By P. Devon Schall, CISSP, RDRP
I was reading an article recently about the NIST Cybersecurity Framework (CSF) and the continued confusion between it and the Risk Management Framework (RMF). The research found a consensus that the majority of government IT professionals do not fully understand CSF or RMF and find it easy to confuse the two. As a follow-up to my previous CSF article, I hope the top 10 list below will continue to clear up the differences between the two frameworks.
10. RMF automated tools do not support CSF. Numerous tools have been developed (such as DoD eMASS) to streamline RMF process workflow. There are no known plans for any of these tools to provide CSF support.
9. RMF is much more prescriptive than CSF. RMF’s audience is the entire federal government, whereas CSF was initially developed for critical infrastructure. CSF has since been recommended for use in organizations of any size, degree of cybersecurity risk, or cybersecurity sophistication, including industry. Bottom line: RMF is a very prescriptive process culminating in a formal Authorization to Operate (ATO), whereas CSF is still in the initial stages of adoption and its use is voluntary.
8. RMF is much more extensively documented than CSF. The document outlining CSF, “Framework for Improving Critical Infrastructure Cybersecurity,” is 41 pages. “Guide for Applying the Risk Management Framework to Federal Information Systems” (NIST SP 800-37 Rev. 1) is 102 pages and is supported by numerous other NIST Special Publications (SPs), such as the SP 800-53 control catalog. It is very easy to start reading RMF documentation and get stuck in the weeds. One of my favorite aspects of CSF is its approachable documentation.
7. CSF is aimed at private industry. The National Institute of Standards and Technology (NIST) encourages CSF use in private industry, particularly those supporting “critical infrastructure” (e.g., transportation, public utilities). A great example can be seen in the Intel Corp. case study “An Intel Use case for the Cybersecurity Framework in Action”. RMF is aimed primarily at government and is only rarely used in the private sector.
6. The steps in the RMF and CSF processes are different. The RMF process has six steps: Categorize, Select, Implement, Assess, Authorize, and Monitor. The CSF process has seven steps: Prioritize and Scope; Orient; Create a Current Profile; Conduct a Risk Assessment; Create a Target Profile; Determine, Analyze, and Prioritize Gaps; and Implement Action Plan.
5. RMF controls can be used with CSF, but CSF does not have its own set of security controls. CSF is organized into five Functions: Identify, Protect, Detect, Respond, and Recover. Each Function breaks down into Categories and Subcategories, and each Subcategory lists informative references that can satisfy it, drawn from control catalogs such as COBIT 5, NIST SP 800-53, and ISO/IEC 27001. In other words, CSF tells you what outcome to achieve; the control catalog you already use tells you how.
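To make items 6 and 5 concrete, here is an added example (not code from the article or from NIST) of the CSF profile-and-gap steps: a Current Profile is derived from the SP 800-53 controls an organization has actually implemented, compared against a Target Profile, and the gaps are prioritized by a per-Function risk weight from the risk assessment. The Subcategory IDs follow the CSF naming pattern, but the specific control mappings, the implemented-control set, and the risk weights are illustrative assumptions constructed for this example, not quoted from the Framework.

```python
"""CSF Current Profile vs Target Profile gap analysis (added example).

Subcategory IDs use the CSF pattern (Function.Category-Number); the control
mappings and all sample data below are illustrative assumptions, not the
Framework's actual informative references.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")


@dataclass(frozen=True)
class Subcategory:
    sub_id: str                 # CSF-style identifier (illustrative)
    function: str               # one of FUNCTIONS
    category: str
    refs: Tuple[str, ...]       # SP 800-53 controls assumed to satisfy it


# Hypothetical slice of a CSF catalog; mappings are assumptions for this example.
CATALOG: Tuple[Subcategory, ...] = (
    Subcategory("ID.AM-1", "Identify", "Asset Management", ("CM-8", "PM-5")),
    Subcategory("PR.AC-1", "Protect", "Access Control", ("AC-2", "IA-2", "IA-4")),
    Subcategory("PR.DS-1", "Protect", "Data Security", ("SC-28",)),
    Subcategory("DE.CM-1", "Detect", "Continuous Monitoring", ("AU-6", "SI-4")),
    Subcategory("RS.RP-1", "Respond", "Response Planning", ("IR-8",)),
    Subcategory("RC.RP-1", "Recover", "Recovery Planning", ("CP-10",)),
)


def current_profile(implemented: Iterable[str]) -> Dict[str, float]:
    """Step 3, Create a Current Profile: score each Subcategory 0..1 as the
    fraction of its mapped controls that are implemented. CSF has no controls
    of its own, so the evidence comes from the control catalog (item 5)."""
    have = set(implemented)
    return {s.sub_id: sum(r in have for r in s.refs) / len(s.refs) for s in CATALOG}


def gap_analysis(current: Dict[str, float], target: Dict[str, float],
                 risk_weight: Dict[str, float]) -> List[Tuple[str, float, float, float]]:
    """Step 6, Determine, Analyze, and Prioritize Gaps: return
    (sub_id, current, target, priority) for every Subcategory below target,
    highest priority first. priority = (target - current) * Function risk weight,
    where the weight comes from Step 4's risk assessment (default 1.0)."""
    gaps = []
    for s in CATALOG:
        cur = current.get(s.sub_id, 0.0)
        tgt = target.get(s.sub_id, 0.0)
        if cur < tgt:
            priority = round((tgt - cur) * risk_weight.get(s.function, 1.0), 3)
            gaps.append((s.sub_id, cur, tgt, priority))
    gaps.sort(key=lambda g: (-g[3], g[0]))   # ties broken by identifier
    return gaps


def coverage_by_function(current: Dict[str, float]) -> Dict[str, float]:
    """Summary view: mean Subcategory score per CSF Function."""
    scores = {f: [] for f in FUNCTIONS}
    for s in CATALOG:
        scores[s.function].append(current.get(s.sub_id, 0.0))
    return {f: (sum(v) / len(v) if v else 0.0) for f, v in scores.items()}


if __name__ == "__main__":
    # Constructed sample: controls the organization says it has in place today.
    implemented = {"CM-8", "AC-2", "IA-2", "AU-6", "IR-8"}
    current = current_profile(implemented)
    target = {s.sub_id: 1.0 for s in CATALOG}          # Step 5: Target Profile
    weights = {"Protect": 1.5, "Detect": 1.2, "Recover": 0.8}  # assumed risk weights
    for f, cov in coverage_by_function(current).items():
        print(f"{f:<9} coverage {cov:.2f}")
    print("Prioritized gaps (Step 7 action plan order):")
    for sub_id, cur, tgt, pri in gap_analysis(current, target, weights):
        print(f"  {sub_id:<8} current {cur:.2f} target {tgt:.2f} priority {pri}")
```

The scoring rule is deliberately simple (any implemented control counts equally); a real profile would also carry the implementation Tier and assessment evidence, but the structure is the same: evidence from the control catalog feeds the Current Profile, the Target Profile sets the goal, and the risk assessment decides which gaps get worked first.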
4. CSF does not have Authorizing Officials (AOs) or an Authorization to Operate (ATO). Under RMF, an AO grants an ATO for a defined authorization period. In contrast, CSF is a voluntary framework intended to strengthen cybersecurity posture; it has no AO role and no time-limited ATO.
3. RMF generally requires the participation of a variety of government entities. For example, Joe Contractor cannot go through the complete RMF process alone: government officials must be involved to grant an ATO. CSF can be implemented without any government involvement.
2. NIST has recommended that CSF be used to strengthen RMF. Elements of CSF can be used to make RMF more robust. Personally, I don’t know who has the time to make RMF more complicated than it is, but with unlimited time to implement cybersecurity frameworks anything is possible.
1. CSF is not intended to replace RMF. CSF is NOT a “rip and replace” of RMF. The sweat and tears we have put into learning RMF are not in vain. NIST has suggested we may see some CSF language in new releases of NIST SPs, but overall the goals of the two frameworks are very different.