"This had to be a product of industry," Gallagher said on a conference call with reporters.
The framework divides its recommendations into five categories: helping companies to identify, protect against, detect, respond to and recover from cyber attacks.
The document urges companies to provide proper training to their employees, protect against data leaks, control access to systems and manage backed-up information, among other steps.
The framework includes a lengthy appendix devoted to protecting privacy and civil liberties—an emphasis of the executive order. Companies are urged to minimize the use and disclosure of personal information of their employees and customers.
President Obama issued the executive order after Congress failed to pass his preferred cybersecurity bill last year.
Republicans argued that his approach would have imposed burdensome regulations on critical infrastructure companies, but Democrats worry that without mandatory regulations—or at least strong incentives—vital computer systems will be vulnerable to attack.
They worry that hackers could disrupt a bank, shut down a power grid or cause trains to collide.
Gallagher acknowledged Tuesday that NIST has no power to force companies to comply with the cybersecurity standards. But he argued that in many cases, it will be in a company's interest to follow the guidelines.
"We believe cybersecurity is good business, and we hope that this new framework will be a flexible tool that companies will voluntarily use because it both improves their cybersecurity and improves their bottom line," Gallagher said.
He said Congress has a "role to play," but that the framework can still be useful even without congressional action.