Framework for Improving Critical Infrastructure Cybersecurity



To better address these risks, the Cybersecurity Enhancement Act of 2014 (CEA) updated the role of the National Institute of Standards and Technology (NIST) to include identifying and developing cybersecurity risk frameworks for voluntary use by critical infrastructure owners and operators.


Critical infrastructure is defined in the U.S. Patriot Act of 2001 as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”


The Framework provides a common language for understanding, managing, and expressing cybersecurity risk to internal and external stakeholders.

The Framework complements, and does not replace, an organization’s risk management process and cybersecurity program.

Framework Components

The Framework is a risk-based approach to managing cybersecurity risk, and is composed of three parts:
  • the Framework Core,
  • the Framework Implementation Tiers, and
  • the Framework Profiles.

The Framework Core provides a set of activities to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes.

The Framework Implementation Tiers (“Tiers”) provide context on how an organization views cybersecurity risk and the processes in place to manage that risk.

The Framework Profile (“Profile”) is the alignment of the Functions, Categories, and Subcategories with the business requirements, risk tolerance, and resources of the organization.