1
00:00:00,540 --> 00:00:02,520
Some people wonder about the relationship

2
00:00:02,520 --> 00:00:06,930
between RMF and the NIST cybersecurity framework.

3
00:00:06,930 --> 00:00:08,610
There are all kinds of questions.

4
00:00:08,610 --> 00:00:09,960
Are they the same?

5
00:00:09,960 --> 00:00:14,070
Is one just a newer version of the other?

6
00:00:14,070 --> 00:00:17,040
Maybe they're competing with each other

7
00:00:17,040 --> 00:00:19,980
or are they mutually exclusive?

8
00:00:19,980 --> 00:00:22,230
Maybe they cooperate somehow.

9
00:00:22,230 --> 00:00:24,660
Well, first of all, they are different,

10
00:00:24,660 --> 00:00:27,990
so let's explore how they're different.

11
00:00:27,990 --> 00:00:31,050
As we've seen, RMF is required

12
00:00:31,050 --> 00:00:33,420
for federal government organizations

13
00:00:33,420 --> 00:00:36,960
and it's hardly ever used in the private sector.

14
00:00:36,960 --> 00:00:41,040
In contrast, the cybersecurity framework is voluntary

15
00:00:41,040 --> 00:00:44,430
and it's aimed towards organizations

16
00:00:44,430 --> 00:00:47,460
in critical infrastructure industries,

17
00:00:47,460 --> 00:00:50,760
although it's useful and available to any member

18
00:00:50,760 --> 00:00:53,700
of the private sector or the government sector.

19
00:00:53,700 --> 00:00:55,440
Here's another difference.

20
00:00:55,440 --> 00:00:58,740
RMF requires far more documentation

21
00:00:58,740 --> 00:01:00,750
and is much more complicated

22
00:01:00,750 --> 00:01:03,270
than the cybersecurity framework.

23
00:01:03,270 --> 00:01:04,500
Because of this,

24
00:01:04,500 --> 00:01:07,920
the cybersecurity framework is much more approachable

25
00:01:07,920 --> 00:01:10,530
and easier to implement.

26
00:01:10,530 --> 00:01:11,670
Furthermore,

27
00:01:11,670 --> 00:01:15,870
implementing the RMF requires formal authorization

28
00:01:15,870 --> 00:01:18,150
to operate, or ATO,

29
00:01:18,150 --> 00:01:21,150
while the cybersecurity framework does not require

30
00:01:21,150 --> 00:01:23,970
such government involvement in order to implement

31
00:01:23,970 --> 00:01:25,410
and use it.

32
00:01:25,410 --> 00:01:27,000
Here's another difference.

33
00:01:27,000 --> 00:01:30,810
RMF is organized around the software development life cycle

34
00:01:30,810 --> 00:01:33,210
while the cybersecurity framework is organized

35
00:01:33,210 --> 00:01:36,510
around the life cycle of a security incident.

36
00:01:36,510 --> 00:01:41,340
As you know by now, that means RMF has a seven-step process

37
00:01:41,340 --> 00:01:45,270
for building and monitoring secure systems.

38
00:01:45,270 --> 00:01:47,160
You prepare to use RMF.

39
00:01:47,160 --> 00:01:49,170
Next, you categorize the system

40
00:01:49,170 --> 00:01:51,240
and the information related to it.

41
00:01:51,240 --> 00:01:53,340
The third step is to select an initial set

42
00:01:53,340 --> 00:01:55,290
of controls for the system.

43
00:01:55,290 --> 00:01:58,590
The fourth step is to implement and document the controls.

44
00:01:58,590 --> 00:02:01,260
Step number five is to assess the controls.

45
00:02:01,260 --> 00:02:03,900
The sixth thing you do is you request authorization

46
00:02:03,900 --> 00:02:05,550
to operate the system.

47
00:02:05,550 --> 00:02:09,630
And then finally, step number seven is to monitor the system

48
00:02:09,630 --> 00:02:12,960
and the controls on an ongoing basis.

49
00:02:12,960 --> 00:02:16,380
In contrast, the cybersecurity framework consists

50
00:02:16,380 --> 00:02:21,380
of five concurrent and continuous functions

51
00:02:21,600 --> 00:02:26,010
that are meant to manage security incidents.

52
00:02:26,010 --> 00:02:28,710
You identify risks and assets.

53
00:02:28,710 --> 00:02:33,300
You protect those assets using controls and safeguards.

54
00:02:33,300 --> 00:02:36,840
You detect incidents, you respond to incidents,

55
00:02:36,840 --> 00:02:40,230
and then you recover from any incidents.

56
00:02:40,230 --> 00:02:44,220
The last thing I want to tell you is that CSF was created

57
00:02:44,220 --> 00:02:48,720
by private industry through the facilitation of NIST,

58
00:02:48,720 --> 00:02:53,130
whereas RMF was created by the federal government itself.

59
00:02:53,130 --> 00:02:55,230
In fact, RMF was developed

60
00:02:55,230 --> 00:02:59,550
by the Joint Task Force interagency working group.

61
00:02:59,550 --> 00:03:03,144
That group includes representatives from the civil,

62
00:03:03,144 --> 00:03:07,200
the defense, and the intelligence communities,

63
00:03:07,200 --> 00:03:11,790
and specifically the Department of Commerce and Defense,

64
00:03:11,790 --> 00:03:15,510
the Office of the Director of National Intelligence,

65
00:03:15,510 --> 00:03:19,230
and the Committee of National Security Systems.

66
00:03:19,230 --> 00:03:22,830
As a result of all this, RMF has a much different look

67
00:03:22,830 --> 00:03:25,470
and feel than CSF does.

68
00:03:25,470 --> 00:03:27,134
Okay,

69
00:03:27,134 --> 00:03:29,730
so now how can RMF

70
00:03:29,730 --> 00:03:32,700
and the cybersecurity framework be used together?

71
00:03:32,700 --> 00:03:34,560
Well, NIST has recommended

72
00:03:34,560 --> 00:03:39,180
that you use CSF to strengthen RMF.

73
00:03:39,180 --> 00:03:40,740
Specifically, there are elements

74
00:03:40,740 --> 00:03:43,470
in the cybersecurity framework that can be used

75
00:03:43,470 --> 00:03:47,070
to make RMF more robust, and here's one example.

76
00:03:47,070 --> 00:03:52,070
In step seven of RMF, you must conduct monitoring,

77
00:03:52,110 --> 00:03:55,290
which, as it turns out, is what three

78
00:03:55,290 --> 00:04:00,290
of the five CSF functions are great at: detect, respond,

79
00:04:00,630 --> 00:04:01,503
and recover.