Using the Cybersecurity Framework


Protecting the cybersecurity of our critical infrastructure is a top priority for the Nation. In February 2013, Executive Order (EO) 13636: Improving Critical Infrastructure Cybersecurity charged the National Institute of Standards and Technology (NIST) to create a framework for reducing risk to critical infrastructure, and the Department of Homeland Security (DHS) to help critical infrastructure use and understand the framework. One year later, NIST released the Cybersecurity Framework to help critical infrastructure sectors and organizations reduce and manage their cyber risk regardless of size or cybersecurity sophistication. DHS then launched an innovative public-private partnership to help align critical infrastructure owners and operators with existing resources to assist in using the Framework to manage their cyber risks.

The Framework can be used to:

  • Align cybersecurity decisions to mission objectives;
  • Organize security requirements originating from legislation, regulation, policy, and industry best practices;
  • Communicate cybersecurity requirements with stakeholders, including partners and suppliers;
  • Integrate privacy and civil liberties risk management into cybersecurity activities;
  • Measure current state and express desired state;
  • Prioritize cybersecurity resources and activities; and
  • Analyze trade-offs between expenditure and risk.

The Framework is a living document and will continue to be updated and improved as industry provides feedback on implementation. As the Framework is put into practice, future versions will integrate these lessons learned. This will ensure the Framework is meeting the needs of critical infrastructure owners and operators in a dynamic and challenging environment of new threats, risks, and solutions.

Drivers for Critical Infrastructure Cyber Resilience

The public and private sectors have a shared interest in ensuring the viability of critical infrastructure, and the provision of essential services, under all conditions. EO 13636 also directs the Departments of Homeland Security, Commerce, and Treasury to provide recommendations to the President on cybersecurity incentives to reinforce use of the Framework.

Effective incentives can help the private sector justify the costs of improved cybersecurity by balancing the short-term costs of additional investment with near-term benefits. DHS recognizes the importance of market-based incentives in promoting change in business practices.

DHS serves as the lead Federal Government interface for public discussion on cybersecurity incentives, and leads the outreach and partnership with the critical infrastructure community for the Administration's effort to conduct further analysis on incentives. Engagement with industry and the critical infrastructure community is critical and will inform the process.

Learn more about DHS's role in implementing EO 13636 and Presidential Policy Directive (PPD)-21.

Read the White House blog about incentives to support adoption of the Framework.

Read the DHS Incentives Report, which analyzes potential economic incentives that could be used to promote use of the Framework.

Read the Department of Commerce’s Incentive Recommendations.

Read the Department of Treasury’s Report on Cybersecurity Initiatives.

Last Updated Date: August 28, 2020
