/ Projects / About the Critical Infrastructure Cyber Community C³ Voluntary Program

About the Critical Infrastructure Cyber Community C³ Voluntary Program

Matt Ball on February 16, 2014 - in Projects, Security

The United States depends on critical infrastructure every day to provide energy, water, transportation, financial services, and other capabilities that support our needs and way of life. Over the years, improvements in technology have allowed these capabilities to evolve and run more efficiently.

With this increased reliance on cyber-dependent systems, come increased threats and vulnerabilities. Protecting the cybersecurity of our critical infrastructure is a top priority for the nation, and in February 2013 the President signed Executive Order (EO) 13636: Improving Critical Infrastructure Cybersecurity and released Presidential Policy Directive (PPD)-21: Critical Infrastructure Security and Resilience, which aims to increase the overall resilience of U.S. critical infrastructure. One of the major components of the EO is the development of the Cybersecurity Framework (the Framework) by the National Institute of Standards and Technology (NIST) to help critical infrastructure sectors and organizations reduce and manage their cyber risk.

Because cybersecurity and physical security are increasingly interconnected, the Department of Homeland Security (DHS) is partnering with the critical infrastructure community to establish a voluntary program to encourage use of the Framework to strengthen critical infrastructure cybersecurity. The Critical Infrastructure Cyber Community C³ (pronounced “C Cubed”) Voluntary Program is the coordination point within the Federal Government for critical infrastructure owners and operators interested in improving their cyber risk management processes. The C³ Voluntary Program aims to: 1) support industry in increasing its cyber resilience; 2) increase awareness and use of the Framework; and 3) encourage organizations to manage cybersecurity as part of an all hazards approach to enterprise risk management.

The C³ Voluntary Program’s launch in February 2014 coincides with the release of the final Framework. The C³ Voluntary Program’s focus during the first year will be engagement with Sector-Specific Agencies (SSAs) and organizations using the Framework to develop guidance on how to implement the Framework. Later phases of the C³ Voluntary Program will broaden the program’s reach to all critical infrastructure and businesses of all sizes that are interested in using the Framework.

C³ Voluntary Program Activities

The C³ Voluntary Program focuses on three major activities:

Supporting Use

The C³ Voluntary Program will assist stakeholders with understanding use of the Framework and other cyber risk management efforts, and support development of general and sector-specific guidance for Framework implementation. The C³ Voluntary Program will also work with the 16 critical infrastructure sectors to develop sector-specific guidance, as needed, for using the Framework.

Outreach and Communications

The C³ Voluntary Program will serve as a point of contact and customer relationship manager to assist organizations with Framework use, and guide interested organizations and sectors to DHS and other public and private sector resources to support use of the Cybersecurity Framework.


The C³ Voluntary Program encourages feedback from stakeholder organizations about their experience using C³ Voluntary Program resources to implement the Framework. The C³ Voluntary Program works with organizations to understand how they are using the Framework, and to receive feedback on how the Framework and the C³ Voluntary Program can be improved to better serve organizations. Feedback about the Framework will also be shared with NIST, to help guide the development of the next version of the Framework and similar efforts..

C³ Voluntary Program Engagement Channels

The C³ Voluntary Program and organizations can interact through the following engagement channels:

  • Regionally located DHS personnel from the Cyber Security Advisor (CSA) and Protective Security Advisor (PSA) programs. These personnel interact directly with organizations in their regions about cybersecurity and critical infrastructure protection.
  • The Critical Infrastructure Partnership Advisory Council (CIPAC) Framework, a partnership between government and critical infrastructure sector owners and operators that enables a broad spectrum of activities to support and coordinate on critical infrastructure protection.
  • Direct engagement between the C³ Voluntary Program and interested organizations. Organizations may access the C³ Voluntary Program website or contact the C³ Voluntary Program at [email protected].
  • Requests for Information (RFI), which create opportunities for the general public to provide input on cybersecurity solutions and policies.

Access program resources at the C3 Voluntary Program US-CERT Gateway.

Comments are disabled