Baldrige Supports Cybersecurity
The Commerce Department’s National Institute of Standards and Technology (NIST) released today the draft Baldrige Cybersecurity Excellence Builder, a self-assessment tool to help organizations better understand the effectiveness of their cybersecurity risk management efforts.
Baldrige Cybersecurity Excellence Builder Feedback Submission - CLOSED
The period for providing feedback on the Baldrige Cybersecurity Excellence Builder (BCEB) has closed. We thank everyone who provided feedback and/or made inquiries regarding the BCEB. The input received is being reviewed and analyzed and the updated version of the BCEB will be released by the end of March 2017.
This collection of information contains Paperwork Reduction Act (PRA) requirements approved by the Office of Management and Budget (OMB). Notwithstanding any other provisions of the law, no person is required to respond to, nor shall any person be subject to a penalty for failure to comply with, a collection of information subject to the requirements of the PRA unless that collection of information displays a currently valid OMB control number. Public reporting burden for this collection is estimated to be 20 minutes per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed and completing and reviewing the collection of information. Send comments regarding this burden estimate or any aspect of this collection of information, including suggestions for reducing this burden, to the National Institute of Standards and Technology, Attn: Robert Fangmeyer.
OMB Control No. 0693-0033
Expiration Date: 06/30/2019
The Baldrige Program teamed up with NIST's Applied Cybersecurity Division, which is responsible for the NIST Cybersecurity Framework, to develop a self-assessment tool integrating Baldrige concepts and the Cybersecurity Framework. Using a phased approach and input from numerous industry sources, work began with the development of assessment criteria aligned closely with the Cybersecurity Framework. The criteria enable organizations to better understand the effectiveness of their cybersecurity efforts and to identify opportunities for improvement based on the organization's cybersecurity goals and objectives.
Interested users may download the Baldrige Cybersecurity Excellence Builder from this site. We encourage you to review the assessment tool and use it to evaluate your cybersecurity risk management system.
Depending on private sector response and enthusiasm about the Phase I results, the Baldrige cybersecurity efforts could then proceed to voluntary assessments by independent experts, sharing of best practices, and voluntary recognition for exceptional performance.
The details of this phase are yet to be determined and funding will be one important consideration. The Baldrige Performance Excellence Program is funded through user fees and by the Foundation for the Malcolm Baldrige National Quality Award.
What is the Baldrige Cybersecurity Excellence Builder?
The Baldrige Cybersecurity Excellence Builder is a voluntary self-assessment tool that enables organizations to better understand and improve the effectiveness of their cybersecurity risk management efforts. It helps leaders of organizations to identify opportunities for improvement based on their cybersecurity risks, needs, and objectives, as well as their larger organizational environment, relationships, and outcomes.
Does the Baldrige Cybersecurity Excellence Builder prescribe cybersecurity best practices or standards?
No. Use of the Baldrige Cybersecurity Excellence Builder is completely voluntary. Like the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) and the Baldrige Excellence Framework, it is not a one-size-fits-all approach. It is adaptable and scalable to an organization’s needs, goals, capabilities, and environment. It does not prescribe how an organization should structure its cybersecurity policies and operations.
What is the relationship between the Baldrige Cybersecurity Excellence Builder and the Framework for Improving Critical Infrastructure Cybersecurity?
The Baldrige Cybersecurity Excellence Builder blends the systems perspective and business practices of the Baldrige Excellence Framework with the concepts of the Cybersecurity Framework. More specifically, the Cybersecurity Framework aligns organizational objectives, strategy, and policy landscapes into a cohesive cybersecurity program that easily integrates with organizational enterprise risk governance. These Cybersecurity Framework objectives are significantly advanced by the addition of the time-tested and trusted systems perspective and business practices of the Baldrige Excellence Framework. The builder responds to requests from many organizations to provide a way for them to measure how effectively they are managing cybersecurity risk.
Must my organization use the Cybersecurity Framework to benefit from the self-assessment in the Baldrige Cybersecurity Excellence Builder?
No. While the principles and concepts of the Cybersecurity Framework are used in the Cybersecurity Excellence Builder, organizations with defined cybersecurity practices will be able to assess their maturity level, regardless of the basis of those practices.
Why should my organization use the Baldrige Cybersecurity Excellence Builder?
Using this self-assessment, your organization can
- determine cybersecurity-related activities that are important to your business strategy and critical service delivery;
- prioritize your investments in managing cybersecurity risk;
- determine how best to enable your workforce, customers, suppliers, partners, and collaborators to be risk conscious and security aware, and to fulfill their cybersecurity roles and responsibilities;
- assess the effectiveness and efficiency of your use of cybersecurity standards, guidelines, and practices;
- assess the cybersecurity results you achieve; and
- identify priorities for improvement.
Who in my organization should use the Baldrige Cybersecurity Excellence Builder?
The Baldrige Cybersecurity Excellence Builder is intended for use by the people in your organization who are concerned with and responsible for mission-driven, cybersecurity-related policy and operations. These people include board and executive management, chief security officers, chief information officers, and risk management personnel, among others.
How can my organization use the Baldrige Cybersecurity Excellence Builder?
Start by completing the Organizational Context. This section asks you to define the organizational environment that informs your cybersecurity risk management program. Discussing the answers to the Organizational Context questions might be your organization’s first self-assessment.
For a comprehensive self-assessment, your organization might follow these steps:
- Complete the Organizational Context.
- Answer the process questions in categories 1-6.
- Answer the results questions in category 7.
- Apply the assessment rubric to your responses.
- Prioritize your actions.
- Develop an action plan and implement it.
- Measure and evaluate your progress.
When will the final Version 1 of the Baldrige Cybersecurity Excellence Builder be available?
After public comments are received, considered, and incorporated, the draft of the builder will be revised, and a final version will be ready in March 2017. NIST expects to consider further updates after organizations use, gain experience with, and provide feedback about the builder. Future changes will also be aligned with any updates to the Cybersecurity Framework to ensure consistency.
How do the Baldrige Excellence Framework and its Criteria for Performance Excellence currently address cybersecurity?
The Baldrige Criteria for Performance Excellence reflect the leading edge of validated leadership performance practice in all critical aspects of an organization. In the Criteria, cybersecurity is included within the requirements in item 6.2, Operational Effectiveness.
Does NIST plan a Baldrige-based recognition award program for cybersecurity?
Any future Baldrige-related cybersecurity activities will depend upon users’ experience with and feedback about the builder.
BLOGRIGE: THE OFFICIAL BALDRIGE BLOG
Today, there is another threat to the long-term success and sustainability of nearly every organization in the United States: ensuring appropriate cybersecurity. In our increasingly connected, data-driven world, protecting data, information, and systems has become a basic necessity for organizations of all kinds and a critical national priority. Learn how the Baldrige Program and the Baldrige Excellence Framework are helping with this initiative.