Until_then
Contributor I

NIST SP 800-37 Rev 2: Integration of CSF into RMF

So let me get this straight: the Cybersecurity Framework (CSF) is just a set of enhancement features to existing RMF procedures, correct?


If you look at the blue summary tables of each RMF step in 800-37 Rev 2, you will see CSF codes integrated into the subcategories of these steps, e.g. ID.AM-5 in Prepare task "P-12". By looking at each of these subcategories, a lot of these CSF features seem to be redundant to what we are already doing within the old RMF.

4 Replies
tmekelburg1
Community Champion

Good question. I found some more information here that may answer why they updated the RMF and mapped it to the CSF.


NIST Updates Risk Management Framework to Incorporate Privacy Considerations 


I pulled this out of the linked article.


"Until now, federal agencies had been using the RMF and CSF separately," said NIST's Ron Ross, one of the publication's authors. "The update provides cross-references so that organizations using the RMF can see where and how the CSF aligns with the current steps in the RMF. Conversely, if you're using the CSF, you can bring in the RMF and give your organization a robust methodology to manage security and privacy risks."

Until_then
Contributor I

Thanks for the reply. I think part of this strategy is continued transparency between different sets of ideas for continual improvement of risk mitigating procedures. 


A downside of any type of procedure or protocol is having too much detail which can eventually make processes too cumbersome.

tmekelburg1
Community Champion

I'm sure some really smart people at NIST could combine the two documents, with the RMF being the overarching framework. When most people hear Cybersecurity, they automatically think IT should handle it. Risk, on the other hand, conveys that it's an enterprise issue, with stakeholders from each department getting involved in the process.

Until_then
Contributor I

Correct. And that is the intention of CSF. CSF, as stated in training videos and in official documentation, is meant to complement existing procedures or to provide ideas for agencies/organizations to jumpstart new procedures for info system risk management. CSF isn't a procedure by itself, nor is it a checklist or "one size fits all" for a particular info system.


NIST RMF made good use of NIST CSF processes by incorporating CSF functions and aligning them with all RMF steps.