April 16, 2018 Cybersecurity Framework Version 1.1
This publication is available free of charge from: https://doi.org/10.6028/NIST.CSWP.04162018
1.0 Framework Introduction
The United States depends on the reliable functioning of its critical infrastructure. Cybersecurity
threats exploit the increased complexity and connectivity of critical infrastructure systems,
placing the Nation’s security, economy, and public safety and health at risk. Similar to financial
and reputational risks, cybersecurity risk affects a company’s bottom line. It can drive up costs
and affect revenue. It can harm an organization’s ability to innovate and to gain and maintain
customers. Cybersecurity can be an important and amplifying component of an organization’s
overall risk management.
To strengthen the resilience of this infrastructure, the Cybersecurity Enhancement Act of 2014
(CEA) updated the role of the National Institute of Standards and Technology (NIST) to
“facilitate and support the development of” cybersecurity risk frameworks. Through CEA, NIST
must identify “a prioritized, flexible, repeatable, performance-based, and cost-effective approach,
including information security measures and controls that may be voluntarily adopted by owners
and operators of critical infrastructure to help them identify, assess, and manage cyber risks.”[1]
This formalized NIST’s previous work developing Framework Version 1.0 under Executive
Order 13636, “Improving Critical Infrastructure Cybersecurity,” issued in February 2013,[2] and
provided guidance for future Framework evolution.
Critical infrastructure[3] is defined in the U.S. Patriot Act of 2001[4] as “systems and assets, whether
physical or virtual, so vital to the United States that the incapacity or destruction of such systems
and assets would have a debilitating impact on security, national economic security, national
public health or safety, or any combination of those matters.” Due to the increasing pressures
from external and internal threats, organizations responsible for critical infrastructure need to
have a consistent and iterative approach to identifying, assessing, and managing cybersecurity
risk. This approach is necessary regardless of an organization’s size, threat exposure, or
cybersecurity sophistication today.
The critical infrastructure community includes public and private owners and operators, and
other entities with a role in securing the Nation’s infrastructure. Members of each critical
infrastructure sector perform functions that are supported by the broad category of technology,
including information technology (IT), industrial control systems (ICS), cyber-physical systems
(CPS), and connected devices more generally, including the Internet of Things (IoT). This
reliance on technology, communication, and interconnectivity has changed and expanded the
potential vulnerabilities and increased potential risk to operations. For example, as technology
and the data it produces and processes are increasingly used to deliver critical services and
support business/mission decisions, the potential impacts of a cybersecurity incident on an
[1] See 15 U.S.C. § 272(e)(1)(A)(i). The Cybersecurity Enhancement Act of 2014 (S.1353) became Public Law 113-274 on December 18, 2014 and may be found at: https://www.congress.gov/bill/113th-congress/senate-bill/1353/text
[2] Executive Order No. 13636, Improving Critical Infrastructure Cybersecurity, DCPD-201300091, February 12, 2013. https://www.gpo.gov/fdsys/pkg/CFR-2014-title3-vol1/pdf/CFR-2014-title3-vol1-eo13636.pdf
[3] The Department of Homeland Security (DHS) Critical Infrastructure program provides a listing of the sectors and their associated critical functions and value chains. http://www.dhs.gov/critical-infrastructure-sectors
[4] See 42 U.S.C. § 5195c(e). The U.S. Patriot Act of 2001 (H.R.3162) became Public Law 107-56 on October 26, 2001 and may be found at: https://www.congress.gov/bill/107th-congress/house-bill/3162