Introduction

The National Institute of Standards and Technology (NIST) is a U.S.-based organization that was tasked by the U.S. government with creating an inclusive framework that would encompass all aspects of cybersecurity, from threat assessments to best practices.

There are currently two different frameworks that govern how cybersecurity is maintained and utilized within government agencies and the private sector, the NIST Cybersecurity Framework (CSF) and the NIST Risk Management Framework (RMF). This has led many people to ask what the difference is between the two frameworks and in what way they are similar.

What is the NIST Cybersecurity Framework (CSF)?

The NIST CSF was released in early 2014 as a direct response to Executive Order 13636. The framework was intended to be used as a collaborative guideline between the public and private sector. As a result, it uses easy-to-understand language and is intended to be used as an easy-to-implement cybersecurity and risk management framework that can yield excellent results without adding too much red tape.

On May 11, 2017, Executive Order 13800 was issued and federal agency heads were given 90 days to provide a risk management report as well as an action plan to implement the NIST CSF. Federal agencies have been required to follow the NIST RMF since it was introduced in 2010; however, the NIST CSF introduced more recommended guidelines for departments and agencies to comply with. The recommendations in this framework are not only for government agencies, as the framework is also aimed at private companies.

7 Steps to the NIST CSF

The NIST CSF has a Framework Core that is based upon seven steps used to achieve its objectives. There are some similarities that can be noted when comparing these key steps with the NIST RMF. The 7 steps are:

  1. Prioritize and scope: This is akin to identifying an organization’s main priorities
  2. Orient: Identify all assets within the organization in line with the department’s regulatory prescribed values
  3. Current profile: Assess and find out how the current environment compares to the NIST CSF
  4. Risk assessment: All risks associated with the current operations within the department must be measured and assessed as per the framework guidelines
  5. Target profile: These are the desired outcomes that need to be achieved by following up on the risks that were identified in the risk assessment that was performed on the current profile of the department
  6. Prioritize gaps: This sets up the prioritization hierarchy and identifies which issues need to be targeted on your timeline
  7. Action plan: This addresses the issues picked up in previous steps and is used to guide the organization into the target profile

These functions must be continuously carried out as part of the framework. This means that there must be a continuous loop of activity to ensure that the organization is able to keep running effectively and safely. That is why you will often hear the process being referred to as a living document. The way that the framework is structured allows the organization to describe its cybersecurity environment at any given time, including the current vulnerabilities that make it a target for cybercriminals. This helps decision-makers identify and set in motion a plan that makes improvements possible as part of an ongoing action plan.

Communication is essential in achieving this goal, so it is important for stakeholders to make information available to one another so that they can readily and continuously assess their current progress towards their desired state.

It is worth noting at this point that the NIST CSF does not replace existing organizational risk management processes and programs, but instead is used in conjunction with these systems. This is especially useful to know if you already have a risk assessment system in place, such as the NIST RMF.

What is the NIST Risk Management Framework (RMF)?

The NIST RMF has always been a governmental framework. This is unlike the NIST CSF, which sees mixed use between the public and private sector. The NIST RMF is also more of an assessment tool when compared to the NIST CSF, which is more of a security framework.

6 Steps to the NIST RMF

The NIST RMF comprises six assessment steps that aid departments with keeping their environments locked down and secure. These six steps are:

  1. Categorize: This concerns categorizing the storing, transmission and processing of information based on an impact analysis and risk assessment
  2. Select: This is the initial baseline of security controls selected based on the categorization
  3. Implement: Security controls are implemented in this step, and it explains what steps must be taken in order to implement the directives given by the previous steps
  4. Assess: This step requires that the previous implementations are looked at and a determination must be made as to whether or not all of the recommendations from previous steps have been implemented properly
  5. Authorize: The implementation of the system must be found to operate as intended and have no ill effect on the department in which it is run or on the country in general
  6. Monitor: The information systems are constantly monitored to determine if the operation is functioning successfully and that it is in compliance with all of the other regulatory frameworks that work in conjunction with the NIST RMF

It is clear that the NIST CSF and the NIST RMF have some similarities, and that their operations are well suited to being used in conjunction with one another. Where a single framework must be chosen, it is important for those implementing the system to understand the functional differences in how the two frameworks operate and where one framework might be more useful than the other.

Origin of NIST CSF: Background and History

The NIST CSF was set in motion on February 12, 2013, by Executive Order 13636. This brought forward new collaborative efforts for inter-departmental intelligence sharing relating to cybersecurity threats. The framework was to be developed and built from other successful existing frameworks, bringing only the best elements into the project. The end goal was to create a framework that would assist in the reduction of risk to data systems and information infrastructure. The Executive Order set the wheels of development in motion, and thus, NIST was tasked with this undertaking.

The following requirements were set out in the Executive Order:

  • Find and identify the most relevant security standards, procedures and guidelines that apply to the most important aspects of communications infrastructure
  • Provide a system that is both cost effective and that can be reproduced while performing at a high standard with flexibility and adaptability at its core
  • Assist decision makers, owners and users with the assessment, identification and management of cybersecurity risks
  • Empower technical innovators while enforcing accountability for organizational differences
  • Provide guidance in a non-biased manner and allow industry players to leverage the competitive nature of the sector in a mutually beneficial manner
  • Create performance measurement tools that will allow organizations to see how well their cybersecurity implementations are operating
  • Highlight and identify areas that could benefit from future collaboration and partnerships between industry sectors and standards-development organizations

These resulted in the tabling of Bill S.1353, also known as the Cybersecurity Enhancement Act of 2014, which was developed to:

“… provide for an ongoing, voluntary public-private partnership to improve cybersecurity, and to strengthen cybersecurity research and development, workforce development and education, and public awareness and preparedness, and for other purposes”

What effect does NIST Interagency Publication 8170 have on CSF?

Federal agencies are now required to apply the NIST CSF to their information systems, as per the May 2017 Executive Order. The requirements are set out in NIST Interagency Publication 8170, in which steps are given to help agencies integrate their existing risk management and compliance efforts, as well as how to structure consistent communication for both teams and leadership.

Once the revised draft of NIST Interagency Report 8170 is complete, it will provide federal agencies with guidance on how to implement the Cybersecurity Framework while integrating their pre-existing risk management practices. The report also highlights eight private sector uses of the NIST CSF, as well as its use in federal agencies.

Why was NIST selected for this task?

NIST was chosen to develop the CSF because it is a non-regulatory agency and part of the U.S. Department of Commerce. NIST acts as an unbiased scientific source of data and best practices. NIST seeks to promote innovation and industrial competitiveness of U.S.-based organizations, sectors and industries, which is beneficial to the country as a whole. NIST has a historical record of being a critical national resource for solving issues in industry, academia and government agencies. This experience of collaboration between stakeholders is key to the successful development of this framework.

Framework Creation Process

The development of the NIST CSF is ongoing and will continue to change and evolve over time. All stakeholders from government, industry and academia are actively engaged in the framework’s continued development and are constantly working on reviewing and revising the system. The initial development of the CSF was undertaken over the course of just one year. This was possible thanks to the three-pronged approach that NIST took to solving the issue:

  • They identified the existing cybersecurity standards, guidelines and frameworks, as well as best practices, and selected the most relevant areas for inclusion in their framework. This benefited the security of critical infrastructure sectors and other interested parties in the process.
  • They specified the highest priority gaps in the existing standards and frameworks that needed to be addressed, opening up areas of redevelopment for the new framework.
  • All action plans were developed collaboratively involving many different interested parties, which led to a more inclusive action plan that was able to address the identified shortcomings in other systems and frameworks.

Continued Evolution

Since the framework’s initial development and creation, it has undergone many changes, updates and revisions under the open public review and comment processes. The NIST CSF has been developed and revised in line with the original goals of creating a framework that would promote U.S. innovation and industrial competitiveness, and it has been watched intently by industry players that continue to participate in the framework’s creation. The graphic below shows key milestones and highlights the way in which the development and creation of this framework has progressed up until the present day.

Sources

US-CERT: https://www.us-cert.gov/eo13800

Bill S.1353 (PDF): https://www.gpo.gov/fdsys/pkg/BILLS-113s1353es/pdf/BILLS-113s1353es.pdf

NIST: https://www.nist.gov/cyberframework/evolution