One of the most important aspects of the recent cybersecurity executive order is also the aspect causing the most confusion.
When President Donald Trump signed the executive order in May, it included the requirement that federal agencies use the NIST Cybersecurity Framework to manage their cybersecurity risk. However, some have confused the NIST CSF with the NIST Risk Management Framework, which all federal agencies have been required to follow since its introduction in 2010.
To put it succinctly, they are two different frameworks. As industry and government work together to execute this order, it is very important for everyone to fully understand the two frameworks, and how they differ.
NIST CSF Overview
The NIST CSF was released in February 2014 in response to a 2013 executive order that called for a voluntary framework of industry standards and best practices to help organizations manage cybersecurity risk.
The CSF was created as a result of collaboration between government and the private sector. It “uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses.”
The heart of the NIST CSF is the Framework Core, which consists of five functions: identify, protect, detect, respond and recover. The functions and their components aren’t a checklist of actions to be performed in order. Rather, they are concurrent and continuous activities that “provide a high-level, strategic view of the life cycle of an organization’s management of cybersecurity risk.”