In February 2013, President Obama issued Executive Order 13636—Improving Critical Infrastructure Cybersecurity, which calls for the National Institute of Standards and Technology (NIST) to develop a Cybersecurity Framework that critical infrastructure owners and operators can adopt on a voluntary basis, in a manner that is "prioritized, flexible, repeatable, performance-based, and cost-effective." In response, after taking public comment for several months, NIST issued a preliminary Cybersecurity Framework last fall outlining the steps that critical infrastructure owners and operators can take to measure and evaluate their progress towards identifying and mitigating cybersecurity risks. The preliminary Framework provides the structure for a fairly high-level risk assessment and categorization process that can be adopted across a variety of different critical infrastructure categories. It is also intended to provide a "high-level, strategic view of an organization’s management of cybersecurity risk," which an organization can then use to profile its cybersecurity footprint against industry standards and best practices.

In the Executive Order, the Department of Homeland Security (DHS) was tasked with establishing a voluntary program to support adoption of the Framework, including the establishment of an incentives program to promote participation. Federal agencies responsible for critical infrastructure sectors, including EPA, will work with sector coordinating councils to further review the Framework and develop implementation guidance as necessary. In addition, each agency is responsible for evaluating its existing authorities for establishing regulatory (i.e., non-voluntary) requirements reflecting the final Framework’s requirements.

NIST is scheduled to release the final Cybersecurity Framework, which is not expected to vary significantly from the preliminary version, in February 2014. Additional information on NIST’s cybersecurity efforts, including links to Executive Order 13636, the preliminary Cybersecurity Framework, and all supporting documentation, can be found on NIST’s Cybersecurity Framework webpage.