Cybersecurity Framework – Is it relevant to Federal/DoD organizations?

By Lon J. Berman, CISSP, RDRP

Just when folks were beginning to get somewhat comfortable … or, at least, familiar … with the Risk Management Framework (RMF), along come our friends at the National Institute of Standards and Technology (NIST) throwing another framework our way! The Cybersecurity Framework (CSF) has actually been in development since 2013 and was originally intended as a voluntary set of guidelines for managing information security in Critical Infrastructure (CI) industries such as energy, transportation and health care. In recent years, CSF has begun cropping up in a variety of places beyond the CI industries, including, perhaps surprisingly, Federal and DoD agencies.

Now you may be wondering what exactly is going on. Is CSF considered relevant to Federal/DoD organizations at all? Is CSF intended to eventually replace RMF?

First of all, CSF is absolutely relevant to Federal/DoD organizations as well as private industry. CSF is a methodology for managing organizational IT risk, which is applicable to all organizations, large or small. For example, a recent DoD CIO memo on the topic of “DoD Cyber Hygiene Scorecard” states that “…a rollout of new and updated metrics will occur over the coming weeks and months in order to move the Department into additional functional elements of the Cybersecurity Framework. The focus has been mainly on the Identify function, and will now move toward the Protect, Detect, Respond and Recover functions”. Evidently DoD is at the early stages of CSF implementation as a tool in their development of cybersecurity capabilities at the departmental level.

Secondly, CSF is definitely not viewed as a replacement for RMF in DoD/Federal agencies … probably a good thing, given the time and energy your organization has probably invested in RMF already and plans to invest in the near future. CSF and RMF differ fundamentally in their approaches to the cybersecurity risk management effort. CSF tends to operate at an organizational level, while RMF operates primarily at the information system level. That said, however, it is expected that CSF and RMF will be complementary within DoD/Federal organizations.

How exactly can CSF and RMF “play together”? NIST Interagency Report (NISTIR) 8170, currently in DRAFT form, attempts to answer that question by providing eight scenarios (“use cases”) to illustrate some of the ways that CSF can be leveraged in the DoD/Federal space and support RMF efforts within the organization, to wit:

  1. Integrating enterprise and cybersecurity risk management
  2. Managing cybersecurity requirements
  3. Integrating and aligning cybersecurity and acquisition processes
  4. Evaluating organizational cybersecurity
  5. Managing the cybersecurity program
  6. Maintaining a comprehensive understanding of cybersecurity risk
  7. Reporting cybersecurity risks
  8. Informing the tailoring process

For example, this is NIST’s take on item 5, above, “Managing Cybersecurity Risk”:

If you or your organization is interested in CSF training, we can help! Check out our CSF course description here.