Guest Post – A Tale of Two Frameworks: The NIST CSF and NIST RMF Are Not the Same

As you are studying for the CISSP, CASP+, or Security+, you will come across these two important NIST frameworks.  They seem the same, but they are not.

If you are deploying one or both of these frameworks in your organization, understanding the difference between them is even more important.

Today we are republishing an article by Rick Tracy.  Rick Tracy is the senior vice president and chief security officer at Telos Corporation. Follow him on Twitter: @rick_tracy See full bio…

Untangling the confusion around the NIST CSF and NIST RMF

One of the most important aspects of the new Cybersecurity Executive Order (EO) is also the aspect of the order causing the most confusion.

When President Trump signed the EO on Thursday, it included the requirement that federal agencies use the NIST Cybersecurity Framework (CSF) to manage their cybersecurity risk.  However, some have confused the NIST CSF with the NIST Risk Management Framework (RMF), which all federal agencies have been required to follow since its introduction in 2010.

To put it succinctly – they are two different frameworks. As industry and government work together to execute this order, it is very important for everyone to fully understand the two frameworks, and how they differ.

NIST CSF Overview

The NIST CSF was released in February 2014 in response to Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” issued a year earlier.  That EO called for a voluntary framework of industry standards and best practices to help organizations — particularly those in critical infrastructure — manage cybersecurity risk.

The CSF was created as a result of collaboration between government and the private sector.  It “uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses.”

The heart of the NIST CSF is the Framework Core, which consists of five functions—Identify, Protect, Detect, Respond, and Recover. The functions and their components aren’t a checklist of actions to be performed in a certain order.  Rather, they are concurrent and continuous activities that “provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk.”

Building on accepted standards and guidelines for IT security and risk management, the Framework provides a common taxonomy and mechanism for organizations to:

  • Describe their current cybersecurity posture.
  • Describe their target state for cybersecurity.
  • Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process.
  • Assess progress toward the target state.
  • Communicate among internal and external stakeholders about cybersecurity risk.

Notably, “The Framework complements, and does not replace, an organization’s risk management process and cybersecurity program. The organization can use its current processes and leverage the Framework to identify opportunities to strengthen and communicate its management of cybersecurity risk…”

Thus, the CSF is not intended to replace the RMF.  A risk management process, like the RMF, is still necessary.

NIST RMF Overview

In contrast to the NIST CSF — originally aimed at critical infrastructure and commercial organizations — the NIST RMF has always been mandatory for use by federal agencies and organizations that handle federal data and information. The RMF prescribes a six-step process:

Step 1: Categorize – Define environment, CIA value, etc.

Step 2: Select – What controls and overlays are appropriate.

Step 3: Implement – Define how controls are implemented.

Step 4: Assess – Test to determine if controls are effective, identify risks, create POA&Ms.

Step 5: Authorize – Risk-based decision to authorize system for use, or not.

Step 6: Monitor – Monitor for on-going compliance and progress toward POA&M remediation.

Similarly, the CSF suggests a seven-step use case that illustrates how an organization can use the Framework to create a new cybersecurity program or improve an existing program:

Step 1: Prioritize and Scope – Organizational priorities (similar to RMF step 1)

Step 2: Orient – Identify assets and regulatory requirements (similar to RMF step 1 and 2)

Step 3: Current Profile – Assess to determine how current operation compares to CSF framework Core (similar to RMF step 4)

Step 4: Risk Assessment – This is where RMF likely comes into play (Similar to RMF step 4)

Step 5:  Target Profile – Define desired outcomes based on determined risks associated with Current Profile (similar to RMF steps 1 and 2)

Step 6:  Prioritize Gaps:  What do you focus on and when based on risks (Similar to RMF step 4… identify Risk Elements and define POAMs)

Step 7:  Action Plan:  Address issues in attempt to close Gap and achieve Target Profile (Similar to RMF step 6, monitor on going compliance status and progress with regard to POAMs)

The CSF use case has no steps comparable to RMF Steps 3 and 5.

Comparing and Contrasting the Frameworks

There are some similarities between the RMF and CSF. Some of the differences are the result of the RMF being a mandate for federal agencies and the CSF having originated as a voluntary commercial framework (e.g., no Authorization step with CSF, the CSF does not assume there is a Designated Approving Authority, etc.).

NIST is working to offer guidelines on how federal agencies can – and must, based on the new EO – use the NIST CSF and RMF together.

I had hoped that the new Cybersecurity Executive Order would have helped clarify the confusion between the CSF and RMF; though, it actually seems to have exacerbated the problem.

My hope is that as industry and government discover the differences, it will help to guide them down the correct path for improving cybersecurity through the proper use of these frameworks. And if someone needs a crash course on the frameworks, please send them this article.

Richard Tracy

Richard Tracy joined the Telos in October 1986 and held a number of management positions within the company’s New Jersey operation. In February 1996, he was promoted to vice president of the Telos information security group and in this capacity established a formidable information security consulting practice. In February 2000, Rick was promoted to senior vice president for operations. Since that time, Rick has pioneered the development of innovative and highly scalable enterprise risk management technologies that have become industry-leading solutions within the federal government and the financial services verticals. He is the principal inventor listed on four patents and seven patents pending for Xacta IA Manager. He assumed the role of chief security officer in 2004.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.