On August 26, 2015, DoD published a rule amending the Defense Federal Acquisition Regulation Supplement (DFARS). Subsequently, on December 30, 2015, DoD provided notice that both large and small contractors would be given more time, until December 31, 2017, to comply with the rules. Until that time, however, contractors would still be required to document both their cybersecurity shortcomings and their progress toward full compliance with NIST rules. According to the DFARS, in order to qualify for DoD contracts, businesses would not be allowed to have any security system gaps once full compliance with the NIST guidelines becomes mandatory on December 31, 2017.
NIST Releases Baldrige-Based Tool for Cybersecurity Excellence
Comments Sought on Draft Guide to Enhance Cybersecurity Framework
September 15, 2016
- determine cybersecurity-related activities that are important to business strategy and the delivery of critical services;
- prioritize investments in managing cybersecurity risk;
- assess the effectiveness and efficiency in using cybersecurity standards, guidelines and practices;
- assess their cybersecurity results; and
- identify priorities for improvement.
The Cybersecurity Framework, released in February 2014, was developed by NIST through a collaborative process involving industry, academia and government agencies. NIST was directed by an executive order to create the framework specifically for managing cybersecurity risks related to critical infrastructure, but a broad array of public and private sector organizations now use it. The framework provides a risk-based approach for cybersecurity through five core functions: identify, protect, detect, respond and recover.
According to a report by the information technology research company Gartner, the framework is currently used by 30 percent of U.S. organizations, a number expected to rise to 50 percent by 2020.
The Baldrige Performance Excellence Program, through its Baldrige Excellence Framework, has helped thousands of organizations worldwide guide their operations, improve performance and get sustainable results for nearly 30 years. It encourages a proven systems-thinking approach to achieving organization-wide excellence, driving process improvement and performance management into all key aspects of the organization.
A 2011 economic report estimated the benefit-to-cost ratio of the Baldrige Program to the U.S. economy at 820 to 1.
The Cybersecurity Framework gives order and structure to today’s multiple approaches for cybersecurity management by assembling standards, guidelines and practices that are working effectively in many organizations. Applying Baldrige principles enables organizations to maximize the framework’s value and manage all areas affected by cybersecurity as a unified whole.
This video shows why organizations of all sizes and types use NIST’s voluntary Cybersecurity Framework to manage their cybersecurity-related risk. Strengthening this resource is the Baldrige Cybersecurity Excellence Builder, a self-assessment tool that helps organizations measure how effectively they are using the Cybersecurity Framework.
Like the Cybersecurity Framework, the Baldrige Cybersecurity Excellence Builder is not a “one-size-fits-all” tool for dealing with cybersecurity risks. It is adaptable to meet an organization’s specific needs, goals, capabilities and environments.
The Builder guides users through a process that details their organization’s distinctive characteristics and strategic situations related to cybersecurity. Then, a series of questions helps define the organization’s current approaches to cybersecurity in the areas of leadership, strategy, customers, workforce and operations, as well as the results achieved with them.
Finally, an assessment rubric lets users determine their organization’s cybersecurity maturity level—classified as “reactive,” “early,” “mature,” or “role model.” The completed evaluation can then lead to an action plan to upgrade cybersecurity practices and management, implement those improvements, and measure the progress and effectiveness of the process. Designed to be a key part of an organization’s continuous improvement efforts, the Builder should be used periodically to maintain the highest possible level of cybersecurity readiness.
The draft Baldrige Cybersecurity Excellence Builder was developed through a collaboration between NIST and the Office of Management and Budget’s Office of Electronic Government and Information Technology, with input from private sector representatives.
Public comments on the draft will be accepted until Thursday, Dec. 15, 2016, via e-mail to [email protected].
As a non-regulatory agency of the Commerce Department, NIST promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards and technology in ways that enhance economic security and improve our quality of life. For more information, visit www.nist.gov.