NIST developed the voluntary Framework in a manner consistent with its mission to promote U.S. innovation and industrial competitiveness. The Framework has been developed and promoted through ongoing engagement with, and input from, stakeholders in government, industry, and academia. That includes an open public review and comment process, workshops and other means of engagement.
For additional narrative about the Framework’s development and key milestones up to the release of Framework v1.0, see History and Development of the Framework.
The graphic below highlights key milestones of the development and continued advancement of the Cybersecurity Framework. Following the graphic, is an illustrative list of all key and intermediary dates and events in chronological order.
Framework Update Process
2018 Cybersecurity Risk Management Conference
November 7-9, 2018
Cybersecurity Framework Version 1.1 - Released
April 16, 2018
The Framework has evolved to be even more informative, useful, and inclusive for all kinds of organizations. Version 1.1 is fully compatible with Version 1.0 and remains flexible, voluntary, and cost-effective. Among other refinements and enhancements, this version provides a more comprehensive treatment of identity management and additional description of how to manage supply chain cybersecurity.
RFC - Cybersecurity Framework Version 1.1 Draft 2
December 5, 2017
Draft 2 – Framework Version 1.1 - Released
December 5, 2017
NIST published the second draft of the proposed update to the Framework. This second draft update aims to clarify, refine, and enhance the Cybersecurity Framework, amplifying its value and making it easier to use. This latest draft reflects comments received to date, including those from a public review process launched in January 2017 and a workshop in May 2017.
8th Cybersecurity Framework Workshop 2017
May 16-17, 2017
Draft 1 – Framework Version 1.1 - Released
January 10, 2017
NIST issued a draft update to the Framework providing new details on managing cyber supply chain risks, clarifying key terms, and introducing measurement methods for cybersecurity. The updated Framework aimed to further develop NIST’s voluntary guidance to organizations on reducing cybersecurity risks.
7th Cybersecurity Framework Workshop 2016
April 6-7, 2016
Framework Adoption / Implementation
Cybersecurity Enhancement Act of 2014
December 18, 2014
This Act amended the National Institute of Standards and Technology Act (15 U.S.C. 272(c)) to say: “…on an ongoing basis, facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure”
6th Cybersecurity Framework Workshop
October 29-30, 2014
2nd Privacy Engineering Workshop
September 15-16, 2014
1st Privacy Engineering Workshop
April 9-10, 2014
Cybersecurity Framework Version 1.0 - Released
February 12, 2014
To help organizations charged with providing the nation's financial, energy, health care and other critical systems better protect their information and physical assets from cyber attack, the Commerce Department's National Institute of Standards and Technology (NIST) released a Framework for Improving Critical Infrastructure Cybersecurity. The framework provides a structure that organizations, regulators and customers can use to create, guide, assess or improve comprehensive cybersecurity programs.
5th Cybersecurity Framework Workshop
November 14-15, 2013
4th Cybersecurity Framework Workshop
September 11-13, 2013
3rd Cybersecurity Framework Workshop
July 10-12, 2013
Preliminary Cybersecurity Framework - Released
July 1, 2013
The Preliminary Framework was developed by NIST using information collected through the Request for Information (RFI) that was published in the Federal Register on February 26, 2013 and a series of open public workshops. The Preliminary Framework was developed in response to Executive Order 13636, "Improving Critical Infrastructure Cybersecurity" ("Executive Order"). Under the Executive Order, the Secretary of Commerce is tasked to direct the Director of NIST to work with stakeholders to develop a framework to reduce cyber risks to critical infrastructure.
2nd Cybersecurity Framework Workshop
May 29-31, 2013
1st Cybersecurity Framework Workshop
April 3, 2013
Executive Order 13636
February 12, 2013
EO 13636 outlined responsibilities for Federal Departments and Agencies to aid in Improving Critical Infrastructure Cybersecurity. It assigned these responsibilities and established the policy that, "It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties."