The National Institute of Standards and Technology (NIST) has issued a draft of a self-assessment tool named Baldrige Cybersecurity Excellence Builder.

The tool is based on the Baldrige Performance Excellence Program and the risk management mechanisms of the NIST cybersecurity framework.

The Baldrige Cybersecurity Excellence Builder was designed to help enterprises to measure the effectiveness of their implementation of the cybersecurity framework and improve the risk management.

“The builder will strengthen the already powerful cybersecurity framework so that organizations can better manage their cybersecurity risks,” said Commerce Deputy Secretary Bruce Andrews that presented the tool at an Internet Security Alliance conference.

The development of the draft of the Baldrige Cybersecurity Excellence Builder is the result of a the collaboration between NIST and the Office of Management and Budget(link is external)’s Office of Electronic Government and Information Technology(link is external), with input from private sector representatives.

The Baldrige Cybersecurity Excellence Builder tool was devised to help organizations ensure that their cybersecurity program (systems and processes) supports their activities and functions.

“These decisions around cybersecurity are going to impact your organization and what it does and how it does it,” says Robert Fangmeyer, director of the Baldrige Performance Excellence Program. “If your cybersecurity operations and approaches aren’t integrated into your larger strategy, aren’t integrated into your workforce development efforts, aren’t integrated into the results of the things you track for your organization and overall performance, then they’re not likely to be effective.”

The NIST explained that the use of the Baldrige Cybersecurity Excellence Builder tool allows organizations of any size and type to:

  • Identify cybersecurity-related activities that are critical to business strategy and the delivery of critical services;
  • Prioritize investments in managing cybersecurity risk;
  • Assess the effectiveness and efficiency in using cybersecurity standards, guidelines and practices;
  • Evaluate their cybersecurity results; and
  • Identify priorities for improvement.

The Builder guides users through a process that details their organization’s distinctive characteristics and strategic situations related to cybersecurity. Then, a series of questions helps define the organization’s current approaches to cybersecurity in the areas of leadership, strategy, customers, workforce and operations, as well as the results achieved with them.

The approach behind the Baldrige Cybersecurity Excellence Builder is simple, the tool uses a series of questions that help the organizations assess their strategies tied to the cybersecurity. The areas assessed by the survey leadership, strategy, customers, workforce, and operations.

As a last step of the assessment, a rubric lets users evaluating the cybersecurity maturity level of their organization.

“The tool’s assessment rubric helps users determine whether their organization’s cybersecurity maturity level is reactive, early, mature or a role model, according to NIST. The completed evaluation can lead to an action plan for upgrading cybersecurity practices and management and implementing those improvements.” reads the announcement published by the NIST. “It also can measure the progress and effectiveness of the process. NIST recommends organizations use the builder periodically so they can maintain the highest level of cybersecurity readiness.”

Public comments on the draft will be accepted until Thursday, Dec. 15, 2016, via e-mail to baldrigecybersecurity@nist.gov(link sends e-mail).

Pierluigi Paganini

Source: cyberdefense magazine