Reducing Cyber Risk to Critical Infrastructure: NIST Framework

Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President, under Executive Order (EO) 13636 “Improving Critical Infrastructure Cybersecurity” of February 2013, directed the National Institute of Standards and Technology (NIST) to work with stakeholders to develop a voluntary Framework for reducing cyber risks to critical infrastructure. The Framework aims to be flexible and repeatable, while helping asset owners and operators manage cybersecurity risk. Additionally, the Administration will create a voluntary program to help encourage critical infrastructure companies to adopt the NIST Cybersecurity Framework.

The Preliminary Framework was developed by NIST using information collected through a Request for Information (RFI) published in the Federal Register on February 26, 2013, and a series of open public workshops. On October 29, 2013, NIST announced a 45-day public comment period on the Preliminary Framework in the Federal Register. This public comment period closed on Friday, December 13, 2013. All comments are being posted online.

The Energy Department is coordinating with the energy sector on implementation of the NIST Cybersecurity Framework through the electricity and oil and natural gas sector coordinating councils. The Department will provide updates as consensus is reached on energy sector implementation guidance for the Framework.

The Department also plans to leverage the Cybersecurity Capability Maturity Model (C2M2) to further facilitate the energy sector’s implementation of the NIST Cybersecurity Framework.