Baldrige Supports Cybersecurity
The Commerce Department’s National Institute of Standards and Technology (NIST) is releasing the Baldrige Cybersecurity Excellence Builder, Version 1.0, a self-assessment tool to help organizations better understand the effectiveness of their cybersecurity risk management efforts and identify improvement opportunities in the context of their overall organizational performance. This self-assessment tool blends organizational assessment approaches from the Baldrige Performance Excellence Program (BPEP) with the concepts and principles of the Cybersecurity Framework developed by NIST’s Applied Cybersecurity Division (ACD).
The Baldrige Program teamed up with NIST's Applied Cybersecurity Division, which is responsible for the NIST Cybersecurity Framework, to develop a self-assessment tool integrating Baldrige concepts and the Cybersecurity Framework. Using a phased approach and input from numerous industry sources, work began with the development of assessment criteria aligned closely with the Cybersecurity Framework. The criteria enable organizations to better understand the effectiveness of their cybersecurity efforts and identify opportunities for improvement based on the organization's cybersecurity goals and objectives. Phase I was successful.
In Phase II, the Baldrige cybersecurity efforts could proceed to voluntary assessments by independent experts, sharing of best practices, and voluntary recognition for exceptional performance.
The details of this phase are yet to be determined and funding will be one important consideration. The Baldrige Performance Excellence Program is funded through user fees and by the Foundation for the Malcolm Baldrige National Quality Award.
What is the Baldrige Cybersecurity Excellence Builder?
The Baldrige Cybersecurity Excellence Builder is a voluntary self-assessment tool that enables organizations to better understand and improve the effectiveness of their cybersecurity risk management efforts. It helps leaders of organizations to identify opportunities for improvement based on their cybersecurity risks, needs, and objectives, as well as their larger organizational environment, relationships, and outcomes.
Does the Baldrige Cybersecurity Excellence Builder prescribe cybersecurity best practices or standards?
No. Use of the Baldrige Cybersecurity Excellence Builder is completely voluntary. Like the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) and the Baldrige Excellence Framework, it is not a one-size-fits-all approach. It is adaptable and scalable to an organization’s needs, goals, capabilities, and environment. It does not prescribe how an organization should structure its cybersecurity policies and operations.
What is the relationship between the Baldrige Cybersecurity Excellence Builder and the Framework for Improving Critical Infrastructure Cybersecurity?
The Baldrige Cybersecurity Excellence Builder blends the systems perspective and business practices of the Baldrige Excellence Framework with the concepts of the Cybersecurity Framework. More specifically, the Cybersecurity Framework aligns organizational objectives, strategy, and policy landscapes into a cohesive cybersecurity program that easily integrates with organizational enterprise risk governance. These Cybersecurity Framework objectives are significantly advanced by the addition of the time-tested and trusted systems perspective and business practices of the Baldrige Excellence Framework. The builder responds to requests from many organizations to provide a way for them to measure how effectively they are managing cybersecurity risk.
Must my organization use the Cybersecurity Framework to benefit from the self-assessment in the Baldrige Cybersecurity Excellence Builder?
No. While the principles and concepts of the Cybersecurity Framework are used in the Cybersecurity Excellence Builder, organizations with defined cybersecurity practices will be able to assess their maturity level, regardless of the basis of those practices.
Why should my organization use the Baldrige Cybersecurity Excellence Builder?
Using this self-assessment, your organization can
- determine cybersecurity-related activities that are important to your business strategy and critical service delivery;
- prioritize your investments in managing cybersecurity risk;
- determine how best to enable your workforce, customers, suppliers, partners, and collaborators to be risk conscious and security aware, and to fulfill their cybersecurity roles and responsibilities;
- assess the effectiveness and efficiency of your use of cybersecurity standards, guidelines, and practices;
- assess the cybersecurity results you achieve; and
- identify priorities for improvement.
Who in my organization should use the Baldrige Cybersecurity Excellence Builder?
The Baldrige Cybersecurity Excellence Builder is intended for use by the people in your organization who are concerned with and responsible for mission-driven, cybersecurity-related policy and operations. These people include board and executive management, chief security officers, chief information officers, and risk management personnel, among others.
How can my organization use the Baldrige Cybersecurity Excellence Builder?
Start by completing the Organizational Context. This section asks you to define the organizational environment that informs your cybersecurity risk management program. Discussing the answers to the Organizational Context questions might be your organization’s first self-assessment.
For a comprehensive self-assessment, your organization might follow these steps:
- Complete the Organizational Context.
- Answer the process questions in categories 1-6.
- Answer the results questions in category 7.
- Apply the assessment rubric to your responses.
- Prioritize your actions.
- Develop an action plan and implement it.
- Measure and evaluate your progress.
How do the Baldrige Excellence Framework and its Criteria for Performance Excellence currently address cybersecurity?
The Baldrige Criteria for Performance Excellence reflect the leading edge of validated leadership performance practice in all critical aspects of an organization. In the Criteria, cybersecurity is included within the requirements in item 6.2, Operational Effectiveness.
Does NIST plan a Baldrige-based recognition award program for cybersecurity?
Any future Baldrige-related cybersecurity activities will depend upon users’ experience with and feedback about the builder.