In February 2013, President Obama signed an executive order requiring, among other things, the Secretary of Commerce to direct the National Institute of Standards and Technology (NIST) to develop “a framework to reduce cyber risks to critical infrastructure.” The voluntary framework was to include standards and methodologies to help manage cyber risks.
NIST released its Framework for Improving Critical Infrastructure Cybersecurity in February 2014. The framework “provides a common language to address and manage cyber risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses.” NIST intends the framework to be a “living document” that can adapt in response to changes in cyber threats and evolve as institutions gain experience in its use.
“The framework provides a consensus description of what’s needed for a comprehensive cybersecurity program,” said Under Secretary of Commerce for Standards and Technology and NIST Director Patrick D. Gallagher. “It reflects the efforts of a broad range of industries that see the value of and need for improving cybersecurity and lowering risk. It will help companies prove to themselves and their stakeholders that good cybersecurity is good business.”