Cybersecurity Framework Supporting Documents

Discussion Draft of the Preliminary Cybersecurity Framework

A Discussion Draft of the Preliminary Cybersecurity Framework for improving critical infrastructure cybersecurity is now available for review. This draft is provided by the National Institute of Standards and Technology (NIST) in advance of the Fourth Cybersecurity Framework workshop on September 11-13, 2013, at the University of Texas at Dallas. In addition, NIST is providing a draft Executive Overview and Illustrative Examples for review.

Participants are asked to review these discussion draft materials in advance of the workshop. The workshop is designed to allow participants to offer substantive input on these versions, as well as on related topics -- including implementation and governance of the Framework.

Comments from the public can also be provided via email to cyberframework[at]nist[dot]gov.

Discussion Draft – Preliminary Cybersecurity Framework, August 28, 2013

Discussion Draft – Executive Overview, August 28, 2013

Discussion Draft – Illustrative Examples, Threat Mitigation, August 28, 2013

Discussion Draft – Illustrative Example, ICS Profile for the Electricity Subsector, August 30, 2013

DRAFT Outline - Preliminary Cybersecurity Framework, July 1, 2013
The purpose of this document is to define the overall Framework and provide guidance on its usage. The primary audiences for the document and intended users of the Framework are critical infrastructure owners and operators and their partners. However, it is expected that many organizations facing cybersecurity challenges may benefit from adopting the Framework. The Framework is being designed to be relevant for organizations of nearly every size and composition. It is also expected that many organizations that already are productively and successfully using appropriate cybersecurity standards, guidelines, and practices – including those who contributed suggestions for inclusion in this document – will continue to benefit by using those tools.

DRAFT - Framework Core
The Framework Core offers a way to take a high-level, overarching view of an organization's management of cybersecurity risk by focusing on key functions of an organization's approach to this security. These are then broken down further into categories. The Framework's core structure consists of:

  • Five major cybersecurity functions and their categories and subcategories
  • Three Framework Implementation Levels associated with an organization's cybersecurity functions and how well that organization implements the framework.

Preliminary Framework Compendium
The Framework's core also includes the compendium of informative references, existing standards, guidelines, and practices to assist with specific implementation.

The compendium of informative references, which includes standards, guidelines and best practices, is provided as an initial data set to map specifics to subcategories, categories and functions. The Framework's compendium points to many standards, including performance and process-based standards. These are intended to be illustrative and to assist organizations in identifying and selecting standards for their own use and for mapping into the core Framework. The compendium also offers practices and guidelines, including practical implementation guides.

Created October 28, 2013, Updated December 16, 2013