The Cybersecurity Framework can help federal agencies to integrate existing risk management and compliance efforts and structure consistent communication, both across teams and with leadership. That is why on May 11, 2017, the President issued an Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure requiring federal agencies to use the Framework.
NIST has been updating its suite of cybersecurity and privacy risk management publications to provide additional guidance on how to integrate implementation of the Cybersecurity Framework. NIST Interagency Report (IR) 8170, Approaches for Federal Agencies to Use the Cybersecurity Framework, summarizes eight approaches that may be useful for federal agencies and others. NISTIR 8170 discusses how the CSF can be valuable in managing federal information and information systems according to:
In turn, the RMF incorporates key Cybersecurity Framework, privacy risk management, and systems security engineering concepts. Among other things, the CSF Core can help agencies to:
Consistent with OMB Memorandum M-17-25, federal implementation of the Cybersecurity Framework fully supports, and is consistent with, the risk management processes and approaches defined in SP 800-39 and SP 800-37. This allows agencies to meet their concurrent obligations under FISMA and E.O. 13800.
Each task in the RMF includes references to specific sections in the Cybersecurity Framework. For example:
For more information on the NIST Risk Management Framework, see: https://csrc.nist.gov/projects/risk-management/risk-management-framework-(rmf)-overview