Executive Order 13636 directed the National Institute of Standards and Technology (NIST) to develop a framework for improving critical infrastructure cyber-security. What are the advantages and limitations of a voluntary approach to protect private sector critical infrastructure?