National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, January 2016. Unclassified.
National Security Archive
From Snowden to ransomware, the 2016 NIST Cybersecurity Framework turned a crisis‑driven executive order into a voluntary, market‑friendly playbook that still guides critical‑infrastructure security today.
Source: National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, January 2016. Unclassified. Date: Jan 1, 2016. Archive: National Institute of Standards and Technology. Collection: Cyber Vault: First Responders Targeted (Sep 13, 2017).
Editorial Analysis
Original analysis by the DriftSeas editorial desk. The complete primary-source document, transcribed from the National Security Archive scan, appears in full below.
A Blueprint Born of a Cyber Crisis
In the wake of the 2013 Snowden disclosures and a spate of high‑profile hacks on utilities, the Obama administration pressed the federal government to articulate a coherent, market‑friendly response to the growing vulnerability of the nation’s critical infrastructure. Executive Order 13636, signed on 12 February 2013, tasked the Department of Commerce’s National Institute of Standards and Technology (NIST) with drafting a voluntary framework that would translate the often‑arcane language of cybersecurity standards into a set of actionable, business‑oriented practices. The document presented here—NIST’s Framework for Improving Critical Infrastructure Cybersecurity, released in January 2016—is the culmination of that mandate.
From Executive Order to Industry Playbook
The EO explicitly framed cybersecurity as a matter of national security, economic prosperity, and civil liberties, a triad that forced policymakers to balance strong protection with the free flow of information essential to innovation. NIST’s response was to adopt a “risk‑management” posture rather than a prescriptive checklist, thereby sidestepping the regulatory backlash that a top‑down mandate would have provoked. The framework’s five‑function core—Identify, Protect, Detect, Respond, Recover—mirrors the life cycle of a cyber incident and offers a common language for executives, engineers, and regulators alike.
Who Shaped the Language?
The primary actors were NIST’s cyber‑policy team, led by the then‑acting director of the Information Technology Laboratory, and a broad coalition of private‑sector stakeholders ranging from energy firms to financial institutions. Their influence is evident in the extensive cross‑references to existing standards—COBIT, ISO/IEC 27001, ISA 62443, and NIST SP 800‑53—showing a deliberate effort to align the new framework with the tools already in use. The document’s emphasis on “flexibility” and “maturity models” reflects industry pressure for a non‑prescriptive approach that could be scaled to organizations of any size, from a municipal water utility to a multinational oil conglomerate.
Reading Between the Lines
While the text is overtly voluntary, the surrounding policy context hints at an implicit coercion: federal agencies began requiring vendors to demonstrate alignment with the framework as a condition of contracts, and sector‑specific guidance (e.g., the Department of Energy’s implementation guide) effectively made the framework the de facto standard for critical‑infrastructure operators. The tiered implementation model—Partial to Adaptive—functions as a soft mandate, encouraging firms to self‑assess and publicly disclose their maturity level, thereby creating market pressure for continual improvement.
Why the Framework Still Matters
Since its 2016 release, the NIST Cybersecurity Framework has become the lingua franca of cyber risk management worldwide. Its modular design has enabled adaptations for state and local governments, small businesses, and even non‑U.S. entities seeking a credible baseline. Moreover, the framework’s emphasis on communication—through the concept of a “Profile” that aligns risk appetite with business objectives—has reshaped board‑level discussions about cyber investment. Critics argue that its voluntary nature leaves the most vulnerable operators without sufficient incentive to adopt it, but the framework’s endurance suggests that voluntary, market‑driven standards can achieve a degree of cohesion that hard‑law approaches have struggled to attain.
Legacy and the Road Ahead
The 2016 document marks a turning point in U.S. cyber policy: it shifted the narrative from punitive regulation to collaborative risk management. As ransomware attacks on pipelines and hospitals demonstrate, the stakes have only risen. Future revisions will likely grapple with integrating supply‑chain risk management and emerging technologies such as AI‑driven threat detection, but the core architecture—five functions, tiered maturity, and sector‑specific profiles—remains a durable scaffold for the nation’s cyber resilience strategy.
# Framework for Improving Critical Infrastructure Cybersecurity
January 2016
cyberframework@nist.gov
NIST
National Institute of Standards and Technology
U.S. Department of Commerce
# Improving Critical Infrastructure Cybersecurity
> “It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties”
>
> President Barack Obama, Executive Order 13636, 12 February 2013
# Cybersecurity Framework Components
- Framework Core: Cybersecurity activities and informative references, organized around particular outcomes. Enables communication of cyber risk across an organization.
- Framework Profile: Aligns industry standards and best practices to the Framework Core in a particular implementation scenario. Supports prioritization and measurement while factoring in business needs.
- Framework Implementation Tiers: Describes how cybersecurity risk is managed by an organization and the degree to which its risk management practices exhibit key characteristics.
# Implementation Tiers
Cybersecurity Framework Component
Tier progression shown on the slide: None → Tier 1 Partial → Tier 2 Risk Informed → Tier 3 Repeatable → Tier 4 Adaptive
* Allow for flexibility in implementation and bring in concepts of maturity models
* Reflect how an organization implements the Framework Core functions and manages its risk
* Progressive, ranging from Partial (Tier 1) to Adaptive (Tier 4), with each Tier building on the previous Tier
* Characteristics are defined at the organizational level and are applied to the Framework Core to determine how a category is implemented
# Core
Cybersecurity Framework Component
| Function | Category | ID |
|---|---|---|
| Identify | Asset Management | ID.AM |
| Identify | Business Environment | ID.BE |
| Identify | Governance | ID.GV |
| Identify | Risk Assessment | ID.RA |
| Identify | Risk Management Strategy | ID.RM |
| Protect | Access Control | PR.AC |
| Protect | Awareness and Training | PR.AT |
| Protect | Data Security | PR.DS |
| Protect | Information Protection Processes & Procedures | PR.IP |
| Protect | Maintenance | PR.MA |
| Protect | Protective Technology | PR.PT |
| Detect | Anomalies and Events | DE.AE |
| Detect | Security Continuous Monitoring | DE.CM |
| Detect | Detection Processes | DE.DP |
| Respond | Response Planning | RS.RP |
| Respond | Communications | RS.CO |
| Respond | Analysis | RS.AN |
| Respond | Mitigation | RS.MI |
| Respond | Improvements | RS.IM |
| Recover | Recovery Planning | RC.RP |
| Recover | Improvements | RC.IM |
| Recover | Communications | RC.CO |
Example: the Business Environment (ID.BE) subcategories and their informative references.

| Subcategory | Informative References |
|---|---|
| ID.BE-1: The organization’s role in the supply chain is identified and communicated | COBIT 5 APO01.02, DSS06.03; ISA 62443-2-1:2009 4.3.2.3.3; ISO/IEC 27001:2013 A.6.1.1; NIST SP 800-53 Rev. 4 CP-2, PS-7, PM-11 |
| ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated | COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05; ISO/IEC 27001:2013 A.15.1.3, A.15.2.1, A.15.2.2; NIST SP 800-53 Rev. 4 CP-2, SA-12 |
| ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated | COBIT 5 APO02.06, APO03.01; NIST SP 800-53 Rev. 4 PM-8 |
| ID.BE-4: Dependencies and critical functions for delivery of critical services are established | COBIT 5 APO02.01, APO02.06, APO03.01; ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6; NIST SP 800-53 Rev. 4 PM-11, SA-14 |
| ID.BE-5: Resilience requirements to support delivery of critical services are established | ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3; NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14 |
# Profile
Cybersecurity Framework Component
Ways to think about a Profile:
- A customization of the Core for a given sector, subsector, or organization
- A fusion of business/mission logic and cybersecurity outcomes
- An alignment of cybersecurity requirements with operational methodologies
- A basis for assessment and expressing target state
- A decision support tool for cybersecurity risk management
Diagram: the five Core functions (Identify, Protect, Detect, Respond, Recover) that a Profile customizes.
# Using Profiles to Communicate Priorities
Risk management flows between three organizational levels; the Profile is the artifact that carries priorities downward and progress upward.
- Senior Executive Level. Focus: Organizational Risk. Actions: Risk Decision and Priorities. Passes down: Mission Priority and Risk Appetite and Budget. Receives from below: Changes in Current and Future Risk.
- Business/Process Level. Focus: Critical Infrastructure Risk Management. Actions: Selects Profile, Allocates Budget. Passes down: Framework Profile. Receives from below: Implementation Progress; Changes in Assets, Vulnerability and Threat.
- Implementation/Operations Level. Focus: Securing Critical Infrastructure. Actions: Implements Profile.
# Building a Profile
A Profile can be created in three steps.

1. Mission: rank the mission priorities and the objectives they serve.

| Priority | Objective |
|---|---|
| 1 | A |
| 2 | B |
| 3 | C |

2. Cybersecurity Requirements (Legislation, Regulation, Internal & External Policy, Best Practice): map the requirements onto the Core subcategories.

| Subcategory |
|---|
| 1 |
| 2 |
| 3 |
| ... |
| 98 |

3. Operating Methodologies: guidance and methodology on implementing, managing, and monitoring.
# Resource and Budget Decisioning
*What Can You Do with a CSF Profile*
The As-Is columns (Priority, Gaps) compare the current state to the target state per subcategory; the To-Be columns schedule the activities that close each gap in Year 1 or Year 2.

| Sub-category | Priority (As-Is) | Gaps (As-Is) | Year 1 To-Be Activities | Year 2 To-Be Activities |
| :--- | :--- | :--- | :--- | :--- |
| 1 | moderate | small | | X |
| 2 | high | large | X | |
| 3 | moderate | medium | X | |
| ... | ... | ... | | |
| 98 | moderate | none | | reassess |

...and supports on-going operational decisions too
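The three Profile-building steps and the As-Is / To-Be gap table above, as a worked Python model (an added example, not NIST's code): subcategory IDs are validated against the Core table on this page, each row's As-Is and To-Be state is assumed to be scored on the Tier scale (1 Partial to 4 Adaptive), and the priority weights, Year 1 capacity and sample rows are constructed inputs.

```python
# Added example (not NIST's code): a minimal model of the "Building a
# Profile" steps and the As-Is / To-Be gap table from these slides.
from dataclasses import dataclass

# Function -> category IDs, as in the Core table on this page.
CORE = {"ID": {"AM", "BE", "GV", "RA", "RM"}, "DE": {"AE", "CM", "DP"},
        "PR": {"AC", "AT", "DS", "IP", "MA", "PT"},
        "RS": {"RP", "CO", "AN", "MI", "IM"}, "RC": {"RP", "IM", "CO"}}
PRIORITY_WEIGHT = {"low": 1, "moderate": 2, "high": 3}  # assumed weights

def parse_subcategory(sub_id):
    """'ID.BE-1' -> ('ID', 'BE', 1); rejects IDs that are not in the Core."""
    func, rest = sub_id.split(".", 1)
    cat, num = rest.split("-", 1)
    if cat not in CORE.get(func, ()):
        raise ValueError(f"unknown subcategory {sub_id}")
    return func, cat, int(num)

@dataclass
class ProfileRow:
    subcategory: str  # Core subcategory ID
    priority: str     # derived from the step 1 mission priorities
    current: int      # As-Is state on the Tier scale (1 Partial .. 4 Adaptive)
    target: int       # To-Be state on the same scale (assumed scoring)

    def gap(self):
        d = self.target - self.current
        return "none" if d <= 0 else {1: "small", 2: "medium"}.get(d, "large")

def plan(rows, year1_capacity):
    """Rank open gaps by priority weight x tier gap; fill Year 1 up to capacity, rest Year 2; closed gaps are reassessed."""
    [parse_subcategory(r.subcategory) for r in rows]  # validate IDs
    ranked = sorted(rows, key=lambda r: -PRIORITY_WEIGHT[r.priority]
                    * max(r.target - r.current, 0))
    schedule, used = {}, 0
    for r in ranked:
        if r.target <= r.current:
            schedule[r.subcategory] = "reassess"
        elif used < year1_capacity:
            schedule[r.subcategory] = "Year 1"
            used += 1
        else:
            schedule[r.subcategory] = "Year 2"
    return schedule

# Constructed sample Profile over the ID.BE subcategories quoted above.
SAMPLE = [ProfileRow("ID.BE-1", "moderate", 2, 3),  # small gap
          ProfileRow("ID.BE-2", "high", 1, 4),      # large gap
          ProfileRow("ID.BE-3", "moderate", 1, 3),  # medium gap
          ProfileRow("ID.BE-4", "moderate", 3, 3),  # no gap
          ProfileRow("ID.BE-5", "low", 2, 4)]       # medium gap, low priority
```

With a Year 1 capacity of two activities, `plan(SAMPLE, 2)` reproduces the slide's pattern: the high-priority large gap and the moderate medium gap land in Year 1, the small gap waits for Year 2, and the closed gap is marked for reassessment.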
# Examples of Industry Resources
- Intel: The Cybersecurity Framework in Action: An Intel Use Case
- SIFMA: Cybersecurity Guidance for Small Firms
- Department of Energy: Energy Sector Cybersecurity Framework Implementation Guidance
- CSRIC (Communications Security, Reliability and Interoperability Council): Cybersecurity Risk Management and Best Practices Working Group 4: Final Report
# Examples of State & Local Use
Texas, Department of Information Resources (DIR)
- Aligned Agency Security Plans with Framework
- Aligned Product and Service Vendor Requirements with Framework

North Dakota, Information Technology Department (ITD)
- Allocated Roles & Responsibilities using Framework
- Adopted the Framework into their Security Operation Strategy

Houston, Greater Houston Partnership
- Integrated Framework into their Cybersecurity Guide
- Offer On-Line Framework Self-Assessment

National Association of State CIOs (NASCIO), representing Chief Information Officers of the states
- 2 out of 3 CIOs from the 2015 NASCIO Awards cited Framework as a part of their award-winning strategy

New Jersey
- Developed a cybersecurity framework that aligns controls and procedures with Framework
# Framework Roadmap Items
- Authentication
- Automated Indicator Sharing
- Conformity Assessment
- Cybersecurity Workforce
- Data Analytics
- Federal Agency Cybersecurity Alignment
- International Aspects, Impacts, and Alignment
- Supply Chain Risk Management
- Technical Privacy Standards
# Ways CSF Can Support RMF
Draft Use Cases
- Use case 1: Supporting SP 800-39 Frame activities with CSF Categories
- Use case 2: Supporting the RMF Categorize step with CSF Business Environment Materials
- Use case 3: Supporting the RMF Select step with a CSF Profile
- Use case 4: Supporting RMF Assess and SP 800-30 Assess with a CSF Profile
- Use case 5: Assessing the State of FISMA-Based Risk Management Practices
# Supporting the RMF Categorize Step
Use Case #2 for FISMA-Cybersecurity Framework Combined Use

Process overview, starting point of the Risk Management Framework:
- Architecture Description: Architecture Reference Models; Segment and Solution Architectures; Mission and Business Processes; Information System Boundaries
- Organizational Inputs: Laws, Directives, Policy Guidance; Strategic Goals and Objectives; Priorities and Resource Availability; Supply Chain Considerations

Risk Management Framework steps (repeat as necessary):
1. CATEGORIZE Information System (FIPS 199 / SP 800-60)
2. SELECT Security Controls (FIPS 200 / SP 800-53)
3. IMPLEMENT Security Controls (many SPs)
4. ASSESS Security Controls (SP 800-53A)
5. AUTHORIZE Information System (SP 800-37)
6. MONITOR Security Controls (SP 800-137 / SP 800-53A)

The slide then overlays two Cybersecurity Framework elements on this starting point:
- Profile: A sector, subsector, or organization’s customization of the Core for their purposes. Aligns, identifies conflicts in organizational inputs, and prioritizes cyber objectives commensurate with mission objectives.
- Category Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions. The slide highlights Mission and Business Processes within the Architecture Description as the input this category feeds.
# Tailoring SP 800-53 Security Controls
Use Case #3 for Risk Management Framework & Cybersecurity Framework

CSF Core → customize → CSF Profile

Tailoring Guidance:
* Identifying and Designating Common Controls
* Applying Scoping Considerations
* Selecting Compensating Controls
* Assigning Security Control Parameter Values
* Supplementing Baseline Security Controls
* Providing Additional Specification Information for Implementation

Initial Security Control Baseline (Low, Mod, High), before tailoring → tailoring and creating overlays, informed by the Assessment of Organizational Risk → Tailored Security Control Baseline (Low, Mod, High), after tailoring.

Document Security Control Decisions: Rationale that the agreed-upon set of security controls for the information system provide adequate protection of organizational operations and assets, individuals, other organizations, and the Nation.
# Industry Dialog
- Will it soon be time for a Framework update?
- What governance models do you believe will work for future Framework maintenance and evolution?

If you have an opinion on these questions (and more), consider responding to our Request for Information: https://www.federalregister.gov/articles/2015/12/11/2015-31217/views-on-the-framework-for-improving-critical-infrastructure-cybersecurity
Responses due by 9 February at 5PM ET
# Resources
Where to Learn More and Stay Current
- The National Institute of Standards and Technology Web site is available at http://www.nist.gov
- NIST Computer Security Division Computer Security Resource Center is available at http://csrc.nist.gov/
- The Framework for Improving Critical Infrastructure Cybersecurity and related news and information are available at www.nist.gov/cyberframework
- For additional Framework info and help: cyberframework@nist.gov
NATIONAL SECURITY ARCHIVE
National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C., 20037, Phone: 202/994-7000, Fax: 202/994-7005, nsarchiv@gwu.edu