Reducing Cyber Risk to Critical Infrastructure: NIST Framework

Office of Electricity

Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President under Executive Order (EO) 13636 “Improving Critical Infrastructure Cybersecurity” of February 2013 directed the National Institute of Standards and Technology (NIST) to work with stakeholders to develop a voluntary Framework for reducing cyber risks to critical infrastructure. The Framework aims to be flexible and repeatable, while helping asset owners and operators manage cybersecurity risk.

On January 8, 2015, the Office of Cybersecurity, Energy Security, and Emergency Response (CESER) released guidance to help the energy sector establish or align existing cybersecurity risk management programs to meet the objectives of the Cybersecurity Framework released by NIST in February 2014. The Energy Sector Cybersecurity Framework Implementation Guidance discusses in detail how the Cybersecurity Capability Maturity Model (C2M2), which helps organizations evaluate, prioritize, and improve their own cybersecurity capabilities, maps to the framework. The guidance also recognizes that there are a number of other risk management tools, processes, standards, and guidelines already widely used by energy sector organizations that align well with the Cybersecurity Framework. In developing this guidance, CESER collaborated with private sector stakeholders through the Electricity Subsector Coordinating Council and the Oil & Natural Gas Subsector Coordinating Council, and with other Sector Specific Agency representatives and interested government stakeholders.