NIST logo
cyberframework image

Executive Order 13636: Cybersecurity Framework

Executive Order 13636: Cybersecurity Framework


Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, in February 2013. The Order directed NIST to work with stakeholders to develop a voluntary framework – based on existing standards, guidelines, and practices - for reducing cyber risks to critical infrastructure.

Latest Update to Industry

23 February 2016 is the new deadline for request for information (RFI) responses to "Views on the Framework for Improving Critical Infrastructure Cybersecurity."  A Federal Register announcement scheduled for 12 February 2016 will confirm NIST is receiving RFI responses in the period of time between the previous deadline (2/9/16) and the new deadline, 5PM Eastern Time on 23 February 2016. 

In the Request for Information (RFI) issued on December 11, 2015, NIST is seeking information on:

  • ways in which the Framework is being used to improve cybersecurity risk management,
  • how best practices for using the Framework are being shared, 
  • the relative value of different parts of the Framework, 
  • the possible need for an update of the Framework, and 
  • options for long-term governance of the Framework 

Respondents may organize their RFI submissions using the RFI Response Template. Use of this template is not required, but will assist NIST with expeditious processing of RFI submissions.All responses that comply with the requirements listed in the RFI will be considered whether or not the template is used.

Responses to this RFI will inform NIST's decision-making about how to further advance the Framework so the Nation's critical infrastructure is more secure.

Information provided also will assist in developing the agenda for a workshop on the Framework being planned for April 6- 7, 2016, in Gaithersburg, Maryland. Specifics will be announced at a later date.

Background: Framework for Improving Critical Infrastructure Cybersecurity

Created through collaboration between industry and government, the Framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk.

The Framework Core and Informative Requirements are available as separate downloads in three formats: spreadsheet (Excel)alternate view (PDF), and database (FileMaker Pro). A companion Roadmap discusses future steps and identifies key areas of cybersecurity development, alignment, and collaboration.

The Department of Homeland Security's Critical Infrastructure Cyber Community C³ Voluntary Program helps critical infrastructure owners and operators align with existing resources to assist them in using the Cybersecurity Framework and managing their cyber risks.

In addition to encouraging responses to the RFI, NIST welcomes informal feedback about the Framework and Roadmap. Organizations and individuals may contribute observations, suggestions, and examples of use and lessons learned to