
NIST Releases Final Framework for Improving Critical Infrastructure Cybersecurity

The National Institute of Standards and Technology (NIST) released the initial version of its Framework for Improving Critical Infrastructure Cybersecurity on Wednesday, February 12. The Framework provides owners of critical infrastructure and others with voluntary guidance on how to best protect information and assets from cyber attacks. The final Framework closely follows the Preliminary Framework NIST released in November 2013.

Broken down into three main elements—Core, Tiers, and Profiles—the Framework sets forth the best practices commonly used throughout the critical infrastructure industries and sectors. The Core is broken down into five functions: identify, protect, detect, respond, and recover. Used together, these functions are designed to help organizations understand and mold their cybersecurity program into a more functional and efficient system. The Tiers allow organizations to analyze the degree to which their system meets goals set forth in the Framework. The Profiles help organizations reach a higher level of cybersecurity sophistication.

As previously reported, the Framework was created in response to Executive Order 13636: Improving Critical Infrastructure Cybersecurity, mandated in February 2013, in which the President called for NIST to develop a “set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks” to critical infrastructure. The Department of Homeland Security has identified sixteen different industry sectors as part of critical infrastructure, including defense, communications, food and agriculture, healthcare and, of course, information technology.

The Framework is labeled Version 1.0, and the Agency acknowledges that it must be dynamic to match the constantly evolving technology and demands of cybersecurity. Accordingly, NIST also released the NIST Roadmap for Improving Critical Infrastructure Cybersecurity, which provides the future path for updating and improving the Framework. As it develops new versions of the Framework, NIST hopes to remain at the center of the collaboration between industry and government agencies to help owners of critical infrastructure understand, implement, and improve the Framework.

As mentioned earlier, the Framework is entirely voluntary. The Departments of Homeland Security, Commerce, and Treasury are currently reviewing ways to create incentives that will encourage organizations to implement the guidance.

EDUCAUSE has been following the development of the framework since the Executive Order was issued (see our earlier blog posts here, here, and here) and submitted comments in response to NIST’s request for information. While EDUCAUSE will continue to follow this issue and keep you posted on developments, campus cybersecurity professionals are encouraged to work with their general counsel’s office to assess what the framework may mean for the institution’s cybersecurity practices and responsibilities.

