This online learning module provides readers with insight into how the NIST Framework for Improving Critical Infrastructure Cybersecurity ("The Framework") was created, describes some of the major milestones during creation, and explains the goals for creating the Framework.
Improving Critical Infrastructure Cybersecurity
The Framework development process initiated with Executive Order 13636, which was released on February 12, 2013. The Executive Order introduced efforts on the sharing of cybersecurity threat information, and on building a set of current and successful approaches, a framework, for reducing risks to critical infrastructure. Through this Executive Order, NIST was tasked with the development of a "Cybersecurity Framework"
Executive Order 13636
February 12, 2013
“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties"
The Executive Order established the following requirements for the Framework that NIST used as design criteria:
- Identify security standards and guidelines applicable across sectors of critical infrastructure
- Provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach
- Help owners and operators of critical infrastructure identify, assess, and manage cyber risk
- Enable technical innovation and account for organizational differences
- Provide guidance that is technology neutral and enables critical infrastructure sectors to benefit from a competitive market for products and services
- Include guidance for measuring the performance of implementing the Cybersecurity Framework
- Identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations
NIST was selected for the task of developing the Framework because they are a non-regulatory federal agency that acts as an unbiased source of scientific data and practices, including cybersecurity practices. NIST’s mission is to promote U.S. innovation and industrial competitiveness. NIST has a long history of successfully addressing critical national issues through partnerships with industry, academia, and other government agencies. This kind of collaboration would be critical for the Framework to be successful.
Creating the Framework
The Framework was, and continues to be, developed and promoted through ongoing engagement with, and input from, stakeholders in government, industry, and academia. To develop the Framework, over the course of a year, NIST used a Request for Information (RFI) and Request for Comment (RFC), as well as extensive outreach and five workshops around the country to: (i) identify existing cybersecurity standards, guidelines, frameworks, and best practices that were applicable to increase the security of critical infrastructure sectors and other interested entities; (ii) specify high-priority gaps for which new or revised standards were needed; and (iii) collaboratively develop action plans by which these gaps could be addressed.
Framework Creation Events & Timeline
Below are a some of the major milestones in the public-private partnership which led to the creation of the Framework.
Executive Order 13636 - Feb 12, 2013
Executive Order 13636 was signed by President Obama on February 12, 2013. As described above, the Executive Order outlined several objectives for establishing a cybersecurity framework to help protect the nations critical infrastructure. The Executive Order also requested the framework be developed with support from industry and academia and published within one-year of the Executive Order's signing.
RFI - Developing a Framework to Improve Critical Infrastructure Cybersecurity - February 26, 2013
Shortly after the release of Executive Order 13636, NIST released the first in a series of Requests for Information (RFIs) on February 26, 2013. The primary objectives for the initial RFI was to collect lessons learned from industry by understanding which standards were being used, and how effective these standards were in improving cybersecurity across industries. During the comment period ending on April 8, 2013, NIST received over 270 responses to the RFI and analyzed them to develop the agenda for the 2nd Cybersecurity Framework workshop.
1st Cybersecurity Framework Workshop - April 3, 2013
The First Framework Workshop was held as an online-only broadcast from the Department of Commerce in Washington D.C. The purpose of this workshop was primarily to gather industry interest, raise awareness of the Framework endeavor, and to provide insight into the collaborative Framework development process that was just getting started. At this Workshop, the primary topics included discussions about the Executive Order 13636, the goals in the development of the Framework, and to reaffirm the collaborative process that would be used to create the Framework. At this event, NIST announced a series of collaborative, in-person, workshops all across the country.
2nd Cybersecurity Framework Workshop - May 29-31, 2013
This workshop, along with the following workshops that led up to the Framework's release, were strategically held in locations around the US to help promote attendance by as many participants across as many critical infrastructure sectors as possible. Each of these workshops were also webcast live, and recorded, to allow remote attendees to view and participate. This workshop was held at Carnegie Mellon University in Pittsburg, PA. The agenda for the workshop was developed based on the analysis of the first RFI, with the goal to further refine and clarify information received. The workshop was held across three days and included several simultaneous tracks on specific topics uncovered during the RFI to facilitate the data collection activities. NIST facilitated the workshops to encourage dialogue and debate across a wide range of security topics. Through these discussions, NIST was able to gain a clearer understanding from industry of what was working well, where additional guidance was needed, and which topics should be avoided in the Framework. Following the workshops, NIST analyzed the information presented and developed summary papers describing their take-away from the workshops. The summaries were then shared back with industry and used to create the Preliminary Cybersecurity Framework draft.
Preliminary Cybersecurity Framework Released - July 1, 2013
The Preliminary Cybersecurity Framework captured the information received from the initial RFI and the previous workshop. It presented the information in a standardized format to allow NIST to clearly articulate to industry how they were capturing their thoughts and comments. NIST released the preliminary draft on July 1, 2013 in preparation for the third workshop held on July 10 -12, 2013.
3rd Cybersecurity Framework Workshop - July 10-12, 2013
The Third Framework Workshop was held at the University of California in San Diego, CA on July 10-12, 2013. At this workshop, the agenda heavily focused on working sessions to discuss the Preliminary Cybersecurity Framework and what should be included moving forward. NIST received a great deal of input on what participants wanted to see included in the Categories and Subcategories of the Framework, how levels of Framework implementation should be determined, and how Informative References should be included in the Core. NIST analyzed this information, shared the key take-aways with participants, and used it to create the next iteration of the Draft Framework.
Discussion Draft of Preliminary Cybersecurity Framework Released - August 28, 2013
NIST greatly expanded upon the material that was included in the 1st Preliminary Framework Draft by folding in the comments and information gathered in the previous workshop. The Draft Framework grew from being an annotated outline, to being a fully drafted document. NIST included a 5-step process for implementation and fleshed out the Framework core with a number of Categories, Subcategories, and Informative References.
4th Cybersecurity Framework Workshop - September 11-13, 2013
The Fourth Workshop was held at the University of Texas at Dallas in Richardson, TX on September 11-13, 2013. Before this workshop, participants were asked to have reviewed the latest draft of the Framework, as it was the focus of the agenda. Again, this workshop heavily concentrated on working sessions that split the participants into small groups to discuss their feedback about the Discussion Draft of the Framework. NIST received feedback that included the need for additional clarification around the Framework Core, Tier, and Profile integration, expressing the Core in terms of outcomes, and a variety of other areas of the Draft Framework that needed improvements.
RFC - Comments on the Preliminary Cybersecurity Framework - October 29, 2013
On October 29, 2013 NIST released an RFC seeking comments on the latest version of the Preliminary Framework Draft. Over the 45-day comment period, ending on December 13, 2013, NIST received over 200 comments. These comments, along with those received during the 5th Framework Workshop, heavily influenced the version 1.0 Framework publication.
5th Cybersecurity Framework Workshop - November 14-15, 2013
The Fifth Workshop was held at North Carolina State University in Raleigh, NC on November 14-15, 2013. During this Workshop, specific breakout sessions were held for small and medium business, how the Framework could be used, and a voluntary critical infrastructure cybersecurity program. These breakout sessions, as well as others held during the workshop, allowed participants to openly discuss the preliminary draft and provide recommendations for enhancements that should be considered before NIST published the Framework. As with all preceding workshops, NIST summarized the key points collected during the workshop as closing remarks to the workshop and then took the information collected during the workshop, along with comments received through the RFC, to finalize version 1.0 of the Framework.
Framework 1.0 Publication - February 12, 2014
One year after the release of Executive Order 13636, on February 12, 2014, NIST released version 1.0 of the Framework for Improving Critical Infrastructure Cybersecurity. The Framework was released as voluntary guidance, based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk. The Framework captured key points received from the RFIs and workshops held during its collaborative development process. The Framework incorporates comments from over 3,000 workshop attendees and 15,000 comments received during its development. While the release of Framework v1.0 was a significant milestone, NIST did not stop coordinating with industry following its release. NIST, to this day, continues community outreach activities as well as active dialogue with industry though industry workshops and continued Framework workshops.
For additional details regarding these milestones and the progress that has been made since the Framework's initial release, including Framework v1.1, see The Evolution of the Framework.