Cybersecurity Framework - Archived Documents

Preliminary Cybersecurity Framework

The Preliminary Framework was developed by NIST using information collected through the Request for Information (RFI) that was published in the Federal Register on February 26, 2013 and a series of open public workshops. The Preliminary Framework was developed in response to Executive Order 13636, "Improving Critical Infrastructure Cybersecurity" ("Executive Order"). Under the Executive Order, the Secretary of Commerce is tasked to direct the Director of NIST to work with stakeholders to develop a framework to reduce cyber risks to critical infrastructure.

On October 29, 2013, NIST announced a 45-day public comment period on the preliminary Framework in the Federal Register. This public comment period closed on Friday, December 13, 2013 at 5:00pm EST. All comments have been posted at without change or redaction.

Request for Comments on the Preliminary Cybersecurity Framework
Preliminary Cybersecurity Framework (PDF)
Preliminary Cybersecurity Framework (EPUB)
Preliminary Cybersecurity Framework Comments Template (Excel)
Preliminary Cybersecurity Framework Comments

Discussion Draft of the Preliminary Cybersecurity Framework

A Discussion Draft of the Preliminary Cybersecurity Framework for improving critical infrastructure cybersecurity is now available for review. This draft is provided by the National Institute of Standards and Technology (NIST) in advance of the Fourth Cybersecurity Framework workshop on September 11-13, 2013, at the University of Texas at Dallas. In addition, NIST is providing a draft Executive Overview and Illustrative Examples for review.

Participants are asked to review these discussion draft materials in advance of the workshop. The workshop is designed to allow participants to offer substantive input on these versions, as well as on related topics -- including implementation and governance of the Framework.

Comments from the public also can be provided via email to cyberframework[at]nist[dot]gov.

Discussion Draft – Preliminary Cybersecurity Framework, August 28, 2013

Discussion Draft – Executive Overview, August 28, 2013

Discussion Draft – Illustrative Examples, Threat Mitigation, August 28, 2013

Discussion Draft - Illustrative Example, ICS Profile for the Electricity Subsector, August 30, 2013

DRAFT Outline - Preliminary Cybersecurity Framework, July 1, 2013
The purpose of this document is to define the overall Framework and provide guidance on its usage. The primary audiences for the document and intended users of the Framework are critical infrastructure owners and operators and their partners. However, it is expected that many organizations facing cybersecurity challenges may benefit from adopting the Framework. The Framework is being designed to be relevant for organizations of nearly every size and composition. It is also expected that many organizations that already are productively and successfully using appropriate cybersecurity standards, guidelines, and practices – including those who contributed suggestions for inclusion in this document – will continue to benefit by using those tools.

DRAFT - Framework Core
The Framework Core offers a way to take a high-level, overarching view of an organization's management of cybersecurity risk by focusing on key functions of an organization's approach to this security. These are then broken down further into categories. The Framework's core structure consists of:

  • Five major cybersecurity functions and their categories and subcategories
  • Three Framework Implementation Levels associated with an organization's cybersecurity functions and how well that organization implements the framework.

Preliminary Framework Compendium
The Framework's core also includes the compendium of informative references, existing standards, guidelines, and practices to assist with specific implementation.

The compendium of informative references, which includes standards, guidelines and best practices, is provided as an initial data set to map specifics to subcategories, categories and functions. The Framework's compendium points to many standards, including performance and process-based standards. These are intended to be illustrative and to assist organizations in identifying and selecting standards for their own use and for mapping into the core Framework. The compendium also offers practices and guidelines, including practical implementation guides.

Notice of Inquiry (NOI)
The Department of Commerce has issued a Notice of Inquiry (NOI) in the Federal Register to gather comments from the private sector on a broad set of incentives that could help to promote the adoption of proven efforts to address cybersecurity vulnerabilities.

January 2017
As published on January 10, 2017:

April 2017
Feedback and comments as directed to cyberframework[at]nist[dot]gov by April 10th, 2017.

December 2017
As published on December 5, 2017:

January 2018
Feedback and comments as directed to cyberframework[at]nist[dot]gov by January 19th, 2018.

Created December 12, 2013, Updated April 16, 2018