The Cybersecurity Framework is voluntary guidance, based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk.
In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.
*Federal agencies do have requirements to implement the Cybersecurity Framework; see the U.S. Federal Agency Use FAQs for more information.
Version 1.0 of the Framework, Framework for Improving Critical Infrastructure Cybersecurity, was developed in response to Presidential Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, which was issued in 2013. Among other things, the EO directed NIST to work with industry leaders to develop the Framework.
The Framework was developed in a year-long, collaborative process in which NIST served as a convener for industry, academia, and government stakeholders. The collaboration took place through workshops, extensive outreach and consultation, and a public comment process. NIST's future Framework role is reinforced by the Cybersecurity Enhancement Act of 2014 (Public Law 113-274), which calls on NIST to facilitate and support the development of voluntary, industry-led cybersecurity standards and best practices for critical infrastructure. This collaboration continues as NIST works with stakeholders from across the country and around the world to raise awareness and encourage use of the Framework.