Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.


The Official Baldrige Blog

Why Try the Baldrige Cybersecurity Excellence Builder?

Baldrige Cybersecurity Excellence Builder cover art

Which cybersecurity-related activities are most important to your business strategy and critical service delivery? How do you assess the effectiveness and efficiency of your use of cybersecurity standards, guidelines, and practices? To answer these questions and build excellence in your cybersecurity risk management system, consider a self-assessment with a new tool called the Baldrige Cybersecurity Excellence Builder.

Organizations of all types are becoming more vulnerable to cyber threats due to their increasing dependence on computers, networks, programs and applications, social media, and data. Security breaches can negatively impact organizations and their workforce, customers, and other stakeholders, with both financial and reputational damage potentially lasting many years. Balancing the conflicting demands of connectivity and accessibility with security, reliability, and confidentiality means that risk management and measuring the effectiveness of cybersecurity practices is critical.

And the situation is only going to get worse as the Internet of Things is becoming more critical for business owners to understand--and act on--than ever before. "The Internet of Things is the encapsulation of the next-generation technologies that will touch nearly all facets of our day-to-day lives," says Chester Kennedy, CEO of the International Consortium for Advanced Manufacturing Research. "The arrival of the sensor era is happening at a frenetic pace."1

The Baldrige Cybersecurity Excellence Builder tool enables organizations to better understand and improve the effectiveness of their cybersecurity risk management efforts in light of these new vulnerabilities. This voluntary self-assessment tool is based on the detailed Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework), managed by the National Institute of Standards and Technology (NIST) Information Technology Laboratory, Applied Cybersecurity Division, and the Baldrige Excellence Framework, developed by the Baldrige Performance Excellence Program.

What makes the Builder different from various other self-assessment tools? By combining concepts in the Cybersecurity Framework and the Baldrige Framework, the Builder

  • Focuses on how your management of cybersecurity risk affects and is affected by every part of your organization—your leaders and their actions, your strategy, your customers, and your workforce, as well as your cybersecurity operations. Thus, your organization is encouraged to develop integrated cyber-related approaches that are aligned with its needs in all these areas.
  • Focuses on (a) measuring the effectiveness and efficiency of your cybersecurity-related approaches in all areas of your organization and (b) evaluating the results they achieve. This helps you to recognize the cause-effect linkages between your approaches and your cybersecurity-related results.
  • Serves as a “door” to the comprehensive standards, guidelines, practices, and references in the Cybersecurity Framework, and helps you assess how effectively you are using it.
  • Is adaptable and scalable. It can be used whether your organization is small or large; is involved in service, manufacturing, government or nonprofit activities, health care, or education; or has one office or multiple sites across the globe. It is most valuable as a voluntary assessment of an entire organization’s cybersecurity risk management program, but it is also useful in assessing a subunit, multiple subunits, or parts of an organization.

The Builder includes an Organizational Context section and six interrelated process categories and a results category:

  • Leadership
  • Strategy
  • Customers
  • Measurement, Analysis, and Knowledge Management
  • Workforce
  • Operations
  • Results

By challenging yourself with the questions that make up the Builder, you explore how you are accomplishing what is important to your organization’s cybersecurity risk management system. Use the Builder to achieve the following:

  • Improve communication. The Builder can help by creating a common language for assessment and improvement of your cybersecurity risk management system.
  • Conduct an initial assessment by answering the questions in the Organizational Context section. If you identify topics for which conflicting, little, or no information is available, use these topics for action planning.
  • Conduct a full self-assessment of your cybersecurity risk management system.
  • Apply the assessment rubric to determine whether your organization's cybersecurity maturity level is reactive, early, mature, or role model. The completed evaluation can lead to an action plan for implementing improvements.

To learn more

  • Download the Baldrige Cybersecurity Excellence Builder.
  • Read the FAQs about the Baldrige Cybersecurity Initiative.
  • Learn more about the NIST Cybersecurity Framework and its voluntary guidance, based on existing standards, guidelines, and practices.
  • Ask questions of the Baldrige Program (301-975-2036; baldrige [at] (baldrige[at]nist[dot]gov)).

If you use the Builder, we invite you to submit lessons learned and comments at This is the first in a series of blogs on the Baldrige Cybersecurity Excellence Builder. Future blogs will focus on using the tool to improve your cybersecurity policies and operations in the areas of leadership, strategy, customers, measurement, workforce, operations, and results.    

About the author

Jacqueline Calhoun

I’m Jackie Calhoun from the Baldrige Marketing and Partnering Team. I joined the Program in 1993 and during my career here,  I have been fortunate enough to be on the Publications Management Team and Examiner Training and Workforce Development Team. I also I have served as Team leader on each of the teams. Prior to Baldrige, I worked as a physical scientist in the NIST Physics Laboratory, Center for Radiation Research.

Related posts


The BCEB takes a holistic approach to measuring and improving the way cybersecurity is integrated into an organization's strategy and operations. I see more and more organizations that no longer maintain a "security belongs to the guys down the hall" approach. Security - physical and logical - is an integral part of what we each do, and the BCEB draws on decades of experience to help consider opportunities to improve our Approach, Deployment, Learning, and Integration. Well done!
Our congrats go out to the NIST Baldrige Cybersecurity Excellence Builder Team! Great job on a very challenging area of process-driven and cultural change! We call this type of enterprise-wide change, "Cybersecurity Convergence". We have a specific maturity model and analytical measurement approach that we want to add into the NIST Cybersecurity Center-of-Excellence. Would you know who we should work with there? Our members would like to also collaborate with other industry peers in benchmarking these NIST-specific best practices. (Please visit if you'd like to opt-in to our distribution list for free.)

Add new comment

Enter the characters shown in the image.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
Please be respectful when posting comments. We will post all comments without editing as long as they are appropriate for a public, family friendly website, are on topic and do not contain profanity, personal attacks, misleading or false information/accusations or promote specific commercial products, services or organizations. Comments that violate our comment policy or include links to non-government organizations/web pages will not be posted.