How NIST CSF and NIST RMF Can Work Together

On May 11th 2017, a new presidential executive order, EO 13800, entitled Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, was signed by President Trump.

The executive order (EO) is broadly divided into three sections:

  • Section 1 – Cybersecurity of Federal Networks
  • Section 2 – Cybersecurity of Critical Infrastructure
  • Section 3 – Cybersecurity for the Nation

This post is about Section 1 (c)(i) of the EO which states that:

Effective immediately, each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology, or any successor document, to manage the agency’s cybersecurity risk.

First, a quick overview of the NIST Risk Management Framework (RMF) for those who are unfamiliar with the framework. The Federal Information Security Management Act of 2002 (FISMA) defined a framework for managing information security that must be followed for all information systems used or operated by a U.S. federal government agency in the executive or legislative branches, or by a contractor or other organization on behalf of a federal agency in those branches. This framework is further defined by the standards and guidelines developed by NIST.

The NIST FISMA Implementation Project was established in January 2003 to produce the security standards and guidelines required by FISMA. These publications include FIPS 199, FIPS 200, SP 800-53, SP 800-59, and SP 800-60. Additional security guidance documents were developed in support of the project including SP 800-37, SP 800-39, SP 800-171, and SP 800-53A.

These publications all support the NIST Risk Management Framework (RMF), which is a 6-step process that integrates security and risk management activities into the system development life cycle (SDLC), as shown in the diagram above and below.

In 2014, the DoD, after extensive document alignment work by the Joint Task Force Transformation Initiative Interagency Working Group, mandated adoption of the NIST RMF by all DoD component agencies.

Turning now to the NIST Cybersecurity Framework (CSF). EO 13636 (Improving Critical Infrastructure Cybersecurity) was issued in February 2013 mandating the development of what is now known as the CSF. The first workshop was held in April 2013. Version 1.0 was published in February 2014. Version 1.1 has just completed the public comment stage. The CSF is based on a number of other respected and established risk management frameworks.

The CSF provides a policy framework of computer security guidance for how organizations can assess and improve their ability to prevent, detect, and respond to cyber attacks. It also provides a high level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes.

The CSF was designed with the intent that organizations use an assessment of the risks they face to guide their use of the Framework in a cost-effective way. The Framework is divided into three parts, i.e. the Framework Core, Framework Implementation Tiers, and Framework Profiles.

The Framework Core contains an array of activities, outcomes and references which detail approaches to aspects of cyber security. It specifies 5 Functions, i.e. Identify, Protect, Detect, Respond, and Recover, and a number of Categories and Subcategories within each Function. The diagram below shows the CSF as a 5-step continuous improvement process with Identify as the starting point.

The Framework Implementation Tiers are used by an organization to clarify for itself and its partners how it views cybersecurity risk and the degree of sophistication of its management approach. There are 4 Implementation Tiers: Partial, Risk Informed, Repeatable, and Adaptive.

Finally, a Framework Profile is a list of desired outcomes that an organization has chosen from the categories and subcategories, based on its business needs and individual risk assessments.

As you can see, there are some similarities between CSF and RMF, but there are also some fundamental differences between the two frameworks. And, no, RMF has not been replaced by CSF as some people seem to think!

OMB Circular A-130 (Managing Information as a Strategic Resource) Appendix I, Section 5.q discusses the issue:

The [Cybersecurity] Framework is not intended to duplicate the current information security and risk management practices in place within the Federal Government. However, in the course of managing information security risk using the established NIST Risk Management Framework and associated security standards and guidelines required by FISMA, agencies can leverage the Cybersecurity Framework to complement their current information security programs.

Draft NISTIR 8170 (Cybersecurity Framework Implementation Guidance for Federal Agencies), issued May 2017, also provides some guidance on how CSF and RMF can work together.

The following diagram from the draft NISTIR depicts cybersecurity risk management needs (middle column) superimposed on the three-tier pyramid used in SP 800-39. Most of the uses addressed in the draft NISTIR fit in Tier 2 (Mission/Business Processes). Only one use case is provided for Tier 1 (Organization) and one for Tier 3 (System). The right column depicts the most applicable Cybersecurity Framework component, i.e. Core, Profile, or Implementation Tier, for a given use case.

Note that the draft NISTIR uses the term Level instead of Tier.

The term “Tiers” cited in NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, will be referred to as “Levels” in this report to avoid confusion with Cybersecurity Framework Implementation Tiers.

And so the above diagram, which was copied from the draft NISTIR, uses the term Level instead of Tier.

The Tier 3 use case, entitled Inform the Tailoring Process, appears to be the only use case which directly interacts with the NIST RMF 6-step process. This is what the draft NISTIR says about this particular use case:

The Cybersecurity Framework offers a mechanism for reconciling mission objectives and cybersecurity requirements into Profiles, making them an important work product using a top-down approach to inform the tailoring. In developing a Profile, organizations can align and de-conflict all mission objectives and cybersecurity requirements into a singular structure according to the taxonomy of the Core. That allows organizations to easily prioritize the cybersecurity outcomes of the Subcategories. Since Profiles can be a reconciliation of cybersecurity requirements and associated priorities from many sources, Profiles can be used as a concise and important artifact for consideration when tailoring SP 800-53 initial control baselines to final control baselines. Specifically, considering organizational Subcategory priorities and knowing the associated SP 800-53 controls may lead to precise adjustments to the initial controls baseline in ways that best support the organizational mission.

Note that the draft states, in the Executive Summary, that SP 800-53 will be revised to take account of the CSF. I have not seen any draft of a new revision of SP 800-53, so I have no idea how extensive the changes will be, but I suspect that as far as baseline control selection is concerned there will be no actual change. However, I do suspect that the sections discussing tailoring of controls, and possibly scoping of controls, will be modified to explicitly detail the role of the CSF in Information System (IS) risk mitigation.

Another area where changes to NIST RMF guidance documents are likely is the guidance relating to the development and contents of the Risk Assessment Report (RAR), which is typically developed at Step 1 of the RMF.

NIST have developed an Excel spreadsheet mapping SP 800-53 controls to CSF Categories and Subcategories, and vice versa. I would not be surprised to see a requirement to include such a mapping in the System Security Plan (SSP), between the final set of tailored security controls and the CSF Categories and Subcategories, for traceability purposes.

An area of possible confusion is the fact that EO 13800 mandated that agency heads are required to manage risk commensurate with the magnitude of harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of a Federal information system or Federal information. Currently, under NIST RMF, risk to an information system (IS) is the responsibility of one or more federal employees within an agency called an Authorizing Official (AO). I expect that the agency heads will still delegate IS risk management to AOs (essentially Tier 3 risk) but take a more active role in managing risk at Tier 2 and Tier 1.

In summary, I expect little or no change to the actual RMF process.