On Feb. 12, 2014, following a year-long development process, the Commerce Department's National Institute of Standards and Technology (NIST) released a framework for improving critical infrastructure cybersecurity. Although aimed in particular at providers of energy, financial, health care, communications, and other critical systems and services, the framework provides a standard model, usable by organizations of any size and in any industry, for creating new cybersecurity programs and for evaluating and improving existing ones.
The framework has its genesis in Executive Order 13636, Improving Critical Infrastructure Cybersecurity. Issued by President Obama in February 2013, the order called for stakeholders in the private and public sectors to collaborate in the development of voluntary, industry-specific standards to help organizations improve the security of critical infrastructure and reduce the risks posed by cyber-attacks. In the year that followed, NIST sought input from individuals and organizations on how cyber-risk can be managed in a cost-effective manner without imposing an additional regulatory burden on businesses.