LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

Where did the NIST Cybersecurity Framework come from?

Created after President Obama signed Executive Order 13636 in February 2013 ("Improving Critical Infrastructure Cybersecurity"). NIST was tasked with producing a voluntary framework to protect critical infrastructure (energy, finance, water, transport).

Timeline from 2013 Executive Order 13636 to CSF v1.0 (2014), v1.1 (2018) and v2.0 (2024) adding Govern

* From the 2013 executive order to CSF 2.0: each release widens scope, and v2.0 adds the Govern function. *

Timeline:

  • 2013-02 — Executive Order 13636 signed.
  • 2014CSF v1.0 published.
  • 2018 — CSF v1.1 (minor update).
  • 2024CSF v2.0 released, adding the Govern function and broadening scope from critical-infrastructure to all organisations.

The original brief was: define principles and Schlüsselmassnahmen (controls) that government and private operators can use to protect kritische Infrastrukturen. The voluntary nature is intentional — Congress didn't want to mandate, but federal procurement contracts now often require CSF alignment.

Tip: CSF was deliberately written to be vendor-neutral, risk-based, and scalable — a tiny company can apply it conceptually, and so can a Fortune 500. That generality is also its weakness: you can't be "CSF compliant" because there's nothing concrete to comply with.

Go deeper:

From Quiz: ISF / ISMS & Security Standards (ISO 27k, NIST, BSI) | Updated: Jul 05, 2026