Evaluating cybersecurity risk

With the specter of a cybersecurity incident hovering over enterprise systems, government leaders can be more confident in their risk management programs by assessing their effectiveness with the Baldrige Cybersecurity Excellence Builder.

The self-assessment tool blends organizational performance evaluation strategies from the National Institute of Standards and Technology’s Baldrige Performance Excellence Program with risk management standards, guidelines and best practices from the Cybersecurity Framework. Applying Baldrige principles to the framework lets organizations “maximize the framework’s value and manage all areas affected by cybersecurity as a unified whole,” NIST said.

Using the builder, organizations can:

  • Determine cybersecurity-related activities that are important to business strategy and the delivery of critical services.
  • Prioritize investments in managing cybersecurity risk. 
  • Assess the effectiveness and efficiency of cybersecurity standards, guidelines and practices.
  • Assess their cybersecurity results.
  • Identify priorities for improvement.

The tool first helps users detail their organization’s unique cybersecurity characteristics and situations. Through a series of questions, the builder helps define current approaches to cybersecurity and their results. Users can then determine their organization’s cybersecurity maturity level and develop an action plan to upgrade their cybersecurity practices and management, implement improvements and measure progress and effectiveness.

Designed for use by leaders responsible for cybersecurity policy and operations, the builder is meant to be part of a continuous improvement program, used periodically to maintain high levels of cybersecurity readiness. It consists of 17 items, divided into three groups – organizational, process and results. Organizations can be assessed at a reactive, early, mature or role model level for each evaluation factor. Following the assessment of approaches, deployment, learning and integration is a self-analysis worksheet.

The draft Baldrige Cybersecurity Excellence Builder was developed through a collaboration between NIST and the Office of Management and Budget’s Office of Electronic Government and Information Technology, with input from private sector representatives. Comments on the tool are due Dec. 15.

About the Author

Kathleen Hickey is a freelance writer for GCN.

