step 2: Orient. Identify assets and regulatory requirements (similar to RMF step 1 and 2).

Step 3: Current profile. Assess to determine how current operation compares to CSF framework core (similar to RMF step 4).

Step 4: Risk assessment. This is where RMF likely comes into play (similar to RMF step 4).

Step 5: Target profile. Define desired outcomes based on determined risks associated with current profile (similar to RMF steps 1 and 2).

Step 6:  Prioritize gaps. What do you focus on and when based on risks (similar to RMF step 4… identify risk elements and define POA&Ms).

Step 7:  Action plan: Address issues in attempt to close gap and achieve target profile (similar to RMF step 6, monitor ongoing compliance status and progress with regard to POA&Ms).

The CSF use case has no steps comparable to RMF Steps 3 and 5.

Comparing and Contrasting the Frameworks

There are some similarities between the RMF and CSF. Some of the differences are the result of the RMF being a mandate for federal agencies and the CSF having originated as a voluntary commercial framework. NIST is working to offer guidelines on how federal agencies can—and must, based on the new executive order—use the NIST CSF and RMF together.  

I had hoped the executive order would clarify the confusion between the CSF and RMF; though, it actually seems to have exacerbated the problem. 

My hope is as industry and government discover the differences, it will guide them down the correct path for improving cybersecurity through the use of these frameworks. And if someone needs a crash course on the frameworks, please send them this article.