NIST logo
cyberframework image

Executive Order 13636: Cybersecurity Framework

Executive Order 13636: Cybersecurity Framework


Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, in February 2013. It directed NIST to work with stakeholders to develop a voluntary framework – based on existing standards, guidelines, and practices - for reducing cyber risks to critical infrastructure.

Latest Update to Industry - July 1, 2015

Since releasing the Framework in February 2014, NIST has been educating a broad audience about the Framework's use and value. The Framework is being employed across the country, in a host of sectors, and by organizations ranging from multinationals to small businesses. The proposed value of Framework has been validated through a large volume and breadth of interactions between NIST and industry.

Recently, NIST has focused outreach efforts on the international, regulator, and small and medium business (SMB) communities. In all of these interactions, NIST continues to communicate the merits of the Framework as an organizational and communication tool to better manage cybersecurity risk.

Additionally, NIST has begun a campaign to clarify and highlight how the FISMA suite of guidelines and standards can be used in concert with the Framework. This effort has started as a dialog with users of FISMA guidance at various meetings and speaking events, and will culminate in a NIST publication.

To read more about any of the above topics, please visit our latest Framework newsletter.

Framework for Improving Critical Infrastructure Cybersecurity

The Framework, created through collaboration between industry and government, consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk.

NIST released the first version of the Framework for Improving Critical Infrastructure Cybersecurity (PDF EPUB EPUB Help) on February 12, 2014. The Framework Core, an important component of the Framework, and Informative Requirements thereof are available as separate downloads in three formats: spreadsheet (Excel), alternate view (PDF), and database (FileMaker Pro).  NIST is also pleased to issue a companion Roadmap that discusses NIST's next steps with the Framework and identifies key areas of cybersecurity development, alignment, and collaboration.

The Department of Homeland Security's Critical Infrastructure Cyber Community C³ Voluntary Program helps align critical infrastructure owners and operators with existing resources that will assist their efforts to adopt the Cybersecurity Framework and manage their cyber risks. Learn more about the C³ Voluntary Program by visiting the C3 Web site.

In the interest of continuous improvement, NIST will continue to receive and consider informal feedback about the Framework and Roadmap. As has been the case throughout the process, organizations and individuals may contribute observations, suggestions, and lessons learned to