Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST Releases Baldrige-Based Tool for Cybersecurity Excellence

Comments Sought on Draft Guide to Enhance Cybersecurity Framework

WASHINGTON, D.C.— The U.S. Commerce Department’s National Institute of Standards and Technology (NIST) released today the draft Baldrige Cybersecurity Excellence Builder, a self-assessment tool to help organizations better understand the effectiveness of their cybersecurity risk management efforts.

NIST is requesting public comments on the draft document, which blends the best of two globally recognized and widely used NIST resources: the organizational performance evaluation strategies from the Baldrige Performance Excellence Program and the risk management mechanisms of the Cybersecurity Framework.

Deputy Secretary of Commerce Bruce Andrews announced the release of the draft document today during his remarks at the Internet Security Alliance’s 15th Anniversary Conference in Washington, D.C.

“The Baldrige Cybersecurity Excellence Builder answers a call from many organizations to provide a way for them to measure how effectively they are using the Cybersecurity Framework,” Andrews said. “The Builder will strengthen the already powerful Cybersecurity Framework so that organizations can better manage their cybersecurity risks.”

Using the Builder, organizations of all sizes and types can:

  • determine cybersecurity-related activities that are important to business strategy and the delivery of critical services;
  • prioritize investments in managing cybersecurity risk; 
  • assess the effectiveness and efficiency in using cybersecurity standards, guidelines and practices; 
  • assess their cybersecurity results; and
  • identify priorities for improvement.

The Cybersecurity Framework, released in February 2014, was developed by NIST through a collaborative process involving industry, academia and government agencies. NIST was directed by an executive order to create the framework specifically for managing cybersecurity risks related to critical infrastructure, but a broad array of public and private sector organizations now use it. The framework provides a risk-based approach for cybersecurity through five core functions—identify, protect, detect, respond and recovery. 

According to a report by the information technology research company Gartner, the framework is currently used by 30 percent of U.S. organizations, a number expected to rise to 50 percent by 2020.

The Baldrige Performance Excellence Program, through its Baldrige Excellence Framework, has helped thousands or organizations worldwide guide their operations, improve performance and get sustainable results for nearly 30 years. It encourages a proven systems thinking approach to achieving organization-wide excellence, driving process improvement and performance management into all key aspects of the organization. 

A 2011 economic report estimated the benefit-to-cost ratio of the Baldrige Program to the U.S. economy at 820 to 1. 

The Cybersecurity Framework gives order and structure to today’s multiple approaches for cybersecurity management by assembling standards, guidelines and practices that are working effectively in many organizations. Applying Baldrige principles enables organizations to maximize the framework’s value and manage all areas affected by cybersecurity as a unified whole. 

The Cybersecurity Framework
The Cybersecurity Framework

Like the Cybersecurity Framework, the Baldrige Cybersecurity Excellence Builder is not a “one-size-fits-all” tool for dealing with cybersecurity risks. It is adaptable to meet an organization’s specific needs, goals, capabilities and environments.

The Builder guides users through a process that details their organization’s distinctive characteristics and strategic situations related to cybersecurity. Then, a series of questions helps define the organization’s current approaches to cybersecurity in the areas of leadership, strategy, customers, workforce and operations, as well as the results achieved with them. 

Finally, an assessment rubric lets users determine their organization’s cybersecurity maturity level—classified as “reactive,” “early,” “mature,” or “role model.” The completed evaluation can then lead to an action plan to upgrade cybersecurity practices and management, implement those improvements, and measure the progress and effectiveness of the process. Designed to be a key part of an organization’s continuous improvement efforts, the Builder should be used periodically to maintain the highest possible level of cybersecurity readiness. 

The draft Baldrige Cybersecurity Excellence Builder was developed through a collaboration between NIST and the Office of Management and Budget’s Office of Electronic Government and Information Technology, with input from private sector representatives.

Public comments on the draft will be accepted until Thursday, Dec. 15, 2016, via e-mail to baldrigecybersecurity [at] (baldrigecybersecurity[at]nist[dot]gov).

As a non-regulatory agency of the Commerce Department, NIST promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards and technology in ways that enhance economic security and improve our quality of life. For more information, visit

Released September 15, 2016, Updated January 8, 2018