NIST Unveils a Cybersecurity Self-Assessment ToolGauging the Effectiveness of Risk Management Initiatives
The National Institute of Standards and Technology has issued a draft of a self-assessment tool that's designed to help enterprises gauge the impact and effectiveness of their cybersecurity risk management initiatives.
Known as the Baldrige Cybersecurity Excellence Builder, the self-assessment tool is based on the Baldrige Performance Excellence Program and the risk management mechanisms of NIST's cybersecurity framework. The Baldrige Performance Excellence Program, like the cybersecurity framework, is designed to help organizations worldwide guide their operations, improve performance and achieve sustainable results. NIST, a Commerce Department unit, administers the Baldrige program.
Commerce Deputy Secretary Bruce Andrews says organizations have been calling for a way to measure the effectiveness of the cybersecurity framework, and the Baldrige Cybersecurity Excellence Builder is designed, in part, to do that. "The builder will strengthen the already powerful cybersecurity framework so that organizations can better manage their cybersecurity risks," Andrews said in announcing the tool at an Internet Security Alliance conference.
The builder tool is intended to help organizations ensure that their cybersecurity systems and processes support the enterprises' larger organizational activities and functions. "These decisions around cybersecurity are going to impact your organization and what it does and how it does it," says Robert Fangmeyer, director of the Baldrige Performance Excellence Program. "If your cybersecurity operations and approaches aren't integrated into your larger strategy, aren't integrated into your workforce development efforts, aren't integrated into the results of the things you track for your organization and overall performance, then they're not likely to be effective."
According to NIST, organizations can use the Baldrige Cybersecurity Excellence Builder to:
- Identify cybersecurity-related activities that are critical to business strategy and the delivery of critical services;
- Prioritize investments in managing cybersecurity risk;
- Assess the effectiveness and efficiency in using cybersecurity standards, guidelines and practices;
- Evaluate their cybersecurity results; and
- Identify priorities for improvement.
The builder and framework are not one-size-fits-all tools; they can be adapted to meet an organization's specific needs. NIST says the builder guides users through a process that details their organization's distinctive characteristics and strategies tied to cybersecurity. A series of questions helps define the organization's approaches to cybersecurity in the areas of leadership, strategy, customers, workforce and operations, as well as the results achieved with them.
The tool's assessment rubric helps users determine whether their organization's cybersecurity maturity level is reactive, early, mature or a role model, according to NIST. The completed evaluation can lead to an action plan for upgrading cybersecurity practices and management and implementing those improvements. It also can measure the progress and effectiveness of the process. NIST recommends organizations use the builder periodically so they can maintain the highest level of cybersecurity readiness.
Genesis of Initiative
Fangmeyer says the genesis of the builder tool dates back a year ago when Tony Scott, the federal CIO, approached the Baldrige Performance Excellence Program to create a cybersecurity equivalent to the Malcolm Baldrige National Quality Award given annually by the Commerce Department. That award recognizes U.S. organizations that demonstrate performance excellence involving products, services and customer quality. Winning enterprises maintain a role-model organizational management system that ensures continuous improvement.
Instead of initially creating a cybersecurity award, however, the Baldrige Performance Excellence Program worked with the White House Office of Management and Budget, where Scott is based, and the NIST Information Technology Laboratory's Applied Cybersecurity Division to create the self-assessment tool.
NIST issued the builder as a draft and is seeking comments from stakeholders before it publishes a final version of the self-assessment tool. Fangmeyer say he hopes stakeholders will employ elements of the tool, not just read the 35-page draft, before submitting their comments on it. NIST will accept public comments on the draft until Dec. 15 via e-mail to email@example.com.
Responding to an executive order issued by President Obama, NIST released in February 2014 the cybersecurity framework to help critical infrastructure operators manage cybersecurity risk. But many other types of organizations have adopted the framework, which provides a risk-based approach for cybersecurity through five core functions: identify, protect, detect, respond and recovery.
Citing research from IT adviser Gartner, NIST says 30 percent of U.S. organizations used the framework in 2015, and it expects that percentage to grow to 50 percent by 2020.