NIST logo

Cybersecurity Framework - Archived Documents

Preliminary Cybersecurity Framework

The Preliminary Framework was developed by NIST using information collected through the Request for Information (RFI) that was published in the Federal Register on February 26, 2013 and a series of open public workshops. The Preliminary Framework was developed in response to Executive Order 13636, "Improving Critical Infrastructure Cybersecurity" ("Executive Order"). Under the Executive Order, the Secretary of Commerce is tasked to direct the Director of NIST to work with stakeholders to develop a framework to reduce cyber risks to critical infrastructure.

On October 29, 2013, NIST announced a 45-day public comment period on the preliminary Framework in the Federal Register. This public comment period closed on Friday, December 13, 2013 at 5:00pm EST. All comments have been posted at http://csrc.nist.gov/cyberframework/preliminary_framework_comments.html without change or redaction.

Request for Comments on the Preliminary Cybersecurity Framework
Preliminary Cybersecurity Framework (PDF)
Preliminary Cybersecurity Framework (EPUB)
Preliminary Cybersecurity Framework Comments Template (Excel)
Preliminary Cybersecurity Framework Comments

Discussion Draft of the Preliminary Cybersecurity Framework

A Discussion Draft of the Preliminary Cybersecurity Framework for improving critical infrastructure cybersecurity is now available for review. This draft is provided by the National Institute of Standards and Technology (NIST) in advance of the Fourth Cybersecurity Framework workshop on September 11-13, 2013, at the University of Texas at Dallas. In addition, NIST is providing a draft Executive Overview and Illustrative Examples for review.

Participants are asked to review these discussion draft materials in advance of the workshop. The workshop is designed to allow participants to offer substantive input on these versions, as well as on related topics -- including implementation and governance of the Framework.

Comments from the public also can be provided via email to cyberframework@nist.gov

Discussion Draft – Preliminary Cybersecurity Framework, August 28, 2013

Discussion Draft – Executive Overview, August, 28, 2013

Discussion Draft – Illustrative Examples, Threat Mitigation, August 28, 2013

Discussion Draft - Illustrative Example, ICS Profile for the Electricity Subsector, August 30, 2013

DRAFT Outline - Preliminary Cybersecurity Framework, July 1, 2013
The purpose of this document is to define the overall Framework and provide guidance on its usage. The primary audiences for the document and intended users of the Framework are critical infrastructure owners and operators and their partners. However, it is expected that many organizations facing cybersecurity challenges may benefit from adopting the Framework. The Framework is being designed to be relevant for organizations of nearly every size and composition. It is also expected that many organizations that already are productively and successfully using appropriate cybersecurity standards, guidelines, and practices – including those who contributed suggestions for inclusion in this document – will continue to benefit by using those tools.

DRAFT - Framework Core
The Framework Core offers a way to take a high-level, overarching view of an organization’s management of cybersecurity risk by focusing on key functions of an organization’s approach to this security. These are then broken down further into categories. The Framework’s core structure consists of:

  • Five major cybersecurity functions and their categories and subcategories
  • Three Framework Implementation Levels associated with an organization’s cybersecurity functions and how well that organization implements the framework.

Preliminary Framework Compendium
The Framework’s core also includes the compendium of informative references, existing standards, guidelines, and practices to assist with specific implementation.

The compendium of informative references that included standards, guidelines and best practices is provided as an initial data set to map specifics to sub-categories, categories and functions. The Framework’s compendium points to many standards – including performance and process-based standards. These are intended to be illustrative and to assist organizations in identifying and selecting standards for their own use and for use to map into the core Framework. The compendium also offers practices and guidelines, including practical implementation guides.