The National Institute of Standards and Technology has issued a draft of a cybersecurity self-assessment tool.

The Baldrige Cybersecurity Excellence Builder is a self-assessment tool to help organizations better understand the effectiveness of their cybersecurity risk management efforts.

NIST is requesting public comments on the draft document, which blends the best of two globally recognized and widely used NIST resources: the organizational performance evaluation strategies from the Baldrige Performance Excellence Program and the risk management mechanisms of the Cybersecurity Framework.

Deputy Secretary of Commerce Bruce Andrews announced the release of the draft document and said: “The Baldrige Cybersecurity Excellence Builder answers a call from many organizations to provide a way for them to measure how effectively they are using the Cybersecurity Framework. The Builder will strengthen the already powerful Cybersecurity Framework so that organizations can better manage their cybersecurity risks.”

Using the Builder, organizations of all sizes and types can:

• determine cybersecurity-related activities that are important to business strategy and the delivery of critical services;
• prioritize investments in managing cybersecurity risk; 
• assess the effectiveness and efficiency in using cybersecurity standards, guidelines and practices; 
• assess their cybersecurity results; and
• identify priorities for improvement.

The Cybersecurity Framework, released in February 2014, was developed by NIST through a collaborative process involving industry, academia and government agencies. NIST was directed by an executive order to create the framework specifically for managing cybersecurity risks related to critical infrastructure, but a broad array of public and private sector organizations now use it. The framework provides a risk-based approach for cybersecurity through five core functions—identify, protect, detect, respond and recovery. 

According to a report by the information technology research company Gartner, the framework is currently used by 30 percent of US organizations, a number expected to rise to 50 percent by 2020.

The Builder guides users through a process that details their organization’s distinctive characteristics and strategic situations related to cybersecurity. Then, a series of questions helps define the organization’s current approaches to cybersecurity in the areas of leadership, strategy, customers, workforce and operations, as well as the results achieved with them. 

Finally, an assessment rubric lets users determine their organization’s cybersecurity maturity level—classified as “reactive,” “early,” “mature,” or “role model.” The completed evaluation can then lead to an action plan to upgrade cybersecurity practices and management, implement those improvements, and measure the progress and effectiveness of the process. Designed to be a key part of an organization’s continuous improvement efforts, the Builder should be used periodically to maintain the highest possible level of cybersecurity readiness. 

The draft Baldrige Cybersecurity Excellence Builder was developed through a collaboration between NIST and the Office of Management and Budget, Office of Electronic Government and Information Technology, with input from private sector representatives.

Public comments on the draft will be accepted until Thursday, Dec. 15, 2016, via e-mail to baldrigecybersecurity@nist.gov (link sends e-mail).