Cybersecurity Framework (CSF) as it relates to Risk Management Framework (RMF)

Article Written By P. Devon Schall, CISSP, of BAI Information Security.

I recently attended the Cybersecurity Framework (CSF) Workshop on May 16-17 at NIST in Gaithersburg, Maryland. The workshop proved to be informative in relation to how government and industry are implementing the guidance issued by President Obama in Executive Order 13636 outlining the responsibilities of Federal Departments and Agencies in Improving Critical Infrastructure Cybersecurity. President Trump’s executive order issued on May 11, 2017 titled, Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure reinforced EO 13636 and directly referenced CSF. CSF is a complicated framework, the scope of this article will be to outline concerns about CSF as it relates to RMF.

1. What the heck is CSF? I am just now learning how to do RMF, why is NIST throwing another three-letter framework acronym at me?

Rest assured, I had similar concerns. At a very basic level, CSF is not the same as RMF, and it is not a “rip and replace” of RMF. The writers of CSF assured me that RMF is not going by the wayside and it is a separate framework than RMF. CSF is voluntary guidance based on existing cybersecurity practices to help organize and manage risks. CSF is holistic and targeted toward federal agencies as well as the private sector. Similarities to RMF are a multi-step security lifecycle as well as common language. Additional technical information about CSF can be found in NIST Cybersecurity Framework Draft 1.1.

2. How will CSF change RMF?

I asked this exact question to the folks at NIST. They indicated that those already doing RMF could voluntarily use aspects of CSF to strengthen their RMF activities, and we may see some aspects of CSF implemented in future updates to RMF. The future integration was described to me as “RMF with a CSF flair”. I do not anticipate CSF to immediately impact RMF, but I do think we’ll see CSF language in NIST SP 800-53 Rev. 5.

3. How will CSF impact my ATO?

At this point, RMF activities and current ATO’s will not be impacted by CSF. CSF is a framework targeted at strengthening cybersecurity posturing for organizations and has many overlaps with RMF, but it is not going to change your current pursuit of an ATO.

Overall, CSF is an interesting framework, and it is great to see the Trump administration recommending its usage. The framework is appealing as being holistic and applicable to businesses of any size. The initial draft is an approachable government document which I highly recommend reading.