Executive Order 13636, issued in February 2013, established U.S. policy for maintaining a cyber environment that encourages "efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties." It directed NIST to work with stakeholders to develop a voluntary framework, based on existing standards, guidelines, and practices, for reducing cyber risks to critical infrastructure.
The framework is intended to be a set of industry standards and best practices to help organizations manage cybersecurity risks.
Some have criticized the Framework guidance as too "loose," offering no information on how an organization can begin implementing it.
In particular, the core section of the framework provides controls based on general situations rather than on threats that may be specific to a particular organization, industry, or sector.
Enterprises can use the framework as part of their processes for identifying, assessing and managing cybersecurity risk. An organization can overlay its current process onto the framework to find "gaps in its current cybersecurity risk approach and to develop a roadmap to improvement."
NIST Cybersecurity Framework Web Site
Framework Document