From the Introduction: "The National Institute of Standards and Technology (NIST) released the voluntary 'Framework for Improving Critical Infrastructure Cybersecurity' (NIST, 2014; hereafter called the 'Framework') in February 2014 to provide a common language organizations can use to assess and manage cybersecurity risk. Developed in response to Executive Order (EO) 13636 'Improving Critical Infrastructure Cybersecurity' of February 2013, the Framework recommends risk management processes that enable organizations to inform and prioritize decisions regarding cybersecurity based on business needs, without additional regulatory requirements. It enables organizations - regardless of sector, size, degree of cybersecurity risk, or cybersecurity sophistication - to apply the principles and effective practices of risk management to improve the security and resilience of critical infrastructure. The Framework is designed to complement, and not replace or limit, an organization's risk management process and cybersecurity program. Each sector and individual organization can use the Framework in a tailored manner to address its cybersecurity objectives. Energy sector organizations have a strong track record of working together to develop cybersecurity standards, tools, and processes that ensure uninterrupted service. The U.S. Department of Energy (DOE), as the Energy Sector-Specific Agency, worked with the Electricity Subsector and Oil & Natural Gas Subsector Coordinating Councils along with other Sector-Specific Agencies to develop this Framework Implementation Guidance specifically for energy sector owners and operators. It is tailored to the energy sector's risk environment and existing cybersecurity and risk management tools and processes that organizations can use to implement the Framework."
Department of Energy: http://energy.gov/