The National Institute of Standards and Technology (NIST) has released a draft of the Baldrige Cybersecurity Excellence Builder, a self-assessment tool to help organizations understand the effectiveness of their cybersecurity risk management efforts.
NIST is requesting public comments on the draft, which combines two globally recognized NIST resources: the organizational performance evaluation strategies of the Baldrige Performance Excellence Program and the risk management mechanisms of the Cybersecurity Framework.
Deputy Secretary of Commerce Bruce Andrews announced the release of the draft during his remarks at the Internet Security Alliance’s 15th Anniversary Conference in Washington, D.C., in September.
“The Baldrige Cybersecurity Excellence Builder answers a call from many organizations to provide a way for them to measure how effectively they are using the Cybersecurity Framework,” Andrews said. “The builder will strengthen the already powerful Cybersecurity Framework so that organizations can better manage their cybersecurity risks.”
Using the builder, organizations of all types and sizes can:
- Determine cybersecurity-related activities that are important to business strategy and the delivery of critical services
- Prioritize investments in managing cybersecurity risk
- Assess the effectiveness and efficiency of using cybersecurity standards, guidelines, and practices
- Assess their cybersecurity results
- Identify priorities for improvement
The Cybersecurity Framework provides a risk-based approach to cybersecurity through five core functions: identify, protect, detect, respond, and recover. The framework gives order and structure to today’s multiple approaches to cybersecurity management by assembling standards, guidelines, and practices that are working effectively in many organizations. Applying Baldrige principles enables organizations to maximize the framework’s value and to manage all areas affected by cybersecurity as a unified whole.
Like the Cybersecurity Framework, the Baldrige Cybersecurity Excellence Builder is not a “one-size-fits-all” tool for dealing with cybersecurity risks; it is adaptable to an organization’s specific needs, goals, capabilities, and environment.
The builder guides users through a process that details their organization’s distinctive characteristics and strategic situations related to cybersecurity. A series of questions helps to define current approaches to cybersecurity in areas of leadership, strategy, customers, workforce, and operations, as well as the results achieved with them.
An assessment rubric also allows users to determine their organization’s cybersecurity maturity level—classified as “reactive,” “early,” “mature,” or “role model.” The completed evaluation can lead to an action plan to upgrade cybersecurity practices and management, implement those improvements, and measure the progress and effectiveness of the process. Designed to be a key part of an organization’s continuous improvement efforts, the builder should be used periodically to maintain a high level of cybersecurity readiness.
The draft Baldrige Cybersecurity Excellence Builder was developed through a collaboration between NIST and the Office of Management and Budget’s Office of Electronic Government and Information Technology, with input from private sector representatives.
Public comments on the draft will be accepted until December 15, and can be submitted via email at baldrigecybersecurity@nist.gov.