Government Contracts Monitor

Short Take: New Self-Assessment for Cybersecurity Risk Management Tool

September 19, 2016

Last week, the National Institute of Standards and Technology (NIST) released a draft of its new Baldrige Cybersecurity Excellence Builder, another component in NIST’s cybersecurity framework. The Cybersecurity Excellence Builder is based on NIST’s Baldrige Performance Excellence Program. NIST’s Baldrige Program, a partnership between the public and private sectors, is dedicated to organizational performance excellence and educates agencies and private entities on industry best practices toward the goal of organizational growth, sustainment, effectiveness and capabilities. Cybersecurity is a key component to organizational success under the Baldrige Performance Excellence Program.

The new 35-page Cybersecurity Excellence Builder provides instructions on its use for organizational self-assessment, and suggestions as to which stakeholders should use it, and in what way it will benefit their particular interests. To complete the self-assessment, a stakeholder analyzes its organizational capabilities and structure in six specific cybersecurity processes: Leadership; Strategy; Customers; Measurement, Analysis and Knowledge Management; Workforce; and Operations. Each process has 4 specific Evaluation Factors: Approach, Deployment, Learning and Integration.

The tool then provides a rubric for an organization to evaluate its responses, and determine its Maturity Level for each category and each evaluation factor; Maturity levels range from “Reactive” to “Role Model.” The self-assessment worksheet also lets organizations prioritize the importance of specific processes and factors to allow them to formulate courses of action that will ultimately improve their cybersecurity processes, as part of the overarching goal of performance excellence. The tool provides a convenient, low-cost mechanism for organizations to begin to establish their goals and priorities for cybersecurity in-house. If the tool is well-received by organizations and widely used, NIST may expand its Cybersecurity Initiative beyond the Excellence Builder (Phase 1), to Phase 2, which would include voluntary assessments by independent experts, and sharing best practices.