Using the Cybersecurity Framework

Protecting the cybersecurity of our critical infrastructure is a top priority for the Nation. In February 2013, President Obama signed Executive Order (EO) 13636: Improving Critical Infrastructure Cybersecurity. One of the major components of the EO is the development of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (the Framework) to help critical infrastructure sectors and organizations reduce and manage their cyber risk regardless of size or cybersecurity sophistication. An additional component of the EO was the creation of the Critical Infrastructure Cyber Community (C³, pronounced “C-Cubed”) Voluntary Program, an innovative public-private partnership led by DHS that helps align critical infrastructure owners and operators with existing resources to assist in using the Framework to manage their cyber risks.

The Framework can be used to align cybersecurity decisions to mission objectives; organize security requirements originating from legislation, regulation, policy, and industry best practice; communicate cybersecurity requirements with stakeholders, including partners and suppliers; integrate privacy and civil liberties risk management into cybersecurity activities; measure current state and express desired state; prioritize cybersecurity resources and activities; and analyze trade-offs between expenditure and risk.

The Framework is a living document and will continue to be updated and improved as industry provides feedback on implementation. As the Framework is put into practice, lessons learned will be integrated into future versions. This will ensure it is meeting the needs of critical infrastructure owners and operators in a dynamic and challenging environment of new threats, risks, and solutions.

Drivers for Critical Infrastructure Cyber Resilience

The public and private sectors have a shared interest in ensuring the viability of critical infrastructure, and the provision of essential services, under all conditions. Executive Order (EO) 13636, signed February 2013, directs the Departments of Homeland Security, Commerce, and Treasury to provide recommendations to the President on cybersecurity incentives to reinforce use of the NIST Cybersecurity Framework and participation in the C³ Voluntary Program.

Effective incentives can help the private sector justify the costs of improved cybersecurity by balancing the short-term costs of additional investment with similarly near-term benefits. DHS recognizes the importance of market-based incentives in promoting change in business practices.

To support participation in the C³ Voluntary Program and reinforce the NIST Cybersecurity Framework, DHS will provide technical assistance; programs and resources are accessible through the C³ Voluntary Program US-CERT Gateway.

DHS will continue to serve as the lead Federal Government interface for public discussion on incentives, and it leads the outreach and partnership with the critical infrastructure community for the Administration's effort to conduct further analysis on incentives. Engagement with industry and the critical infrastructure community is critical and will inform the process.

Although some of the potential incentive areas identified may be linked to the C³ Voluntary Program, such as technical assistance, others may not be directly linked or are beyond the scope of the C³ Voluntary Program.

Learn more about DHS's role in implementing Executive Order (EO) 13636 and Presidential Policy Directive (PPD)-21.

Read the White House blog about incentives by Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator.

Read the DHS Incentives Report, which analyzes potential economic incentives that could be used to promote use of the Cybersecurity Framework.

Read the Department of Commerce’s Incentive Recommendations.

Read the Department of Treasury’s Report on Cybersecurity Initiatives.

Access program resources at the C³ Voluntary Program US-CERT Gateway.

Last Updated Date: August 22, 2018
