NIST developed the voluntary Framework in a manner consistent with its mission to promote U.S. innovation and industrial competitiveness. The Framework has been developed and promoted through ongoing engagement with, and input from, stakeholders in government, industry, and academia. That includes an open public review and comment process, workshops and other means of engagement.
For additional narrative about the Framework’s development and key milestones up to the release of Framework v1.0, see History and Development of the Cybersecurity Framework v1.0.
The graphic below highlights key milestones of the development and continued advancement of the Cybersecurity Framework. Following the graphic is an illustrative list of all key and intermediary dates and events in chronological order.
The Framework has evolved to be even more informative, useful, and inclusive for all kinds of organizations. Version 1.1 is fully compatible with Version 1.0 and remains flexible, voluntary, and cost-effective. Among other refinements and enhancements, this version provides a more comprehensive treatment of identity management and additional description of how to manage supply chain cybersecurity.
NIST published the second draft of the proposed update to the Framework. This second draft update aims to clarify, refine, and enhance the Cybersecurity Framework, amplifying its value and making it easier to use. This latest draft reflects comments received to date, including those from a public review process launched in January 2017 and a workshop in May 2017.
NIST issued a draft update to the Framework providing new details on managing cyber supply chain risks, clarifying key terms, and introducing measurement methods for cybersecurity. The updated Framework aimed to further develop NIST’s voluntary guidance to organizations on reducing cybersecurity risks.
This Act amended the National Institute of Standards and Technology Act (15 U.S.C. 272(c)) to say: “…on an ongoing basis, facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure”.
To help organizations charged with providing the nation's financial, energy, health care and other critical systems better protect their information and physical assets from cyber attack, the Commerce Department's National Institute of Standards and Technology (NIST) released a Framework for Improving Critical Infrastructure Cybersecurity. The framework provides a structure that organizations, regulators and customers can use to create, guide, assess or improve comprehensive cybersecurity programs.
The Preliminary Framework was developed by NIST using information collected through the Request for Information (RFI) that was published in the Federal Register on February 26, 2013 and a series of open public workshops. The Preliminary Framework was developed in response to Executive Order 13636, "Improving Critical Infrastructure Cybersecurity" ("Executive Order"). Under the Executive Order, the Secretary of Commerce is tasked to direct the Director of NIST to work with stakeholders to develop a framework to reduce cyber risks to critical infrastructure.
EO 13636 outlined responsibilities for Federal Departments and Agencies to aid in Improving Critical Infrastructure Cybersecurity. It assigned these responsibilities and established the policy that, "It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties."