Where did the NIST Cybersecurity Framework come from?
Created after President Obama signed Executive Order 13636 in February 2013 ("Improving Critical Infrastructure Cybersecurity"). NIST was tasked with producing a voluntary framework to protect critical infrastructure (energy, finance, water, transport).
* From the 2013 executive order to CSF 2.0: each release widens scope, and v2.0 adds the Govern function. *
Timeline:
- 2013-02 — Executive Order 13636 signed.
- 2014 — CSF v1.0 published.
- 2018 — CSF v1.1 (minor update).
- 2024 — CSF v2.0 released, adding the Govern function and broadening scope from critical-infrastructure to all organisations.
The original brief was: define principles and Schlüsselmassnahmen (controls) that government and private operators can use to protect kritische Infrastrukturen. The voluntary nature is intentional — Congress didn't want to mandate, but federal procurement contracts now often require CSF alignment.
Tip: CSF was deliberately written to be vendor-neutral, risk-based, and scalable — a tiny company can apply it conceptually, and so can a Fortune 500. That generality is also its weakness: you can't be "CSF compliant" because there's nothing concrete to comply with.
Go deeper:
Executive Order 13636 — Improving Critical Infrastructure Cybersecurity (Feb 2013) — the source order; section 7 literally tasks NIST with leading the framework.
The NIST Cybersecurity Framework (CSF) 2.0 — CSWP 29 — the 2024 v2.0 publication that added Govern and widened scope to all organisations.
NIST Cybersecurity Framework (Wikipedia) — timeline overview from 2014 v1.0 through v1.1 (2018) to v2.0 (2024).