WASHINGTON, D.C.ā TheĀ U.S. Commerce DepartmentĀ National Institute of Standards and TechnologyĀ (NIST) just released the draftĀ Baldrige Cybersecurity Excellence Builder, a self-assessment tool to help organizations better understand the effectiveness of their cybersecurity risk management efforts.
NIST is requesting public comments on the draft document, which blends the best of two globally recognized and widely used NIST resources: the organizational performance evaluation strategies from theĀ Baldrige Performance Excellence ProgramĀ and the risk management mechanisms of theĀ Cybersecurity Framework.
Deputy Secretary of Commerce Bruce Andrews announced the release of the draft document today during his remarks at theĀ Internet Security Allianceās 15th Anniversary Conference in Washington, D.C.
āThe Baldrige Cybersecurity Excellence Builder answers a call from many organizations to provide a way for them to measure how effectively they are using the Cybersecurity Framework,ā Andrews said. āThe Builder will strengthen the already powerful Cybersecurity Framework so that organizations can better manage their cybersecurity risks.ā
Using the Builder, organizations of all sizes and types can:
- determine cybersecurity-related activities that are important to business strategy and the delivery of critical services;
- prioritize investments in managing cybersecurity risk;Ā
- assess the effectiveness and efficiency of using cybersecurity standards, guidelines, and practices;Ā
- assess their cybersecurity results; and
- identify priorities for improvement.
The Cybersecurity Framework, released in February 2014, was developed by NIST through a collaborative process involving industry, academia and government agencies. NIST was directed by an executive orderĀ to create the framework specifically for managing cybersecurity risks related to critical infrastructure, but a broad array of public and private sector organizations now use it. The framework provides a risk-based approach to cybersecurity through five core functionsāidentify, protect, detect, respond and recovery.Ā
According to a report by the information technology research company Gartner, the framework is currentlyĀ used by 30 percent of U.S. organizations, a number expected to rise to 50 percent by 2020.
The Baldrige Performance Excellence Program, through itsĀ Baldrige Excellence Framework, has helped thousands or organizations worldwide guide their operations, improve performance and get sustainable results for nearly 30 years. It encourages a proven systems thinking approach to achieving organization-wide excellence, driving process improvement and performance management into all key aspects of the organization.Ā
A 2011 economicĀ reportĀ estimated the benefit-to-cost ratio of the Baldrige Program to the U.S. economy at 820 to 1.Ā
The Cybersecurity Framework gives order and structure to todayās multiple approaches for cybersecurity management by assembling standards, guidelines, and practices that are working effectively in many organizations. Applying Baldrige principles enables organizations to maximize the frameworkās value and manage all areas affected by cybersecurity as a unified whole.Ā
Ā Like the Cybersecurity Framework, the Baldrige Cybersecurity Excellence Builder is not a āone-size-fits-allā tool for dealing with cybersecurity risks. It is adaptable to meet an organizationās specific needs, goals, capabilities, and environments.
The Builder guides users through a process that details their organizationās distinctive characteristics and strategic situations related to cybersecurity. Then, a series of questions helps define the organizationās current approaches to cybersecurity in the areas of leadership, strategy, customers, workforce, and operations, as well as the results achieved with them.Ā
Finally, an assessment rubric lets users determine their organizationās cybersecurity maturity levelāclassified as āreactive,ā āearly,ā āmature,ā or ārole model.ā The completed evaluation can then lead to an action plan to upgrade cybersecurity practices and management, implement those improvements, and measure the progress and effectiveness of the process. Designed to be a key part of an organizationās continuous improvement efforts, the Builder should be used periodically to maintain the highest possible level of cybersecurity readiness.Ā
The draft Baldrige Cybersecurity Excellence Builder was developed through a collaboration between NIST and theĀ Office of Management and BudgetāsĀ Office of Electronic Government and Information Technology, with input from private sector representatives.
Public comments on the draft will be accepted until Thursday, Dec. 15, 2016, via e-mail to[email protected](link sends e-mail).
As a non-regulatory agency of theĀ Commerce Department, NIST promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. For more information, visitwww.nist.gov.
