Framework Development Archive

NIST developed the voluntary Framework in a manner consistent with its mission to promote U.S. innovation and industrial competitiveness. The Framework has been developed and promoted through ongoing engagement with, and input from, stakeholders in government, industry, and academia. That includes an open public review and comment process, workshops and other means of engagement.

For additional narrative about the Framework’s development and key milestones up to the release of Framework v1.0, see History and Development of the Cybersecurity Framework v1.0.

The graphic below highlights key milestones of the development and continued advancement of the Cybersecurity Framework. Following the graphic is an illustrative list of all key and intermediary dates and events in chronological order.


[Graphic: Timeline For CSF]

Framework Update Process

2018 Cybersecurity Risk Management Conference
November 7-9, 2018




Cybersecurity Framework Version 1.1 - Released
April 16, 2018

The Framework has evolved to be even more informative, useful, and inclusive for all kinds of organizations. Version 1.1 is fully compatible with Version 1.0 and remains flexible, voluntary, and cost-effective. Among other refinements and enhancements, this version provides a more comprehensive treatment of identity management and additional description of how to manage supply chain cybersecurity.


RFC - Cybersecurity Framework Version 1.1 Draft 2
December 5, 2017

Draft 2 – Framework Version 1.1 - Released
December 5, 2017

NIST published the second draft of the proposed update to the Framework. This second draft update aims to clarify, refine, and enhance the Cybersecurity Framework, amplifying its value and making it easier to use. This latest draft reflects comments received to date, including those from a public review process launched in January 2017 and a workshop in May 2017.

8th Cybersecurity Framework Workshop 2017
May 16-17, 2017

RFC - Proposed Update to the Framework for Improving Critical Infrastructure Cybersecurity
January 25, 2017

Draft 1 – Framework Version 1.1 - Released
January 10, 2017

NIST issued a draft update to the Framework providing new details on managing cyber supply chain risks, clarifying key terms, and introducing measurement methods for cybersecurity. The updated Framework aimed to further develop NIST’s voluntary guidance to organizations on reducing cybersecurity risks.

7th Cybersecurity Framework Workshop 2016
April 6-7, 2016


Framework Adoption / Implementation 


RFI - Views on the Framework for Improving Critical Infrastructure Cybersecurity
December 11, 2015




This Act amended the National Institute of Standards and Technology Act (15 U.S.C. 272(c)) to say: “…on an ongoing basis, facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure”


6th Cybersecurity Framework Workshop
October 29-30, 2014

2nd Privacy Engineering Workshop
September 15-16, 2014

RFI - Experience with the Framework for Improving Critical Infrastructure Cybersecurity
August 26, 2014

1st Privacy Engineering Workshop
April 9-10, 2014


Framework development





Cybersecurity Framework Version 1.0 - Released
February 12, 2014

To help organizations charged with providing the nation's financial, energy, health care and other critical systems better protect their information and physical assets from cyber attack, the Commerce Department's National Institute of Standards and Technology (NIST) released a Framework for Improving Critical Infrastructure Cybersecurity. The framework provides a structure that organizations, regulators and customers can use to create, guide, assess or improve comprehensive cybersecurity programs.


5th Cybersecurity Framework Workshop
November 14-15, 2013

4th Cybersecurity Framework Workshop
September 11-13, 2013

3rd Cybersecurity Framework Workshop
July 10-12, 2013





Preliminary Cybersecurity Framework - Released
July 1, 2013

The Preliminary Framework was developed by NIST using information collected through the Request for Information (RFI) that was published in the Federal Register on February 26, 2013 and a series of open public workshops. The Preliminary Framework was developed in response to Executive Order 13636, "Improving Critical Infrastructure Cybersecurity" ("Executive Order"). Under the Executive Order, the Secretary of Commerce is tasked to direct the Director of NIST to work with stakeholders to develop a framework to reduce cyber risks to critical infrastructure.


2nd Cybersecurity Framework Workshop
May 29-31, 2013

1st Cybersecurity Framework Workshop
April 3, 2013


RFI - Developing a Framework To Improve Critical Infrastructure Cybersecurity
February 26, 2013





Executive Order 13636
February 12, 2013

EO 13636 outlined responsibilities for Federal Departments and Agencies to aid in Improving Critical Infrastructure Cybersecurity. It assigned these responsibilities and established the policy that, "It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties."



Created February 7, 2018, Updated April 21, 2023