The National Institute of Standards and Technology (NIST) is a U.S.-based organization that was tasked by the U.S. government with creating an inclusive framework encompassing all aspects of cybersecurity, from threat assessments to best practices.
There are currently two different frameworks that govern how cybersecurity is maintained and utilized within government agencies and the private sector: the NIST Cybersecurity Framework (CSF) and the NIST Risk Management Framework (RMF). This has led many people to ask how the two frameworks differ and in what ways they are similar.
What is the NIST Cybersecurity Framework (CSF)?
The NIST CSF was released in early 2014 as a direct response to Executive Order 13636. The framework was intended to be used as a collaborative guideline between the public and private sector. As a result, it uses easy-to-understand language and is intended to be used as an easy-to-implement cybersecurity and risk management framework that can yield excellent results without adding too much red tape.
On May 11, 2017, Executive Order 13800 was issued and federal agency heads were given 90 days to provide a risk management report as well as an action plan to implement the NIST CSF. Federal agencies have been required to follow the NIST RMF since it was introduced in 2010; however, the NIST CSF introduced more recommended guidelines for departments and agencies to comply with. The recommendations in this framework are not only for government agencies, as the framework is also aimed at private companies.
7 Steps to the NIST CSF
The NIST CSF has a Framework Core that is based upon seven steps used to achieve its objectives. There are some similarities that can be noted when comparing these key steps with the NIST RMF. The 7 steps are:
*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Graeme Messina. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/DSHkZ6_AzFY/