Government Leaders: Assess Your Cybersecurity Performance with NIST Resources

The views expressed are those of the author and do not necessarily reflect the views of ASPA as an organization.

By Jacqueline Calhoun
October 15, 2018

How do you know as a government leader if you are doing enough to address cybersecurity risks? One way to find out is to assess your organization’s cybersecurity performance using a tool based on two frameworks developed at the U.S. Commerce Department’s National Institute of Standards and Technology (NIST): the Baldrige Cybersecurity Excellence Builder (BCEB).

The BCEB is a voluntary self-assessment tool that enables leaders of any organization to better understand the effectiveness of its cybersecurity risk-management efforts. It helps the organization identify strengths and opportunities for improvement in managing cybersecurity risk based on the organization’s operational and strategic objectives, as well as the needs and expectations of key stakeholders.

The BCEB combines concepts from NIST’s Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework, Version 1.1, NIST CSF) and the Baldrige Excellence Framework. Like those two sources, it is not a one-size-fits-all approach. It is adaptable and scalable to an organization’s needs, goals, capabilities, and environment. Through interrelated sets of open-ended questions, it encourages leaders to use the approaches that best fit their organizations and effectively address their most important cybersecurity needs.

Defining Leaders

The BCEB defines leaders as an organization’s senior leaders and those specifically responsible for overseeing and executing cybersecurity risk management and operations.

The “Leadership” item in the BCEB asks how the personal actions of an organization’s senior leaders and cybersecurity leaders, as well as the characteristics of its governance system, demonstrate and reinforce accountability, and guide and sustain its cybersecurity policies and operations. Following are questions from the two key areas of leadership in this item:

1.1 Leading for Cybersecurity: How do your senior and cybersecurity leaders lead your cybersecurity policies and operations?

1.2 Governance and Societal Responsibilities: How do you govern your cybersecurity policies and operations and fulfill your cybersecurity-related societal responsibilities?

Assessment Scope

Below are some key steps to help an organization get started on a self-assessment of its cybersecurity program. First, leaders may want to determine whether the self-assessment will cover the full organization, a single subunit, or selected parts of the organization. It is also beneficial to select individuals with leadership and facilitation skills and broad knowledge of the cybersecurity management system to lead the effort by serving as “champions.”

Getting Started

  1. Read the BCEB from cover to cover. It’s a short, easy-to-read booklet and includes additional information on how to perform an assessment.
  2. Respond to the questions in the Organizational Context section. This will help ensure that you are focusing on your most critical needs. If you identify important topics for which you have conflicting, little, or no information, you may want to get clarity on these before moving on.
  3. Answer the process questions (categories 1-6) to document your organization’s key cybersecurity-related processes. Then answer the results questions (category 7), which will help you understand the effectiveness and impact of your cybersecurity efforts. In completing the questions, you may discover blind spots in the cybersecurity management system that you have not considered, or areas where you should place additional emphasis.
  4. Assess your responses using the assessment rubric. The rubric will help you gauge your cybersecurity risk management program’s maturity level and determine whether your processes and results are reactive, early, developing, mature, leading, or exemplary.
  5. Prioritize your actions and develop an action plan. Use the self-analysis worksheet to indicate the importance (high, medium, low) of each item to the successful management of cybersecurity within your organization. Prioritization will help you develop an action plan that makes the most effective use of resources.
  6. Measure and evaluate your progress in achieving specific improvement goals. As you continue to use the BCEB, you will learn more about your organization and begin to define ways to build on your strengths, close gaps, and innovate.
  7. Share what you’ve learned to help others. Finally, the Baldrige Performance Excellence Program invites you to submit your BCEB lessons learned and comments.

Not Ready, Start Here

If your organization is not ready to complete the full self-assessment after finishing the Organizational Context, consider doing a self-assessment of just one category or item in which you need improvement. Answer the individual questions in the selected category; then, when ready, conduct a full self-assessment to reveal the key linkages between your chosen category and the other items. This will give you the systems perspective embodied in the seven integrated categories.

Additional Support

View a webcast for a brief overview on integrating the BCEB with the NIST Framework for Improving Critical Infrastructure Cybersecurity. Start learning about the BCEB as you begin to plan for a self-assessment of your cybersecurity risk management system. For hands-on leadership development, leaders in any sector may also find it beneficial to apply to participate as part of a year-long cohort of the Baldrige Executive Fellows Program to learn how national role-model organizations are using the Baldrige Excellence Framework to maintain high performance.

Author: Jacqueline Calhoun is a senior staff member of the Baldrige Performance Excellence Program at NIST. A current member of the federal program’s Marketing and Partnering Team, she also has led and served on teams since 1993 directing publications management and volunteer training and workforce development. Prior to her work with the Baldrige program, she worked as a physical scientist in the NIST Physics Laboratory, Center for Radiation Research.
