BALDRIGE CYBERSECURITY EXCELLENCE BUILDER
Key questions for improving your organization’s cybersecurity performance
v1.0
#BaldrigeCyber
www.nist.gov/baldrige

Improve Your Performance

The Baldrige Cybersecurity Excellence Builder self-assessment helps you understand and improve what is critical to your organization’s cybersecurity risk management. It is a voluntary self-assessment based on the more detailed Framework for Improving Critical Infrastructure Cybersecurity, managed by NIST’s Information Technology Laboratory, Applied Cybersecurity Division, and the Baldrige Excellence Framework, compiled by the Baldrige Performance Excellence Program at NIST.

[Cover diagram: the categories of the Baldrige Cybersecurity Excellence Builder]
• Organizational Context: Understand the business factors and organizational priorities underlying your cybersecurity risk management.
• Leadership: Understand how your leaders’ actions guide and sustain your cybersecurity risk management.
• Strategy: Create clear strategic priorities for your cybersecurity program.
• Customers: Understand and exceed the cybersecurity-related requirements and expectations of your customers.
• Measurement, Analysis, and Knowledge Management: Through measurement and analysis, align cybersecurity policies and operations with your objectives. Manage your organization’s cybersecurity-related knowledge.
• Workforce: Engage and empower your entire workforce to achieve your cybersecurity-related objectives.
• Operations: Design, manage, and improve your cybersecurity operations for effectiveness and efficiency.
• Results: Use data and information to evaluate and improve cybersecurity-related policies and operations, in alignment with your strategy.

For more information on the Baldrige Cybersecurity Initiative: www.nist.gov/baldrige/products-services/baldrige-cybersecurity-initiative

The Baldrige Program thanks the Foundation for the Malcolm Baldrige National Quality Award and the following organizations for supporting the publication of this booklet.

Contents
 2 Introduction
 6 Baldrige Cybersecurity Excellence Builder
   6 C. Organizational Context
   8 1. Leadership
  10 2. Strategy
  12 3. Customers
  14 4. Measurement, Analysis, and Knowledge Management
  16 5. Workforce
  18 6. Operations
  20 7. Results
23 Assessing Your Responses
  24 Assessment Rubric
  24 Process (Categories 1–6)
  25 Results (Category 7)
26 Glossary of Key Terms
28 User Tools
  28 Benefits of Using the Baldrige Cybersecurity Excellence Builder, by Organizational Role
  29 Crosswalk: Baldrige Cybersecurity Excellence Builder and Cybersecurity Framework
  31 Self-Analysis Worksheet

On the Web: For spreadsheet versions of the Baldrige Cybersecurity Excellence Builder questions and Self-Analysis Worksheet, see www.nist.gov/baldrige/products-services/baldrige-cybersecurity-initiative.

Introduction

What is the Baldrige Cybersecurity Excellence Builder?

The Baldrige Cybersecurity Excellence Builder is a voluntary self-assessment tool that enables organizations to better understand the effectiveness of their cybersecurity risk management efforts. It helps your organization identify strengths and opportunities for improvement in managing cybersecurity risk, based on your organization’s mission needs and objectives.

The Baldrige Cybersecurity Excellence Builder combines concepts in the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework; www.nist.gov/cyberframework) and the Baldrige Excellence Framework (www.nist.gov/baldrige/publications/baldrige-excellence-framework). Like those two sources, it is not a one-size-fits-all approach. It is adaptable and scalable to your organization’s needs, goals, capabilities, and environment. It does not prescribe how you should structure your organization’s cybersecurity policies and operations. Through interrelated sets of open-ended questions, it encourages you to use the approaches that best fit your organization.

Using this self-assessment, you can
• determine cybersecurity-related activities that are important to your business strategy and critical service delivery;
• prioritize your investments in managing cybersecurity risk;
• determine how best to enable your workforce, customers, suppliers, partners, and collaborators to be risk conscious and security aware, and to fulfill their cybersecurity roles and responsibilities;
• assess the effectiveness and efficiency of your use of cybersecurity standards, guidelines, and practices;
• assess the cybersecurity results you achieve; and
• identify strengths to leverage and priorities for improvement.

What is the relationship between the Baldrige Cybersecurity Excellence Builder and the Framework for Improving Critical Infrastructure Cybersecurity?

The Baldrige Cybersecurity Excellence Builder blends the organizational performance and systems perspectives of the Baldrige Excellence Framework with the holistic, enterprise-based approach of the Cybersecurity Framework.

[Figure: the Baldrige Excellence Framework (the leading edge of validated leadership and performance practice) and the Framework for Improving Critical Infrastructure Cybersecurity (cybersecurity standards, guidelines, practices, and references) combine in the Baldrige Cybersecurity Excellence Builder (self-assessment tool).]

The Cybersecurity Framework assembles and organizes standards, guidelines, and practices that are working effectively in many organizations. It also includes informative references that are common across critical infrastructure sectors.

In the Baldrige approach as applied to cybersecurity, an organization manages all areas affected by cybersecurity as a unified whole. As shown in the diagram on the next page, the system consists of your cybersecurity-related approaches in the areas of leadership, strategy, customers, workforce, and operations, as well as the results you achieve. As shown in the diagram, the Baldrige framework is based on a set of core values and concepts. For descriptions of these, see the Baldrige framework booklet (www.nist.gov/baldrige/publications/baldrige-excellence-framework). The system foundation is measurement, analysis, and knowledge management.
The background for all of these components is the Organizational Context section, in which you define your organization’s distinctive characteristics and situation.

[Figure: the Baldrige system. Organizational Context surrounds Leadership, Strategy, Customers, Workforce, Operations, and Results, linked through Integration; the foundation is Measurement, Analysis, and Knowledge Management, resting on the Core Values and Concepts.]

The Baldrige Cybersecurity Excellence Builder incorporates the content outlined in the Cybersecurity Framework into those system elements. See the User Tools section for a crosswalk showing how the items in the Baldrige Cybersecurity Excellence Builder relate to the elements of the Cybersecurity Framework.

Who in an organization should use the Baldrige Cybersecurity Excellence Builder?

The Baldrige Cybersecurity Excellence Builder is intended for use by the leaders and managers in your organization who are concerned with and responsible for mission-driven, cybersecurity-related policy and operations. These leaders and managers may include senior leaders, chief security officers, and chief information officers, among others. For these and other roles and functions, and the benefits to each of using the Baldrige Cybersecurity Excellence Builder, see the User Tools section.

Why does the Baldrige Cybersecurity Excellence Builder include questions about my organization as a whole? Why doesn’t it ask only about my cybersecurity policies and operations?

Because cybersecurity is an organization-wide concern, the Baldrige Cybersecurity Excellence Builder includes questions about
• your organizational and your cybersecurity leaders;
• cybersecurity in the context of your organization’s overall strategy;
• the cybersecurity needs and expectations of internal and external customers;
• the measurement of cybersecurity performance in the context of overall performance measurement;
• your overall workforce and your cybersecurity workforce;
• your cybersecurity operations and their alignment with overall operations; and
• results related to each of these areas.

Your organization’s situation and cybersecurity risks are unique. Therefore, the Baldrige Cybersecurity Excellence Builder leads you to understand your organization’s cybersecurity policies and operations in the context of its characteristics and strategic situation.

How can my organization use the Baldrige Cybersecurity Excellence Builder to assess and improve its management of cybersecurity risks?

1. Scope. The Baldrige Cybersecurity Excellence Builder is most valuable as a voluntary assessment of an entire organization’s cybersecurity risk management program, but it is also useful in assessing a subunit, multiple subunits, or parts of an organization.

2. Organizational Context. The Organizational Context section is critically important for the following reasons:
• It helps you identify gaps in key information and focus on key cybersecurity performance requirements and results.
• You can use it as an initial self-assessment. If you identify topics for which conflicting, little, or no information is available, you can use these topics for action planning.
• It sets the context for, and allows you to address unique aspects of, your organization’s cybersecurity-related needs in your responses to the questions in the rest of the Baldrige Cybersecurity Excellence Builder.

[Figure: the assessment cycle. Decide on the scope → Complete the Organizational Context → Answer the process questions (categories 1–6) → Answer the results questions (category 7) → Assess your answers using the rubric → Prioritize your actions; develop an action plan → Measure and evaluate your progress.]

3. Process Questions (Categories 1–6). Many of the questions in these 12 items begin with “how.” In answering the questions, give information on your organization’s key cybersecurity-related processes:
• Approach: How do you accomplish your organization’s cybersecurity-related work? How systematic are the key processes you use?
• Deployment: How consistently are your key cybersecurity-related processes used in relevant parts of your organization?
• Learning: How well have you evaluated and improved your key cybersecurity-related processes? How well have improvements been shared within your organization?
• Integration: How well do your cybersecurity-related processes address your current and future organizational needs?

4. Results Questions (Category 7). For these five items, give information on the cybersecurity-related results that are the most important to your organization’s success:
• Levels: For your key measures of the effectiveness and efficiency of cybersecurity-related processes, what is your current performance?
• Trends: Are the results improving, staying the same, or getting worse?
• Comparisons: How does your performance compare with that of other organizations and competitors, or with benchmarks?
• Integration: Are you tracking cybersecurity-related results that are important to your organization and that consider the expectations and needs of your key stakeholders? Are you using the results in decision making?

5. Assess Your Responses. Using the process and results assessment rubrics on pages 24 and 25, assign a descriptor (Reactive, Early, Developing, Mature, Leading, or Exemplary) to your responses to each item.

6. Prioritize Your Actions; Develop an Action Plan. Then determine the importance of areas of strength and opportunities for improvement. Celebrate the strengths of your cybersecurity risk management program, and build on them to improve what you do well. Sharing what you do well with the rest of your organization can speed improvement. Also prioritize your opportunities for improving your cybersecurity-related processes and results; you cannot do everything at once. Think about what is most important for your organization as a whole at this time, balancing the differing needs and expectations of your stakeholders and your expected results, and decide what to work on first.

7. Measure and Evaluate Your Progress. As you respond to the questions and gauge your responses against the rubric, you will begin to identify strengths and gaps—first within the categories and then among them. The coordination of key processes, and linkages between your processes and your results, can lead to cycles of improvement. As you continue to use this assessment tool, you will learn more about your organization and begin to define the best ways to build on your strengths, close gaps, and innovate.

You might also consult relevant informative references listed in the Cybersecurity Framework. These specific sections of standards, guidelines, and practices common among critical infrastructure sectors illustrate methods to achieve the outcomes associated with cybersecurity functions.

In addition, completing this voluntary self-assessment might serve as a first step in carrying out these suggestions in the Cybersecurity Framework, section 3.0, “How to Use the Framework”:
• 3.1, Basic Review of Cybersecurity Processes: Use the information gained from answering the self-assessment questions to compare your current cybersecurity-related activities with those outlined in the Cybersecurity Framework Core.
• 3.2, Establishing or Improving a Cybersecurity Program: Use your answers to the self-assessment questions to inform the seven steps in creating or improving a cybersecurity program.
• 3.3, Communicating Cybersecurity Requirements with Stakeholders: Your answers to the questions might inform the creation of a Target Profile to express cybersecurity risk management requirements to stakeholders.

Baldrige Cybersecurity Excellence Builder Category Structure

[Annotated figure: item 3.1, Voice of the Customer, from category 3, Customers, shown with callouts. The callouts are: Category title; Why is this category important to cybersecurity?; What should my organization measure for this category? (the “What to measure” box); Item title; Key questions to answer; and Explanatory notes. The item’s full text appears under category 3.]
Terms in small caps are defined in the Glossary of Key Terms, pages 26–27.

Baldrige Cybersecurity Excellence Builder

C. Organizational Context

Having a clear understanding of your organization (why it exists, where your senior leaders want to take it in the future, who your key stakeholders are, what their expectations are, and what resources support critical functions) will enable you to make and implement strategic decisions about cybersecurity risks, policies, and operations.

C.1 Organizational Description: What are your key organizational characteristics?

a. Organizational Environment
1. Product Offerings. What are your organization’s main product and service offerings? What is the relative importance of each to your success? What mechanisms do you use to deliver your products and services?
2. Mission, Vision, and Values. What are your stated mission, vision, and values? What are your organization’s core competencies, and what is their relationship to your mission?
3. Workforce Profile. What is your overall workforce profile? What is your cybersecurity workforce profile? What recent changes have you experienced in the composition of your overall and your cybersecurity workforce or in your needs for them? What are
• your overall workforce and cybersecurity workforce employee groups and segments, and
• the key drivers that engage them in accomplishing their work, including cybersecurity-related work, and in achieving your mission and vision?
4. Assets. What are your organization’s major physical and virtual assets, including its data, knowledge, devices, systems, facilities, and equipment? What are your priorities for protecting these assets, based on their criticality and business value?
5. Legal and Regulatory Requirements. What are the key laws and regulations relating to cybersecurity in your industry? What are the key applicable
• safety regulations relating to cybersecurity,
• accreditation, certification, or registration requirements relating to cybersecurity,
• industry cybersecurity standards, and
• environmental, financial, and product regulations relating to cybersecurity?

b. Organizational Relationships
1. Organizational Structure. What are your overall organizational leadership structure and governance system? What are the reporting relationships among your governance board, senior leaders, and parent organization, as appropriate? What is the structure of your cybersecurity operations? What are the reporting relationships among your senior leaders and your cybersecurity leaders and managers?
2. Customers and Stakeholders. What are your key internal and external customer groups and stakeholder groups, as appropriate? What are their key requirements and expectations for your cybersecurity policies and operations? What are the differences in these requirements and expectations among customer groups and stakeholder groups?
3. Suppliers and Partners. What are your key types of suppliers, partners, and collaborators for your organization as a whole and for your cybersecurity operations? What role do they play in producing and delivering your key products and services and your customer support services? What cybersecurity roles do they play in your organization? What are your key mechanisms for two-way communication with suppliers, partners, and collaborators? What are your key supply-chain requirements?

Notes
C.1a(2). Core competencies are your organization’s areas of greatest expertise. They are those strategically important, possibly specialized capabilities that are central to fulfilling your mission or that provide an advantage in your marketplace or service environment. Your core competencies should inform the decisions you make about cybersecurity roles, responsibilities, and risks.
C.1a(3). “Workforce” refers to the people actively involved in accomplishing your organization’s work. It includes permanent, temporary, and part-time personnel, as well as any contract employees you supervise. You should describe your suppliers in response to C.1b(3).
C.1a(3). Workforce or employee groups and segments might be based on type of employment or contract-reporting relationship, location (including telework), tour of duty, work environment, or other factors. Your cybersecurity workforce profile might include information on education, tenure, certifications, and other key characteristics. This information will help you establish and manage cybersecurity roles and responsibilities for the entire workforce.
C.1a(4). Assets include physical devices and systems; software platforms and applications; operational technologies; intellectual property; organizational communication and data flows; external information systems, including “cloud services”; and data and information. Your responses should include those high-value assets that support the strategically important products and services you describe in C.1a(1).
C.1b(2). Customer groups might be based on common expectations, behaviors, preferences, or profiles.

C.2 Organizational Situation: What is your organization’s strategic situation?

a. Competitive Environment
1. Competitive Position. What is your competitive position? What are your relative size and growth in your industry or the markets you serve? How many and what types of competitors do you have?
2. Competitiveness Changes. What key changes, if any, are affecting your competitive situation?
3. Comparative Data. What key sources of comparative and competitive cybersecurity data are available from within your industry? What key sources of comparative cybersecurity data are available from outside your industry? What limitations, if any, affect your ability to obtain or use these data?
b. Strategic Context. What are your key strategic challenges and advantages in the areas of business operations and cybersecurity?
c. Performance Improvement System. What are the key elements of your performance improvement system, including your processes for evaluation and improvement of key cybersecurity-related projects and processes?

Notes
C.2a(3). While comparative data about cybersecurity may be relatively sparse, their use is important for the following reasons: (1) your organization needs to know where it stands relative to competitors and to best practices; (2)
comparative information and information obtained from benchmarking often provide the impetus for significant improvement or transformational change; (3) comparing your organization’s performance to that of others frequently leads to a better understanding of your processes and their performance; (4) data on competitors’ performance may reveal organizational advantages as well as challenge areas; and (5) comparative information may support business analysis and decisions relating to core competencies, partnering, and outsourcing.
C.2c. Your performance improvement system refers to your overall approach to improving processes and projects within your organization. The approach you use should be related to your organization’s needs. Some examples of approaches that are compatible with the overarching systems approach provided by this self-assessment are Lean, Six Sigma, Plan-Do-Check-Act, ISO standards, and decision science, among others.

1. Leadership

The personal actions of your senior leaders and cybersecurity leaders, as well as the characteristics of your governance system, demonstrate and reinforce accountability and guide and sustain your cybersecurity policies and operations.

What to measure: See category 7 for organizational performance results to report. See item 7.4 for results specifically related to leadership and governance.

1.1 Leading for Cybersecurity: How do your senior and cybersecurity leaders lead your cybersecurity policies and operations?
1. How do your leaders deploy the organization’s mission, vision, and values to the workforce, to key suppliers and partners, and to key customers and other stakeholders, as appropriate?
2. How do your leaders’ actions demonstrate their commitment to cybersecurity?
3. How do your leaders’ actions demonstrate their commitment to legal and ethical behavior?
4. How do your leaders communicate with and engage other organizational leaders, the workforce, and key customers and stakeholders regarding cybersecurity?
5. How do your leaders create an environment for cybersecurity policies and operations that are successful now and in the future?
6. How do your leaders create a focus on action that will achieve the organization’s cybersecurity objectives in alignment with its mission?

Notes
1.1. In this item, “leaders” includes your organization’s senior leaders and those specifically responsible for overseeing and executing cybersecurity risk management and operations. Leadership on cybersecurity policies and approaches ideally resides at multiple organizational levels. Your organization should decide whether each question refers to all senior leaders or your cybersecurity leaders.
Q1. Your organization’s mission and vision should set the context for the cybersecurity-related strategic objectives and action plans you describe in items 2.1 and 2.2.
Q4. This includes encouraging frank, two-way communication about cybersecurity, communicating key decisions, and taking a direct role in motivating the workforce, including by participating in reward and recognition programs.
Q5. To create an environment for cybersecurity policies and operations that are successful now and in the future, leaders should create an environment for operational agility, cultivate organizational learning and learning for workforce members, and create a workforce culture that fosters engagement in cybersecurity matters. A successful organization, understanding that some risk is always present, determines and oversees its risk appetite and risk tolerance.
Q6. In creating a focus on action that will achieve the organization’s objectives, leaders should create a focus on action that will improve your organization’s cybersecurity performance in the context of its mission and strategy, identify needed actions, set expectations for performance that create and balance value for customers and other stakeholders, and demonstrate personal accountability for the organization’s actions.

1.2 Governance and Societal Responsibilities: How do you govern your cybersecurity policies and operations and fulfill your cybersecurity-related societal responsibilities?
1. How does your organization ensure responsible governance of its cybersecurity policies and operations?
2. How do you address and anticipate legal, regulatory, and community concerns with your cybersecurity-related policies and operations?
3. How do you promote and ensure ethical behavior in all cybersecurity-related interactions?
4. How do you actively support and strengthen the cybersecurity infrastructure of your key communities?

Notes
Q1. Responsible governance of cybersecurity policies and operations includes accountability for these policies and operations, accountability for strategic plans, fiscal accountability, transparency, and protection of stakeholder and stockholder interests, as appropriate. In protecting stakeholder interests, the governance system should consider and sanction appropriate levels of risk for the organization, recognizing the need to accept risk as part of running a successful organization.
Q3. Some examples of measures of ethical behavior are the percentage of independent board members, instances of ethical conduct or compliance breaches and responses to them, survey results showing workforce perceptions of organizational ethics, ethics hotline use, and results of ethics reviews and audits.
Q4. To support and strengthen key communities, an organization might identify its key communities, determine areas for external participation in improving cybersecurity infrastructure, and contribute to the improvement of cybersecurity in those key communities by actively sharing information. This might include contributing comparative data on cybersecurity outcomes and actively sharing information with partners to ensure that accurate, current information is being distributed and consumed to improve cybersecurity before a cybersecurity event occurs.

2. Strategy

Managing cybersecurity risk requires clear and robust planning and implementation, particularly when improvement alternatives and the need to respond to unanticipated needs compete for limited resources.

What to measure: Many results covered in category 7 will flow from your strategy. See item 2.2, Q5, on establishing measures for the achievement and effectiveness of your cybersecurity-related action plans. See item 7.4, Q6, for results for strategy achievement.

2.1 Strategy Development: How do you include cybersecurity considerations in your strategy development?
1. How do you include cybersecurity planning in your overall organizational strategic planning process?
2. How do you ensure alignment between your cybersecurity planning and your organization’s overall strategic planning?
3. How does your strategy development process stimulate and incorporate innovation in cybersecurity policies and operations?
4. How do you collect and analyze relevant data and develop information on cybersecurity for your strategic planning process?
5. How do you decide which key cybersecurity processes will be accomplished by your workforce and which by external suppliers and partners?
6. What are your organization’s key cybersecurity-related strategic objectives and timetable for achieving them?
7. How do your organization’s key cybersecurity-related strategic objectives align with your organization’s overall strategic objectives?
8. How do your strategic objectives achieve appropriate balance among varying and potentially competing cybersecurity needs, customer and stakeholder requirements, and business objectives?

Notes
2.1. Strategy development refers to your organization’s approach to preparing for the future. This item asks how your strategic planning considers your organization’s cybersecurity needs in alignment with
your organization’s overall strategy 2 1 In developing your cybersecurity strategy you should consider your level of acceptable enterprise risk As appropriate you might involve key suppliers distributors partners and customers in your cybersecurity strategy development Q3 Stimulating and incorporating innovation includes identifying strategic opportunities prospects for new or changed cybersecurity policies procedures technologies and processes and deciding which ones are intelligent risks to pursue Innovation refers to making meaningful change to improve products services processes or organizational effectiveness and create new value for stakeholders The outcome of innovation is a discontinuous or “breakthrough” change 10 Q4 Your collection and analysis should include these key elements of risk your strategic challenges and strategic advantages with regard to cybersecurity potential relevant changes in your regulatory and external business environment potential blind spots with regard to cybersecurity and your ability to execute the cybersecurity-related parts of the plan Your decisions about these elements may give rise to organizational risk Analysis of these factors is the basis for managing strategic cybersecurity-related risk in your organization Q5 Decisions on which key cybersecurity processes will be accomplished by your workforce and which externally should consider your core competencies and those of potential suppliers and partners This is a fundamental consideration in your key cybersecurity work systems consisting of how your cybersecurity-related work is accomplished through internal work processes and external resources These decisions are strategic and involve protecting intellectual property capitalizing on core competencies and mitigating risk Baldrige Cybersecurity Excellence Builder 2 2 Strategy Implementation How do you implement the cybersecurity-related elements of your strategy 1 What are your key short- and longer-term 
cybersecurity-related action plans 2 How do you deploy your cybersecurity-related action plans 3 How do you ensure that financial and other resources are available to support the achievement of your cybersecurity-related action plans while you meet current obligations 4 What are your key workforce plans to support your short- and longer-term cybersecurity-related strategic objectives and action plans 5 What key performance measures or indicators do you use to track the achievement and effectiveness of your cybersecurity-related action plans 6 For these key performance measures or indicators what are your performance projections for your shortand longer-term planning horizons 7 How do you establish and implement modified cybersecurity-related action plans if circumstances require a shift in plans and rapid execution of new plans Terms in small caps are defined in the Glossary of Key Terms pages 26–27 Notes 2 2 The development and deployment of your strategy described in item 2 1 and action plans relating to cybersecurity are closely linked to other items The following are examples of key linkages • Item 1 1 how your leaders communicate organizational direction with regard to cybersecurity • Category 3 how you gather internal and external customer knowledge as input to your strategy and action plans and to use in deploying action plans • Category 4 how you measure and analyze cyber security data and manage cybersecurity knowledge to support key information needs support the development of your strategy provide an effective basis for cybersecurity performance measurements and track progress on achieving cybersecurity-related strategic objectives and action plans Baldrige Cybersecurity Excellence Builder • Category 5 how you meet cybersecurity workforce capability and capacity needs determine cybersecurity-related development and learning needs and design your workforce development and learning system accordingly and implement workforce-related changes resulting from 
action plans
• Category 6: how you address changes to your cybersecurity work processes resulting from action plans
• Item 7.1: specific accomplishments on the cybersecurity-related elements of your strategy and action plans

3 Customers
Your customers are the ultimate judges of the quality of your organization’s products and services. Cybersecurity risk can harm your ability to gain and maintain customers. Thus your organization must consider all cybersecurity-related product and service features and modes of access and support that contribute value to your customers.
What to measure: See item 7.2, Customer Results.

3.1 Voice of the Customer
How do you obtain cybersecurity-related information from your customers?
1. How do you listen to, interact with, and observe internal and external customers to obtain actionable information on their cybersecurity-related requirements and expectations?
2. How do you determine internal and external customers’ satisfaction and dissatisfaction with your organization’s cybersecurity policies and operations?
3. How do you determine the impact of your organization’s cybersecurity policies and operations on customer engagement?

Notes 3.1 The voice of the customer refers to your process for capturing customer-related information. In listening to the voice of the customer, you might gather and integrate various types of customer data, such as survey data, focus group findings, blog comments and data from other social media, and complaint data.
Q2 You might use any or all of the following to determine customer satisfaction and dissatisfaction: surveys, formal and informal feedback, customer account histories, complaints, customer referral rates, and transaction completion rates.
Q3 Customer engagement is your customers’ investment in or commitment to your brand and product/service offerings. It is based on your ongoing ability to serve their needs and build relationships so that they will
continue using your products. Characteristics of engaged customers include retention, brand loyalty, willingness to make an effort to do business—and increase their business—with you, and willingness to actively advocate for and recommend your brand and product/service offerings.

3.2 Customer Engagement
How do you engage customers in cybersecurity by serving their needs and building relationships?
1. How do you enable internal and external customers to seek information and support related to your cybersecurity policies and operations?
2. How do you ensure that internal and external customers understand and fulfill their cybersecurity roles and responsibilities?
3. How do you build and manage internal and external customer relationships to retain customers, meet their requirements, and exceed their expectations with regard to cybersecurity?
4. How do you manage internal and external customer complaints about your cybersecurity policies and operations?

Note Q1 Your approach to enabling customers to seek information and support should include provisions to protect privacy and civil liberties when personal information is used, collected, processed, maintained, or disclosed in connection with your organization’s cybersecurity activities. Some examples of activities with privacy or civil liberties considerations include cybersecurity activities that may result in the overcollection or overretention of personal information, disclosure or use of personal information unrelated to cybersecurity activities, and cybersecurity mitigation activities that result in denial of service or other similar potentially adverse impacts, including incident detection or monitoring that may impact freedom of expression or association. Privacy principles to consider incorporating in cybersecurity policies and operations include minimizing the collection,
disclosure, and retention of personal information; use limitations, outside of cybersecurity activities, on any information collected specifically for cybersecurity activities; transparency for certain cybersecurity activities; and individual consent and redress for adverse impacts arising from use of personal information in cybersecurity activities.

4 Measurement, Analysis, and Knowledge Management
This category is the “brain center” for aligning your cybersecurity operations with your objectives. Measuring and analyzing how your organization is performing on a comprehensive yet carefully culled set of cybersecurity-related measures helps you make decisions that improve performance.
What to measure: Q2 and Q3 ask for your key cybersecurity performance measures, including your key financial measures. See the notes to Q2 and Q3 for an explanation.

4.1 Measurement, Analysis, and Improvement of Performance
How do you measure, analyze, and then improve cybersecurity-related performance?
1. How do you track data and information on daily cybersecurity operations and overall cybersecurity performance?
2. What are your key cybersecurity performance measures, including your key financial measures, for your cybersecurity operations?
3. What are your key measures for the impact of cybersecurity performance on your organization’s overall key performance measures?
4. How do you select comparative data and information to support fact-based decision making on cybersecurity policies and operations?
5. How do you select voice-of-the-customer and market data and information to support fact-based decision making on cybersecurity policies and operations?
6. How do you ensure that your measurement of cybersecurity performance can respond to rapid or unexpected organizational or external changes?
7. How do you review your organization’s cybersecurity performance and capabilities?
8. How do you project your organization’s future cybersecurity performance?
9. How do you use findings from performance reviews (addressed in
question 6) to develop and deploy priorities for continuous improvement and opportunities for innovation in your cybersecurity policies and operations?

Notes 4.1 This item asks how your organization’s overall performance measurement and analysis system includes the measurement and analysis of cybersecurity-related performance. The results of performance analysis and review should inform the development and implementation of the cybersecurity-related elements of your organization’s strategy (see category 2).
Q2 Your key cybersecurity performance measures are those that are critical to achieving the cybersecurity-related strategic objectives described in category 2. Depending on your organization’s strategy and goals, these might include measures of customer and process performance, operational performance, supplier, workforce, partner, cost, and financial performance, and governance and compliance results.
Q2, Q3 Key financial measures for your cybersecurity operations might include measures of performance to budget. Measures for the impact of cybersecurity performance on your organization’s overall performance might include the financial impact of cybersecurity operations and incidents on organization-wide operations, as well as on your ability to meet customer and stakeholder requirements and business objectives. See the notes to item 7.5 for specific examples.
Q4 Organizations obtain comparative data and information by benchmarking and by seeking competitive comparisons. Benchmarking is identifying processes and results that represent best practices and performance for similar activities, inside or outside your industry. Competitive comparisons relate your performance to that of competitors and other organizations providing similar products and services.
Q7 Your reviews of cybersecurity performance should be informed by performance measures identified throughout this self-assessment tool, and they should be guided
by the strategic objectives and action plans you identify in category 2. Reviews might include a review by your organization’s governance board.

4.2 Knowledge Management
How do you manage your organization’s cybersecurity-related knowledge assets?
1. How do you verify and ensure the quality of organizational data and information related to cybersecurity?
2. How do you ensure the availability of organizational data and information related to cybersecurity?
3. How do you build, manage, and update your organization’s cybersecurity-related knowledge and awareness?
4. How do you share cybersecurity best practices in your organization and with customers, suppliers, and partners, as appropriate?
5. How do you use your knowledge and resources to embed learning in the way your cybersecurity operations function?

Notes Q3 Building, managing, and updating cybersecurity-related knowledge allows you to maintain your organization’s awareness of a continually changing cybersecurity threat environment. It involves collecting and transferring workforce knowledge related to cybersecurity; blending and correlating cybersecurity-related data from different sources (including other organizations) to build new knowledge; transferring relevant cybersecurity-related knowledge from and to customers, suppliers, partners, and collaborators; and assembling and transferring relevant cybersecurity-related knowledge for use in innovation and strategic planning processes. Sources for building and updating your organization’s cybersecurity-related knowledge and awareness may include, for example, cybersecurity information learned from other organizations, service tickets reported to the help desk, lessons learned from recovery exercises, and data reported by customers. An important element of cybersecurity risk management includes the ability to predict and avoid cybersecurity
incidents based on lessons learned and/or information shared by partners and others.
Q5 Embedding learning in the way your cybersecurity operations function means that learning (1) is a part of everyday cybersecurity work; (2) results in solving problems at their source; (3) is focused on building and sharing cybersecurity knowledge throughout your organization; and (4) is driven by opportunities to bring about significant, meaningful change and to innovate with regard to cybersecurity. Organizational learning takes place when processes intentionally include mechanisms that monitor performance and conformance, identify improvement targets, analyze gaps, and prioritize improvements.

5 Workforce
Success in achieving your cybersecurity-related objectives depends on an engaged workforce—including workforce members involved directly in cybersecurity-related operations and members of your overall workforce. This workforce benefits from meaningful work, clear organizational direction, the opportunity to learn, and accountability for performance.
What to measure: See item 7.3, Workforce Results.

5.1 Workforce Environment
How do you build an effective and supportive environment for your cybersecurity workforce?
1. How do you assess your cybersecurity workforce capability and capacity needs?
2. How do you recruit, hire, place, and retain new cybersecurity workforce members?
3. How do you organize and manage your cybersecurity workforce to establish roles and responsibilities?
4. How do you prepare your cybersecurity workforce for changing capability and capacity needs?

Notes 5.1 The questions in this item refer to your cybersecurity workforce. See item 5.2 for questions on your entire workforce.
5.1 Your cybersecurity workforce consists of the people actively involved in accomplishing your organization’s cybersecurity work. It includes permanent, temporary, and part-time personnel, as well as any contract employees you supervise. It includes
team leaders, supervisors, and managers at all levels. Suppliers and people supervised by a contractor should be addressed in categories 2 and 6.
Q1 Cybersecurity workforce capability is your organization’s ability to carry out its cybersecurity work processes through its people’s knowledge, skills, abilities, and competencies. Cybersecurity workforce capacity is your organization’s ability to ensure sufficient staffing levels to carry out its cybersecurity work processes, including the ability to meet seasonal or varying demand levels. In assessing your cybersecurity workforce capability and capacity needs, you should consider not only current needs but also future requirements based on the strategic objectives and action plans you identify in category 2.
Q2 This question refers only to new cybersecurity workforce members. For the retention of existing workforce members, see item 5.2, Workforce Engagement.
Q4 Preparing your cybersecurity workforce for changing capability and capacity needs involves ensuring continuity, preventing workforce reductions, and minimizing the impact of any reductions that occur. It also involves preparing for and managing any periods of workforce growth, as well as preparing your workforce for changes in organizational structure and work systems as needed.

5.2 Workforce Engagement
How do you engage your workforce to achieve a high-performance work environment in support of cybersecurity policies and operations?
1. How do you foster an organizational culture that is characterized by open communication, high performance, and a workforce that is engaged in cybersecurity matters?
2. How do you assess the engagement of your organization’s overall workforce in cybersecurity matters?
3. How does your workforce performance management system support workforce engagement in cybersecurity matters and high performance in fulfilling cybersecurity roles and responsibilities?
4. How does your learning and development system support your
organization’s needs and the development of your organization’s overall workforce members, managers, and leaders in fulfilling cybersecurity roles and responsibilities?
5. How do you evaluate the effectiveness and efficiency of your cybersecurity learning and development system?
6. How do you carry out succession planning for key cybersecurity management and leadership positions?

Notes 5.2 The questions in this item refer to your organization’s entire workforce.
Q1 Fostering such a culture includes empowering your workforce and ensuring a safe, trusting, and cooperative environment.
Q2 Drivers of workforce engagement (identified in C.1a(3)) refer to the drivers of workforce members’ commitment, both emotional and intellectual, to accomplishing the organization’s work (including cybersecurity-related work), mission, and vision.
Q3 Your workforce performance management system should consider compensation, reward, recognition, and retention practices. It should reinforce intelligent risk taking, a customer and business focus, and achievement of your action plans.
Q4 Learning and development needs include the knowledge, skills, and abilities workforce members need to fulfill their cybersecurity roles and responsibilities. Organizations benefit when an understanding of these needs becomes part of the organizational culture, evolving from lessons learned from previous security activities, information shared by other sources, and continuous awareness of activities on their systems and networks.

6 Operations
Designing, managing, and improving your cybersecurity-related operations for effectiveness and efficiency helps you achieve your cybersecurity-related objectives, in turn supporting your organization’s overall goals and objectives.
What to measure: See item 7.1, Cybersecurity Process Results.

6.1 Work Processes
How do you design, manage, and improve your key cybersecurity work processes?
a.
Cybersecurity Process Design, Management, and Improvement
1. How do you determine key cybersecurity work process requirements?
2. How do you design your cybersecurity work processes to meet requirements?
3. How does your day-to-day operation of cybersecurity work processes ensure that they meet key process requirements?
4. How do you determine the key support processes that enable your cybersecurity operations?
5. How do you improve your cybersecurity work processes to improve their performance and reduce variability?
6. How do you pursue opportunities for innovation in your cybersecurity operations?
b. Protection of Assets and Systems
1. How do you limit access to physical and logical assets and associated facilities to authorized users, processes, or devices, consistent with the risk of unauthorized access?
2. How do you manage information and records (data) consistent with your risk strategy to protect their confidentiality and integrity and ensure their availability?
3. How do you maintain and use security policies (addressing purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures to manage protection of information systems and assets?
4. How do you maintain and repair industrial control and information system components consistent with policies and procedures?
5. How do you manage technical security solutions to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements?
c. Detection of Cybersecurity Events
1. How do you detect anomalies in a timely manner and assess the impact of cybersecurity events?
2. How do you monitor information systems and assets at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures?
3. How do you maintain and test detection processes and procedures to ensure timely and adequate awareness of anomalies?
d. Response to Cybersecurity Events
1. How do you execute and maintain response processes
and procedures to ensure timely response to detected cybersecurity events?
2. How do you coordinate response activities with other workforce units, customers, and stakeholders, as appropriate, including external law enforcement agencies?
3. How do you analyze your response activities to ensure adequate response and support recovery activities?
4. How do you limit expansion of an event, mitigate its effects, and eradicate the event?
e. Recovery from Cybersecurity Events
1. How do you execute and maintain recovery processes and procedures to ensure timely restoration of systems or assets affected by cybersecurity events?
2. How do you coordinate recovery activities with other workforce units, customers, and stakeholders, such as coordinating centers, Internet service providers, victims, other computer security incident response teams, and vendors?

Notes 6.1a(1), 6.1a(2) The design of your key cybersecurity work processes should consider your customers’ and stakeholders’ requirements and expectations of your organization and of its products and services.
6.1a(3) Ensuring that your day-to-day operation of cybersecurity work processes meets requirements includes establishing key performance measures or in-process measures to control and improve these processes.
6.1a(4) Support processes for your key cybersecurity work processes might include those for finance and human resources, for example.
6.1a(5) The results of improvements in process performance should be reported in item 7.1. To improve process performance and reduce variability, you might implement approaches such as a Lean Enterprise System, Six Sigma methodology, ISO quality system standards, PDCA methodology, decision sciences, or other process improvement tools. These approaches might be part of the performance improvement system you describe in C.2c in the Organizational Context section.
6.1b–6.1e The Cybersecurity Framework Core
includes the functions of Identify, Protect, Detect, Respond, and Recover. These functions organize basic cybersecurity activities at their highest level. The Core identifies underlying key categories and subcategories for each function and matches them with examples of informative references, such as existing standards, guidelines, and practices. Protect, Detect, Respond, and Recover are covered in this item. The Identify function is covered by questions in the Organizational Context and in categories 1, 2, 3, and 5.
6.1b–6.1e Your responses should include aspects of your work processes that involve external suppliers and partners, such as third-party connections into your organization’s networks and systems.

6.2 Operational Effectiveness
How do you ensure effective management of your cybersecurity operations?
1. How do you control the overall costs of your cybersecurity operations?
2. How do you manage your cybersecurity-related supply chain?
3. How do you ensure that all your suppliers and partners understand and fulfill their cybersecurity roles and responsibilities?
4. How do you ensure that your cybersecurity operations consider their impact on and align with your organization’s overall operations?
5. How do you ensure that your cybersecurity operations consider and align with your organization’s overall operational safety system?
6. How do you ensure that your organization incorporates cybersecurity-related considerations and operations in its preparation for disasters or emergencies?
7. In the event of an emergency, how do you ensure that systems and assets continue to be secure and available to serve customers and business needs?

Notes Q2 Managing your supply chain includes selecting suppliers and ensuring that they are qualified and positioned to not only meet operational needs but also enhance your performance and your customers’ satisfaction; measuring and evaluating your suppliers’ performance; providing feedback to
your suppliers to help them improve; and dealing with poorly performing suppliers. An organization with effective supply-chain risk management can account for emerging cyber supply-chain risk using near-real-time risk management information coordinated among all relevant levels of the organization and external suppliers/partners.
Q6, Q7 Your preparation for disasters and emergencies should consider all systems and assets that are needed to provide your products and services to customers, including supply-chain availability. It should also consider the extent to which your organization is part of customers’ critical infrastructure.

7 Results
Results provide data and information (measures of progress) for evaluating, improving, and innovating cybersecurity-related processes, policies, and operations, in alignment with your cybersecurity and organizational strategy.

7.1 Cybersecurity Process Results
What are your cybersecurity performance and process effectiveness results?
1. What are your results for the protection of your systems and assets?
2. What are your results for the detection of cybersecurity events?
3. What are your results for your response to cybersecurity events?
4. What are your results for your recovery from cybersecurity events?
5. What are your process effectiveness and efficiency results for your cybersecurity operations?
6. What are your emergency preparedness results for your cybersecurity operations?
7. What are your results for suppliers’ and partners’ understanding and fulfillment of their cybersecurity roles and responsibilities?
8. What are your results for management of your cybersecurity supply chain?

Notes 7 The results you report in items 7.1–7.5 should provide key information for analyzing and reviewing your cybersecurity-related performance (item 4.1), demonstrate use of cybersecurity knowledge (item 4.2), and provide the operational basis for
customer-focused results (item 7.2) and financial results (item 7.5). There is not a one-to-one correspondence between results items and categories 1–6. Results should be considered systemically. Contributions to individual results items frequently stem from processes in more than one category.
Q1–Q8 The results you report here should address the key operational requirements you identify in the Organizational Context section and in category 6.
Q1 Results for the protection of systems and assets should relate to the protection processes you describe in category 6. These results might include, for example, the percentage of devices and/or software accurately recorded in inventory, the percentage of devices configured according to policy, the percentage of critical information servers supported by strong authentication, and the number of facilities with Personal Identity Verification (PIV)-based electronic locks.
Q2 Results for the detection of cybersecurity events should relate to the detection processes you report in category 6. These results might include, for example, the number of anomalies detected, investigated, and resolved and the percentage of planned vulnerability mitigation actions effectively completed.
Q3 Results for your response to cybersecurity events should relate to the response processes you report in category 6. These results might include, for example, incident recovery and response time, number of disaster recovery incidents, and number of reports shared with Information Sharing and Analysis Organizations or other appropriate third parties.
Q4 Results for your recovery from cybersecurity events should relate to the recovery processes you report in category 6. These results might include, for example, the time to restore lost availability, the time to access alternate availability mechanisms and restore services, and results of efforts to restore your organization’s reputation.
Q5 Process effectiveness and efficiency results for your cybersecurity operations might include those
for simplification of jobs, waste reduction, and work layout improvements.
Q6 Emergency preparedness results might include the cybersecurity operation’s response times for emergency drills or exercises and results for work relocation or contingency exercises.
Q8 Results for cybersecurity supply-chain performance might include the percentage of contracts that include cybersecurity monitoring and reporting requirements, supplier and partner audits, and acceptance results for externally provided services and processes, as well as improvements in downstream supplier services to customers.

7.2 Customer Results
What are your customer-focused cybersecurity performance results?
1. What are your results for your internal and external customers’ satisfaction and dissatisfaction with your cybersecurity policies and operations?
2. What are your results for the impact of your organization’s cybersecurity policies and operations on customer engagement?
3. What are your results for your internal and external customers’ understanding and fulfillment of their cybersecurity roles and responsibilities?

Notes 7.2 Results for customer satisfaction/dissatisfaction and engagement should relate to the customer groups you identify in C.1b(2) and to the listening and determination methods you report in item 3.1.
Q1 Results might include, for example, survey results on customer satisfaction and dissatisfaction with cybersecurity and privacy and the number of complaints about cybersecurity-related issues.
Q2 Results might include, for example, those for the impact of cybersecurity policies and procedures, incidents, and responses to incidents on customer loyalty, retention, and willingness to recommend.
Q3 Results might include, for example, the number of potential incidents reported by external customers, the requirements for service-level agreements regarding recovery of critical customer systems, the
percentage of customers who have changed their passwords regularly or within a specified time period, and the number of customer systems applying multifactor/strengthened authentication.

7.3 Workforce Results
What are your workforce-focused cybersecurity performance results?
1. What are your capability and capacity results for your cybersecurity workforce?
2. What are your results for the engagement of your workforce in cybersecurity matters?
3. What are your results for workforce members’ fulfillment of their cybersecurity roles and responsibilities?
4. What are your workforce and leader development results related to cybersecurity?

Notes 7.3 Results reported in this item should relate to the processes you report in category 5. Your results should also respond to the key work process needs you report in category 6 and to the action plans you report in item 2.2.
Q1 Results might include, for example, the number of qualified referrals received through employee recommendations, the percentage of cybersecurity vacancies remaining open for a specified number of days, and the percentage of staff members who have achieved necessary qualifications (e.g., Certified Information Security Manager [CISM], Certified Information Systems Security Professional [CISSP]).
Q2 Results should relate to the workforce engagement drivers you describe in C.1a(3) and the methods of assessing engagement you describe in item 5.2.
Q3 Results might include the percentage of employees who follow specific cybersecurity policies and practices, such as those who observe your organization’s password practices.
Q4 Results might include, for example, the percentage of employees who complete role-specific cybersecurity training, cybersecurity management training hours per full-time equivalent, the percentage of employees trained on incident handling, the percentage of employees trained to recognize and avoid email scams, the
percentage of employees trained on how to secure an email browser, and the number of employees trained on use of guidelines for cell phone and personal device security.

7.4 Leadership and Governance Results
What are your cybersecurity leadership and governance results?
1. What are your results for leaders’ communication and engagement with your organization’s other leaders, your workforce, and your key customers and stakeholders regarding cybersecurity?
2. What are your results for governance accountability related to cybersecurity?
3. What are your legal and regulatory results related to cybersecurity?
4. What are your results for ethical behavior related to cybersecurity?
5. What are your results for support of the cybersecurity infrastructure of your key communities?
6. What are your results for the achievement of your cybersecurity strategy and action plans?

Notes Q1 Responses should include results relating to the communication processes you identify in item 1.1.
Q2 Responses should include results relating to the governance processes you describe in item 1.2. These results might include financial statement issues and risks, important internal and external auditor recommendations, and management’s responses to these matters.
Q4 Responses should relate to the processes for ensuring ethical behavior that you identify in item 1.2.
Q5 Results for support of the cybersecurity infrastructure of your key communities might include the extent of external participation and collaboration to improve cybersecurity and results showing its effectiveness (e.g., improved detection using shared indicators of compromise).
Q3 Legal and regulatory results should relate to the processes and measures you describe in item 1.2. Examples might be the percentage of business systems in compliance with legal and regulatory requirements, the number of compliance breaches, and the frequency of warnings/violation notices for cybersecurity
infractions.
Q6 Results for strategy and action plan achievement should relate to the strategic objectives and goals you report in item 2.1 and the action plan performance measures you report in item 2.2.

7.5 Financial Results
What are your cybersecurity-related financial performance results?
1. What are your financial and budgetary performance results for your cybersecurity operations?
2. What are your results for the impact of cybersecurity costs on your organization’s overall financial performance?

Notes 7.5 Results should relate to the financial measures you report in item 4.1 and the financial management approaches you report in item 2.2.
Q1 Examples might include cybersecurity spending as a percentage of the IT budget, cost performance to budget, and lowering of costs as a result of increased efficiency.
Q2 Examples might include cost savings or losses avoided (e.g., fines for nonconformance) produced by the information security program or through costs incurred from addressing information security events, cost/schedule variance in information security activities, and the impact of the cost of cybersecurity breaches on your organization’s other financial results.

Assessing Your Responses
1. For each item (e.g., 1.1, 1.2) in categories 1–7 of the Baldrige Cybersecurity Excellence Builder, use the process and results rubrics on pages 24–25 to assign a descriptor (Reactive, Early, Developing, Mature, Leading, or Exemplary) for each evaluation factor.
For processes (categories 1–6), the evaluation factors are approach, deployment, learning, and integration (ADLI):
• Approach consists of the methods used to carry out a process; the degree to which your approach is systematic (i.e., repeatable and based on reliable data and information); the appropriateness of these methods to the item questions and your operating environment; and the effectiveness of your use of the methods.
• Deployment is
the extent to which your approach is applied consistently and the extent to which it is used by all appropriate work units • Learning is the refinement of your approach through cycles of evaluation and improvement the encouragement of breakthrough change to your approach through innovation and the sharing of refinements and innovations with other relevant work units and processes in your organization • Integration is the extent to which your approach is aligned with the organizational needs identified in the Organizational Context section and in other process items Integration also includes the extent to which your measures information and improvement systems are complementary across processes and work units and the extent to which your plans processes results analyses learning and actions are harmonized across processes and work units to support organization-wide goals For results category 7 the evaluation factors are levels trends comparisons and integration LeTCI “let’s see” • Levels are your current performance on a meaningful measurement scale • Trends are your rate of performance improvement or continuation of good performance in areas of importance i e the slope of data points over time • Comparisons are your performance relative to that of other appropriate organizations such as competitors or organizations similar to yours and your performance relative to industry leaders or relevant benchmarks • Integration is the extent to which your results address important performance requirements relating to customers products services markets processes and action plans identified in the Organizational Context section and in the process items categories 1–6 It also includes the extent to which your results reflect harmonization across your processes and work units to support organization-wide goals 2 Indicate the importance high medium or low of each item to the successful management of cybersecurity within your organization 3 Prioritize your actions Celebrate your 
strengths (the strong points of your cybersecurity risk management program) and build on them to improve what you do well. Sharing the things you do well with the rest of your organization can speed improvement. Prioritize your opportunities for improvement; you cannot do everything at once. Think about what is most important for your organization as a whole at this time, balancing the differing needs and expectations of your stakeholders, and decide what to work on first. Look at the next level in the rubric for how you might improve. Develop an action plan, implement it, and measure your progress.

Assessment Rubric

Process Categories 1–6
Each maturity level is described for the four evaluation factors: Approach, Deployment, Learning, and Integration.

Reactive
• Approach: Cybersecurity-related policies and operations are characterized by activities created to fix problems rather than by processes.
• Deployment: Cybersecurity-related approaches are not used consistently in appropriate organizational units or by customers, partners, and suppliers, as appropriate.
• Learning: Improvement in cybersecurity-related policies and operations is achieved mainly in reaction to immediate needs or problems.
• Integration: Individual areas or work units operate independently. There is no coordination among cybersecurity-related policies and operations in different parts of your organization, or between cybersecurity-related policies and operations and those of the rest of the organization.

Early
• Approach: Cybersecurity-related policies and operations are beginning to be carried out with well-ordered, repeatable approaches.
• Deployment: Key cybersecurity-related approaches are beginning to be used consistently in appropriate organizational units and by customers, partners, and suppliers, as appropriate.
• Learning: Cybersecurity-related policies and operations are in the early stages of a transition from reacting to problems to a general improvement orientation.
• Integration: Cybersecurity-related approaches are beginning to be aligned among work units and with your organization’s basic needs, largely through joint problem solving.

Developing
• Approach: Some elements of cybersecurity-related policies and operations are characterized by effective, well-ordered, repeatable approaches.
• Deployment: Key cybersecurity-related approaches are used consistently in appropriate organizational units and by customers, partners, and suppliers, as appropriate, although some are in the early stages of use.
• Learning: Cybersecurity-related policies and operations are beginning to be systematically evaluated and improved.
• Integration: Cybersecurity-related approaches are aligned among work units and with your organization’s overall needs.

Mature
• Approach: Many elements of cybersecurity-related policies and operations are characterized by effective, well-ordered, repeatable approaches.
• Deployment: Key cybersecurity-related approaches are used consistently in appropriate organizational units and by customers, partners, and suppliers, as appropriate, although use may vary in some areas or work units.
• Learning: Cybersecurity-related policies and operations are systematically evaluated for improvement, and learnings are shared, with some innovation.
• Integration: Cybersecurity-related approaches are aligned with other areas or work units and with organization-wide approaches.

Leading
• Approach: Most elements of cybersecurity-related policies and operations are characterized by effective, well-ordered, repeatable approaches.
• Deployment: Key cybersecurity-related approaches are used consistently in most appropriate organizational units and by customers, partners, and suppliers, as appropriate, with no significant gaps.
• Learning: Fact-based, systematic evaluation and improvement and organizational learning through innovation are key tools; cybersecurity-related policies and operations are characterized by refinement and innovation backed by analysis and sharing.
• Integration: Cybersecurity-related policies and operations in different units work mainly in harmony with each other and with current and future organizational needs defined by your organization.

Exemplary
• Approach: All elements of cybersecurity-related policies and operations are characterized by effective, well-ordered, repeatable approaches.
• Deployment: Key cybersecurity-related approaches are used consistently in all appropriate organizational units and by customers, partners, and suppliers, as appropriate.
• Learning: Cybersecurity-related policies and operations seek and achieve efficiencies through analysis, innovation, and the sharing of information and knowledge.
• Integration: Cybersecurity-related policies and operations in different units work in total harmony with each other and with current and future organizational needs defined by your organization.

Results Category 7
Each maturity level is described for the four evaluation factors: Levels, Trends, Comparisons, and Integration.

Reactive
• Levels: Cybersecurity-related results are frequently missing, poor, or not used.
• Trends: Cybersecurity-related results are not tracked over time or have not improved.
• Comparisons: Available comparative information is not tracked.
• Integration: Cybersecurity-related results that are important to your organization’s ongoing success are not tracked.

Early
• Levels: A few cybersecurity-related results are tracked, and they show early good performance levels.
• Trends: Some trend data are tracked, and some show improvement over time.
• Comparisons: Little or no available comparative information is tracked.
• Integration: A few cybersecurity-related results that are important to your organization’s ongoing success are tracked.

Developing
• Levels: Some cybersecurity-related results are tracked, and they show good performance levels.
• Trends: Some trend data are tracked, and most show improvement over time.
• Comparisons: Some available comparative information is tracked.
• Integration: Many cybersecurity-related results that are important to your organization’s ongoing success are tracked.

Mature
• Levels: Many cybersecurity-related results are tracked, and they show good performance levels.
• Trends: Cybersecurity-related results show improvement or sustained high performance over time in some areas of importance to your organization’s ongoing success.
• Comparisons: Some cybersecurity-related results show good performance relative to available information on competitors, other relevant organizations, or benchmarks.
• Integration: Many cybersecurity-related results that are important to your organization’s ongoing success are tracked; results are beginning to be used in decision making.

Leading
• Levels: Most cybersecurity-related results are tracked, and they show good-to-excellent performance levels.
• Trends: Most cybersecurity-related results show improvement or sustained high performance over time in most areas of importance to your organization’s ongoing success.
• Comparisons: Many cybersecurity-related results show good performance relative to available information on competitors, other relevant organizations, or benchmarks.
• Integration: Most cybersecurity-related results that are important to your organization’s ongoing success are tracked. The results are used in decision making.

Exemplary
• Levels: The full array of cybersecurity-related results is tracked, indicating top performance.
• Trends: The full array of cybersecurity-related results is trended over time, indicating improvement or sustained high performance in all areas of importance to your organization’s ongoing success.
• Comparisons: Cybersecurity-related results indicate top performance relative to information on other organizations or benchmarks.
• Integration: Most cybersecurity-related results that are important to your organization’s ongoing success are tracked, including projections of future results. The results are used in decision making.

Glossary of Key Terms
The terms below are those in small caps in the Baldrige Cybersecurity Excellence Builder categories and assessment rubric.

ACTION PLANS: Specific actions that your organization takes to reach its short- and longer-term strategic objectives. These plans specify the resources committed to and the time horizons for accomplishing the plans. See also strategic objectives.
ALIGNMENT: A state of consistency among plans, processes, information, resource decisions, workforce capability and capacity, actions, results, and analyses that support key organization-wide goals. See also integration.
APPROACH: The methods your organization uses to carry out its processes.
BENCHMARKS: Processes and results that represent the best practices and best performance for similar
activities inside or outside your organization’s industry.
COLLABORATORS: Organizations or individuals who cooperate with your organization to support a particular activity or event, or who cooperate intermittently when their short-term goals are aligned with or are the same as yours. See also partners.
CORE COMPETENCIES: Your organization’s areas of greatest expertise; those strategically important capabilities that are central to fulfilling your mission or that provide an advantage in your marketplace or service environment.
CUSTOMER: An actual or potential user of your organization’s products, programs, or services. See also stakeholders.
CUSTOMER ENGAGEMENT: Your customers’ investment in or commitment to your brand and product offerings.
CYBERSECURITY: The process of protecting information and assets by limiting the occurrence of, detecting, and responding to attacks.
CYBERSECURITY EVENT: A cybersecurity change that may have an impact on organizational operations (including mission, capabilities, or reputation).
DEPLOYMENT: The extent to which your organization applies an approach in relevant work units throughout your organization.
DETECT: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. Detect is one of the five functions included in the Cybersecurity Framework Core; the others are Identify, Protect, Respond, and Recover.
EFFECTIVE: How well a process or a measure addresses its intended purpose.
ETHICAL BEHAVIOR: The actions your organization takes to ensure that all its decisions, actions, and stakeholder interactions conform to its moral and professional principles of conduct. These principles should support all applicable laws and regulations and are the foundation for your organization’s culture and values.
GOALS: Future conditions or performance levels that your organization intends or desires to attain. See also performance projections.
GOVERNANCE: The system of management and controls exercised in the stewardship of your organization.
HIGH PERFORMANCE: Ever-higher levels of overall organizational and individual performance, including quality, productivity, innovation rate, and cycle time.
HOW: The systems and processes that your organization uses to achieve its mission requirements.
IDENTIFY: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. Identify is one of the five functions included in the Cybersecurity Framework Core; the others are Protect, Detect, Respond, and Recover.
INNOVATION: Making meaningful change to improve products, services, processes, or organizational effectiveness and create new value for stakeholders. The outcome of innovation is a discontinuous or breakthrough change.
INTEGRATION: The harmonization of plans, processes, information, resource decisions, workforce capability and capacity, actions, results, and analyses to support key organization-wide goals. See also alignment.
KEY: Major or most important; critical to achieving your intended outcome.
KNOWLEDGE ASSETS: Your organization’s accumulated intellectual resources; the knowledge possessed by your organization and its workforce in the form of information, ideas, learning, understanding, memory, insights, cognitive and technical skills, and capabilities.
LEARNING: New knowledge or skills acquired through evaluation, study, experience, and innovation.
LEVELS: Numerical information that places or positions your organization’s results and performance on a meaningful measurement scale.
MEASURES AND INDICATORS: Numerical information that quantifies the input, output, and performance dimensions of processes, products, programs, projects, services, and the overall organization (outcomes).
MISSION: Your organization’s overall function.
PARTNERS: Key organizations or individuals who are working in concert with your organization to achieve a common goal or improve performance. Typically, partnerships are formal arrangements. See also collaborators.
PERFORMANCE: Outputs and their outcomes obtained from processes, products, services, and customers that permit you to evaluate and compare your organization’s results to performance projections, standards, past results, goals, and other organizations’ results.
PERFORMANCE EXCELLENCE: An integrated approach to organizational performance management that results in (1) delivery of ever-improving value to customers and stakeholders, contributing to ongoing organizational success; (2) improvement of your organization’s overall effectiveness and capabilities; and (3) learning for the organization and for people in the workforce.
PERFORMANCE PROJECTIONS: Estimates of your organization’s future performance. See also goals.
PROCESS: Linked activities with the purpose of producing a product or service for a customer (user) within or outside your organization.
PROTECT: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. Protect is one of the five functions included in the Cybersecurity Framework Core; the others are Identify, Detect, Respond, and Recover.
RECOVER: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. Recover is one of the five functions included in the Cybersecurity Framework Core; the others are Identify, Protect, Detect, and Respond.
RESPOND: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. Respond is one of the five functions included in the Cybersecurity Framework Core; the others are Identify, Protect, Detect, and Recover.
RESULTS: Outputs and outcomes achieved by your organization.
SEGMENT: One part of your organization’s customer, market, product offering, or workforce base.
SENIOR LEADERS: Your organization’s senior management group or team.
STAKEHOLDERS: All groups that are or might be affected by your organization’s actions and success. See also customer.
STRATEGIC ADVANTAGES: Those marketplace benefits that exert a decisive influence on your organization’s likelihood of future success. These advantages are frequently sources of current and future competitive success relative to other providers of similar products/services.
STRATEGIC CHALLENGES: Those pressures that exert a decisive influence on your organization’s likelihood of future success. These challenges are frequently driven by your organization’s anticipated competitive position in the future relative to other providers of similar products/services.
STRATEGIC OBJECTIVES: The aims or responses that your organization articulates to address major change or improvement, competitiveness or social issues, and business advantages. See also action plans.
SYSTEMATIC: Well-ordered, repeatable, and exhibiting the use of data and information so that learning is possible.
TRENDS: Numerical information that shows the direction and rate of change of your organization’s results or the consistency of its performance over time.
VALUE: The perceived worth of a product, process, asset, or function relative to its cost and possible alternatives.
VALUES: The guiding principles and behaviors that embody how your organization and its people are expected to operate.
VISION: Your organization’s desired future state.
VOICE OF THE CUSTOMER: Your process for capturing customer-related information.
WORK PROCESSES: Your organization’s most important internal value-creation processes.
WORKFORCE: All people actively supervised by your organization and involved in accomplishing your organization’s work, including paid employees (e.g., permanent, part-time, temporary, and telecommuting employees), as well as contract employees supervised by your organization and volunteers, as appropriate.
WORKFORCE CAPABILITY: Your organization’s ability to accomplish its work processes through its people’s knowledge, skills, abilities, and competencies.
WORKFORCE CAPACITY: Your organization’s ability to ensure sufficient staffing levels to accomplish its work processes and deliver your products/services to customers, including the ability to meet seasonal or varying demand levels.
WORKFORCE ENGAGEMENT: The extent of workforce members’ emotional and intellectual commitment to accomplishing your organization’s work, mission, and vision.

User Tools

Benefits of Using the Baldrige Cybersecurity Excellence Builder by Organizational Role
For each role or function, the list gives the benefits of, or reasons for, using the Baldrige Cybersecurity Excellence Builder.

Board and Executive Management
• Understand how internal and external cybersecurity should support organizational business objectives, including support for customers
• Understand current and planned workforce engagement processes and their success
• Understand opportunities to improve cybersecurity in alignment with organizational objectives
• Understand the potential exposure of the organization’s assets to various risks
• Align cybersecurity policy and practices with the organization’s mission, vision, and values

Chief Information Officer (CIO)
• Understand how cybersecurity affects organizational information management practices and culture
• Improve communication and engagement with organizational leaders and the cybersecurity workforce
• Understand how cybersecurity affects the organization’s culture and environment

Chief Information Security Officer (CISO)
• Support the organization’s commitment to legal and ethical behavior
• Create and apply cybersecurity policy and practices to support the organization’s mission, vision, and values
• Respond to rapid or unexpected organizational or external changes
• Support continuous improvement through periodic use of the self-assessment tool
• Support organizational understanding of compliance with various contractual and/or regulatory requirements
• Understand the effectiveness of workforce communication, learning, and engagement, as well as operational considerations for cybersecurity

IT/Process Management
• Improve understanding of business requirements and mission objectives and their priorities
• Determine
the effectiveness of IT processes and potential improvements
• Understand how aspects of cybersecurity are integrated with organizational change management processes

Risk Management
• Discern the impact of cybersecurity on internal/external customers, partners, and workforce
• Improve understanding of how workforce engagement in cybersecurity, and communication to the workforce about cybersecurity, impact the organization’s overall risk posture
• Improve management of and communication about risk related to external suppliers and partners

Legal/Compliance Roles
• Understand legal/ethical behavior on the part of the workforce, as well as the overall cultural environment
• Understand how the organization applies cybersecurity-related policies and operations to ensure responsible governance, including legal, regulatory, and community concerns
• Understand how the organization integrates external suppliers and partners into cybersecurity risk management, including contractual obligations for partners’ cybersecurity protection and reporting

Employees/Workforce
• Understand leaders’ expectations
• Be better prepared for changes in cybersecurity capability and capacity needs
• Benefit from a workplace culture and environment characterized by open communication, high performance, and engagement in cybersecurity matters
• Learn to fulfill their cybersecurity roles and responsibilities

Crosswalk: Baldrige Cybersecurity Excellence Builder and Cybersecurity Framework

For each Cybersecurity Excellence Builder category and item, the related sections of the Cybersecurity Framework are listed under three headings: Figure 2 (section 2.4, Notional Information and Decision Flows); Section 3.2 (Establishing or Improving a Cybersecurity Program); and Appendix A (Framework Core Functions and Categories; see footnote 1).

C Organizational Context
C.1 Organizational Description
  Figure 2: Executive Level
  Section 3.2: Step 1 Prioritize and Scope; Step 2 Orient
  Appendix A: ID.AM, ID.BE, ID.SC
C.2 Organizational Situation
  Figure 2: Executive Level (Changes in Current and Future Risk)
  Section 3.2: Step 1 Prioritize and Scope; Step 2 Orient
  Appendix A: ID.BE, ID.RM

1 Leadership
1.1 Leading for Cybersecurity
  Figure 2: Executive Level
  Section 3.2: Step 1 Prioritize and Scope; Step 2 Orient
  Appendix A: ID.BE, RC.CO
1.2 Governance and Societal Responsibilities
  Figure 2: Executive Level
  Section 3.2: Step 2 Orient
  Appendix A: ID.GV, RS.CO

2 Strategy
2.1 Strategy Development
  Figure 2: Business/Process Level (Mission Priority and Risk Appetite and Budget; Changes in Current and Future Risk)
  Section 3.2: Step 1 Prioritize and Scope; Step 2 Orient; Step 4 Conduct a Risk Assessment; Step 5 Create a Target Profile; Step 6 Determine, Analyze, and Prioritize Gaps
  Appendix A: ID.BE, ID.GV, ID.RA, ID.RM, ID.SC
2.2 Strategy Implementation
  Figure 2: Business/Process Level (Mission Priority and Risk Appetite and Budget; Changes in Current and Future Risk)
  Section 3.2: Step 1 Prioritize and Scope; Step 2 Orient; Step 5 Create a Target Profile; Step 7 Implement Action Plan
  Appendix A: ID.BE, ID.GV, ID.RA, ID.RM

3 Customers
3.1 Voice of the Customer
  Figure 2: Business/Process Management; Implementation/Operations Level
  Section 3.2: Step 3 Create a Current Profile; Step 5 Create a Target Profile
  Appendix A: ID.BE
3.2 Customer Engagement
  Figure 2: Business/Process Management; Implementation/Operations Level
  Section 3.2: Step 3 Create a Current Profile; Step 5 Create a Target Profile
  Appendix A: ID.AM, PR.AT, RS.CO, RC.CO

4 Measurement, Analysis, and Knowledge Management
4.1 Measurement, Analysis, and Improvement of Performance
  Figure 2: Implementation Progress
  Section 3.2: Step 6 Determine, Analyze, and Prioritize Gaps
  Appendix A: DE.AE, DE.DP, RS.IM, RC.IM
4.2 Knowledge Management
  Figure 2: Business/Process Management; Implementation/Operations Level
  Section 3.2: Step 6 Determine, Analyze, and Prioritize Gaps
  Appendix A: ID.RA, DE.AE, RS.CO

5 Workforce
5.1 Workforce Environment
  Figure 2: Business/Process Management; Implementation/Operations Level
  Section 3.2: Step 3 Create a Current Profile; Step 5 Create a Target Profile
  Appendix A: ID.AM, ID.GV, PR.IP, DE.DP, RS.CO
5.2 Workforce Engagement
  Figure 2: Business/Process Management; Implementation/Operations Level
  Section 3.2: Step 3 Create a Current Profile; Step 5 Create a Target Profile
  Appendix A: PR.AT, PR.IP, RS.CO

6 Operations
6.1 Work Processes
  Figure 2: Implementation/Operations Level
  Section 3.2: Step 2 Orient; Step 3 Create a Current Profile; Step 4 Conduct a Risk Assessment; Step 5 Create a Target Profile
  Appendix A: PR.AC, PR.DS, PR.IP, PR.MA, DE.AE, DE.CM, DE.DP, RS.RP, RS.AN, RS.IM, RS.MI, RC.RP, RC.IM
6.2 Operational Effectiveness
  Figure 2: Implementation/Operations Level
  Section 3.2: Step 3 Create a Current Profile; Step 5 Create a Target Profile
  Appendix A: ID.AM, ID.BE, ID.SC, PR.AT, PR.IP

7 Results
7.1 Cybersecurity Process Results
  Figure 2: Implementation Progress
  Section 3.2: Step 3 Create a Current Profile; Step 5 Create a Target Profile
  Appendix A: PR.AC, PR.DS, PR.IP, PR.MA, DE.AE, DE.CM, DE.DP, RS.RP, RS.AN, RS.IM, RS.MI, RC.RP, RC.IM
7.2 Customer Results
  Figure 2: Implementation Progress
  Section 3.2: Step 3 Create a Current Profile; Step 5 Create a Target Profile
  Appendix A: ID.BE, ID.AM, PR.AT, RS.CO, RC.CO
7.3 Workforce Results
  Figure 2: Implementation Progress
  Section 3.2: Step 3 Create a Current Profile; Step 5 Create a Target Profile
  Appendix A: ID.AM, ID.GV, PR.IP, DE.DP, RS.CO, PR.AT
7.4 Leadership and Governance Results
  Figure 2: Implementation Progress
  Section 3.2: Step 3 Create a Current Profile; Step 5 Create a Target Profile
  Appendix A: ID.BE, ID.GV, ID.RA, ID.RM, RC.CO
7.5 Financial Results
  Figure 2: Implementation Progress
  Section 3.2: Step 3 Create a Current Profile; Step 5 Create a Target Profile
  Appendix A: ID.BE

1. The Cybersecurity Framework functions are Identify (ID), Protect (PR), Detect (DE), Respond (RS), and Recover (RC). For definitions of these functions, see the glossary. For a detailed explanation of the categories within these functions, see the Cybersecurity Framework (www.nist.gov/cyberframework).

Self-Analysis Worksheet
For a spreadsheet version of this worksheet, see www.nist.gov/baldrige/products-services/baldrige-cybersecurity-initiative.

For each process item (categories 1–6), rate Approach, Deployment, Learning, and Integration as Reactive, Early, Developing, Mature, Leading, or Exemplary, and rate the item’s Importance as High, Medium, or Low.

1
Leadership
1.1 Leading for Cybersecurity: How do your senior and cybersecurity leaders lead your cybersecurity policies and operations?
1.2 Governance and Societal Responsibilities: How do you govern your cybersecurity policies and operations and fulfill your cybersecurity-related societal responsibilities?

2 Strategy
2.1 Strategy Development: How do you include cybersecurity considerations in your strategy development?
2.2 Strategy Implementation: How do you implement the cybersecurity-related elements of your strategy?

3 Customers
3.1 Voice of the Customer: How do you obtain cybersecurity-related information from your customers?
3.2 Customer Engagement: How do you engage customers in cybersecurity by serving their needs and building relationships?

4 Measurement, Analysis, and Knowledge Management
4.1 Measurement, Analysis, and Improvement of Performance: How do you measure, analyze, and then improve cybersecurity-related performance?
4.2 Knowledge Management: How do you manage your organization’s cybersecurity-related knowledge assets?

5 Workforce
5.1 Workforce Environment: How do you build an effective and supportive environment for your cybersecurity workforce?
5.2 Workforce Engagement: How do you engage your workforce to achieve a high-performance work environment in support of cybersecurity policies and operations?

6 Operations
6.1 Work Processes: How do you design, manage, and improve your key cybersecurity work processes?
6.2 Operational Effectiveness: How do you ensure effective management of your cybersecurity operations?

For each results item (category 7), rate Levels, Trends, Comparisons, and Integration as Reactive, Early, Developing, Mature, Leading, or Exemplary, and rate the item’s Importance as High, Medium, or Low.

7 Results
7.1 Cybersecurity Process Results: What are your cybersecurity performance and process effectiveness results?
7.2 Customer Results: What are your customer-focused cybersecurity performance results?
7.3 Workforce Results: What are your workforce-focused cybersecurity performance results?
7.4 Leadership and Governance Results: What are your cybersecurity leadership and governance results?
7.5 Financial Results: What are your cybersecurity-related financial performance results?

BALDRIGE EXCELLENCE FRAMEWORK™ is a trademark, and BALDRIGE PERFORMANCE EXCELLENCE PROGRAM and Design®, MALCOLM BALDRIGE NATIONAL QUALITY AWARD®, and PERFORMANCE EXCELLENCE® are federally registered trademarks of the U.S. Department of Commerce, National Institute of Standards and Technology. The unauthorized use of these trademarks and service marks is prohibited.

What’s Next
You’ve used the Baldrige Cybersecurity Excellence Builder to assess your organization’s cybersecurity program. What’s next?

Tell Us about Your Experience. Submit feedback on the Baldrige Cybersecurity Excellence Builder at www.nist.gov/baldrige/products-services/baldrige-cybersecurity-initiative.

Learn More about the Baldrige Cybersecurity Initiative. See www.nist.gov/baldrige/products-services/baldrige-cybersecurity-initiative to learn more about this initiative.

Learn More about the Cybersecurity Framework. The Framework for Improving Critical Infrastructure Cybersecurity (www.nist.gov/cyberframework) is voluntary guidance, based on existing standards, guidelines, and practices, for organizations to better manage and reduce cybersecurity risk.

Download the Baldrige Excellence Builder. The Baldrige Excellence Builder (www.nist.gov/baldrige/products-services/baldrige-excellence-builder) includes key questions for improving your organization’s overall performance. It is based on the Baldrige Excellence Framework’s Criteria for Performance Excellence.

Purchase the Baldrige Excellence Framework Booklet. The Baldrige Excellence Framework (Business/Nonprofit, Education, or Health Care), at www.nist.gov/baldrige/products-services/
baldrige-excellence-framework, is a comprehensive guide to organizational performance excellence.

Attend the Quest for Excellence® Conference. At Quest (www.nist.gov/baldrige/qe) and other Baldrige conferences, you will learn best performance management practices from Baldrige Award recipients.

Contact the Baldrige Program. We’ll answer your questions on these and other products and services: www.nist.gov/baldrige, (301) 975-2036, baldrige@nist.gov. #BaldrigeCyber

National Institute of Standards and Technology (NIST)
The mission of NIST, an agency of the U.S. Department of Commerce, is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

Baldrige Performance Excellence Program
Created by Congress in 1987, the Baldrige Program is a unique public-private partnership that is dedicated to helping organizations improve their performance and succeed in the global marketplace. The program administers the Presidential Malcolm Baldrige National Quality Award. In collaboration with the greater Baldrige community, we address critical national needs through
• a systems approach to achieving organizational excellence;
• organizational self-assessment tools and analysis of organizational strengths and opportunities for improvement by a team of trained experts;
• training, executive education, conferences, and workshops on proven best management practices and on using the Baldrige Excellence Framework to improve;
• Baldrige-based approaches to cybersecurity risk management and community excellence; and
• support for and partnership with the Alliance for Performance Excellence (www.baldrigepe.org/alliance), a national network of Baldrige-based organizations.

Applied Cybersecurity Division, Information Technology Laboratory
As one of the major research components of NIST, the Information Technology Laboratory has the broad mission to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology through research and development in information technology, mathematics, and statistics. The Applied Cybersecurity Division (www.nist.gov/itl/applied-cybersecurity) implements practical cybersecurity and privacy through outreach and effective application of standards and best practices necessary for the U.S. to adopt cybersecurity capabilities. The Division
• develops cybersecurity standards and guidelines in an open, transparent, and collaborative way;
• does cybersecurity testing and measurement, from developing test suites and methods to validating cryptographic modules; and
• advances applied cybersecurity: applications of NIST’s research, standards, and testing and measurement work.

Foundation for the Malcolm Baldrige National Quality Award
The mission of the Baldrige Foundation (www.baldrigefoundation.org) is to ensure the long-term financial growth and viability of the Baldrige Performance Excellence Program and to support organizational performance excellence in the United States and throughout the world.

For more information: www.nist.gov/baldrige, (301) 975-2036, baldrige@nist.gov
Connect with Baldrige: @BaldrigeProgram #Baldrige
03/2017 T1549
Photo credits: ©Titima Ongkantong/Shutterstock; ©Aleksandr Danilenko/Shutterstock