Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Taking Measure

Just a Standard Blog

A Framework for Protecting Our Critical Infrastructure

graphic illustrating different aspects of critical infrastructure, including power transmission, nuclear plants, and factories
Credit: stoker-13/shutterstock.com

There’s no disputing the importance of a reliable and well-functioning critical infrastructure when it comes to our daily lives—in fact, our national and economic security depend on it. Because our critical infrastructure systems are becoming increasingly complex and connected, we need to understand the real risk of cybersecurity threats and how these threats can impact the nation’s economy, security, public safety and overall health. Cybersecurity threats can also impact companies, reputations and the ability to innovate.

Basically, it’s kind of a big deal!

NIST developed the Cybersecurity Framework to enhance the security and resilience of the nation’s critical infrastructure. The voluntary risk-based Framework integrates a set of industry standards and best practices to help organizations manage cybersecurity risks. NIST worked alongside other government agencies and the private sector to establish the resulting Framework, which uses a common language to address and manage cybersecurity risk. The process of engaging the private and public sectors in developing the Framework went so well that Congress added that responsibility to NIST’s role through the Cybersecurity Enhancement Act of 2014.

What else do we need to know?

We will soon be releasing a second draft of the Framework (version 1.1) for public comment. With a large part of the update process behind us, we anticipate this draft will be finalized in a relatively short time. Why are we doing an update? Well, to keep pace with trends in threats and technology, we believe the Framework must be a living document. NIST works with stakeholders to determine which best practices that apply to specific sectors or communities—such as the legal and insurance sectors and cloud communities—might also apply to all Framework users.  NIST gathers that input from its stakeholders via request-for-information (RFI) responses, as well as conversations at meetings and workshops.

Through our years of work on the Framework at NIST—and through our collaborative efforts with cybersecurity stakeholders around the globe—we have come across a lot of best practices and work products that have both helped guide our way and inspired us to keep doing what we do. You can find lots of great examples, including the ones below, on our website.

So, without further ado and in honor of the conculsion of National Cybersecurity Awareness Month, we present you a select list of critical infrastructure resources that describe sector best practices,* which we have grouped and sorted alphabetically by area or sector for ease of use.

Communications

Energy

Financial Services

Healthcare

Manufacturing

Transportation

As we finalize Version 1.1 of the Framework and work on future versions in collaboration with our stakeholders, we will continue the conversation about which best practices are best suited for inclusion in the Framework. And if you have sector and community resources you think should be considered, cyberframework [at] nist.gov (please send them to us).

In the future, check out our Framework website for updates and news about what we’re up to. We look forward to more sharing, communicating and collaborating.

*This list of resources is not exhaustive. Please see the Framework "Industry Resources" website for a complete list. If you have a resource you would like to be listed on the website, please send an cyberframework [at] nist.gov (e-mail) to discuss next steps.

Disclaimer: Certain commercial entities, equipment or materials may be identified or linked on this site to support the Framework’s understanding and use. Such identification is neither intended to imply recommendation or endorsement by NIST nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

About the author

Matt Barrett

Matt Barrett has spent the last 20+ years of his career serving as an executive, a Fortune 100 consultant, and a federal employee. He is currently the Program Manager for the NIST Cybersecurity Framework, or simply the “Framework.” He leads this program through planning, team oversight and coordination, and outreach to industry and federal organizations. Matt works through those relationships to provide perspective and guidance, as well as gather input on the use and evolution of the Framework.

Related posts

Cybersecurity Careers Go Beyond Coding

You don’t have to be a coder or have a technical background to work in cybersecurity. Learn about the career stories of three of our NIST cybersecurity

Comments

Concrete and really axis(cyber security) for the world economy where will depends to get roots to growth l wishe more nations could work on it.

Great BLOG, Matt! Have there been any discussions for adding an industry benchmarking component to the CSF? Our 70k+ Members would love to roll this out with you.

Phil Wilson,
The GRC Sphere

Add new comment

CAPTCHA
Image CAPTCHA
Enter the characters shown in the image.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
Please be respectful when posting comments. We will post all comments without editing as long as they are appropriate for a public, family friendly website, are on topic and do not contain profanity, personal attacks, misleading or false information/accusations or promote specific commercial products, services or organizations. Comments that violate our comment policy or include links to non-government organizations/web pages will not be posted.