NIST Frameworks and SPs Overview
NIST (the National Institute of Standards and Technology) is a US federal institution that conducts research and develops national standards. In the area of cybersecurity, NIST has published several frameworks and special publications (SPs) that describe best practices for particular processes and problems. Some SPs are broad (like NIST SP 800-37 (RMF) or SP 800-53 Rev. 5), while others are extremely narrow in focus (like NIST SP 800-60).
This is a brief orientation document to help you understand how some of the major documents relate to each other.
- NIST SP 800-53
- A catalog of controls and linked supporting documents that can be used to protect the confidentiality, integrity, and availability of a system.
- NIST SP 800-37 - Risk Management Framework (RMF)
- The RMF is a prescriptive framework designed for use under federal regulations (like FISMA).
- It outlines the requirements and supporting documents for systems seeking compliance with those federal requirements, drawing its security controls from NIST SP 800-53.
- It is designed around selecting controls based on the system's security and privacy categorization (Low/Medium/High).
- NIST Cybersecurity Framework (CSF)
- The CSF is an elective framework designed for use by private organizations.
- It is highly flexible and helps organizations to evaluate their security posture and plan improvements.
- It is designed around accomplishing security objectives using whatever catalog of security controls your organization already uses, such as ISO 27001 or SP 800-53.
Tip: The RMF and CSF are completely different frameworks that can draw from the same special publications.
Resources
A Tale of Two Frameworks: The NIST CSF and NIST RMF Are Not the Same - Telos Corporation

