
BALDRIGE CYBERSECURITY EXCELLENCE BUILDER
Key questions for improving your organization’s cybersecurity performance

v1.1
2019 #BaldrigeCyber
www.nist.gov/baldrige
Improve Your Performance

Organizational Context: Understand the business factors and organizational priorities underlying your cybersecurity risk management.
Leadership: Understand how your leaders’ actions guide and sustain your cybersecurity risk management.
Strategy: Create clear strategic priorities for your cybersecurity program.
Customers: Understand and exceed the cybersecurity-related requirements and expectations of your customers.
Workforce: Engage and empower your entire workforce to achieve your cybersecurity-related objectives.
Operations: Design, manage, and improve your cybersecurity operations for effectiveness and efficiency.
Results: Use data and information to evaluate and improve cybersecurity-related policies and operations in alignment with your strategy.
Measurement, Analysis, and Knowledge Management: Through measurement and analysis, align cybersecurity policies and operations with your objectives. Manage your organization’s cybersecurity-related knowledge.

The Baldrige Cybersecurity Excellence Builder self-assessment helps you understand and improve what is critical to your organization’s cybersecurity risk management. It is a voluntary self-assessment based on the more detailed Framework for Improving Critical Infrastructure Cybersecurity, managed by NIST’s Information Technology Laboratory, Applied Cybersecurity Division, and the Baldrige Excellence Framework, compiled by the Baldrige Performance Excellence Program at NIST.

For more information on the Baldrige Cybersecurity Initiative:
www.nist.gov/baldrige/products-services/baldrige-cybersecurity-initiative

The Baldrige Program thanks the Baldrige Foundation for supporting the program’s mission and the following organizations for supporting the publication of this booklet: Association for Executives in Healthcare Information Security.
Contents

2 Introduction
6 Baldrige Cybersecurity Excellence Builder
6 C Organizational Context
8 1 Leadership
10 2 Strategy
12 3 Customers
14 4 Measurement, Analysis, and Knowledge Management
16 5 Workforce
18 6 Operations
21 7 Results

25 Assessing Your Responses


26 Assessment Rubric
26 Process (Categories 1–6)
27 Results (Category 7)

28 Glossary of Key Terms


30 User Tools
30 Benefits of Using the Baldrige Cybersecurity Excellence Builder, by Organizational Role
31 Linkages in the Baldrige Cybersecurity Excellence Builder
32 Crosswalk: Baldrige Cybersecurity Excellence Builder and Cybersecurity Framework
34 Self-Analysis Worksheet

On the Web
For spreadsheet versions of the Baldrige Cybersecurity Excellence Builder questions and Self-Analysis Worksheet, see
www.nist.gov/baldrige/products-services/baldrige-cybersecurity-initiative.

Introduction
What is the Baldrige Cybersecurity Excellence Builder?
The Baldrige Cybersecurity Excellence Builder (BCEB) is a voluntary self-assessment tool that enables organizations to
better understand the effectiveness of their cybersecurity risk management efforts. It helps your organization identify
strengths and opportunities for improvement in managing cybersecurity risk based on your organization’s mission, needs,
and objectives.
The BCEB combines concepts in the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework; www.nist.gov/cyberframework) and the Baldrige Excellence Framework (www.nist.gov/baldrige/publications). Like those two sources, it is not a one-size-fits-all approach. It is adaptable and scalable to your organization’s needs, goals, capabilities, and environment. It does not prescribe how you should structure your organization’s cybersecurity policies and operations. Through interrelated sets of open-ended questions, it encourages you to use the approaches that best fit your organization. Version 1.1 of the BCEB reflects the 2019–2020 Baldrige Excellence Framework and the Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1.
Using this self-assessment, you can
• determine cybersecurity-related activities that are important to your business strategy and critical service delivery;
• prioritize your investments in managing cybersecurity risk;
• determine how best to enable your workforce, customers, suppliers, partners, and collaborators to be risk-conscious and security-aware, and to fulfill their cybersecurity roles and responsibilities;
• assess the effectiveness and efficiency of your use of cybersecurity standards, guidelines, and practices;
• assess the cybersecurity results you achieve; and
• identify strengths to leverage and priorities for improvement.

What is the relationship between the BCEB and the Framework for Improving Critical Infrastructure Cybersecurity?
The BCEB blends the organizational performance and systems perspectives of the Baldrige Excellence Framework with the holistic, enterprise-based approach of the Cybersecurity Framework.

[Diagram: Framework for Improving Critical Infrastructure Cybersecurity (cybersecurity standards, guidelines, practices, and references) and Baldrige Excellence Framework (leading edge of validated leadership and performance practice) both feed into the Baldrige Cybersecurity Excellence Builder (self-assessment tool).]

The Cybersecurity Framework assembles and organizes standards, guidelines, and practices that are working effectively in many organizations. It also includes informative references that are common across critical infrastructure sectors. In the Baldrige approach as applied to cybersecurity, an organization manages all areas affected by cybersecurity as a unified whole. As shown in the diagram on the inside front cover, the system consists of your cybersecurity-related approaches in the areas of leadership, strategy, customers, workforce, and operations, as well as the results you achieve. (As shown in the diagram, the Baldrige framework is based on a set of core values and concepts. For descriptions of these, see the Baldrige framework booklet, www.nist.gov/baldrige/publications.) The system foundation is measurement, analysis, and knowledge management. The background for all of these components is the Organizational Context, in which you define your organization’s distinctive characteristics and situation.
The BCEB incorporates the content outlined in the Cybersecurity Framework into those system elements. See the User Tools section for a crosswalk showing how the items in the BCEB relate to the elements of the Cybersecurity Framework.

Who in an organization should use the BCEB?
The BCEB is intended for use by the leaders and managers in your organization who are concerned with and responsible for mission-driven, cybersecurity-related policy and operations. These leaders and managers may include senior leaders, chief security officers, and chief information officers, among others. For these and other roles and functions, and the benefits to each of using the BCEB, see the User Tools section.

Why does the BCEB include questions about my organization as a whole? Why doesn’t it ask only about my cybersecurity policies and operations?
Because cybersecurity is an organization-wide concern, the BCEB includes questions about
• your organizational and your cybersecurity leaders,
• cybersecurity in the context of your organization’s overall strategy,
• the cybersecurity needs and expectations of internal and external customers,
• the measurement of cybersecurity performance in the context of overall performance measurement,
• your overall workforce and your cybersecurity workforce,
• your overall and your cybersecurity suppliers and partners,
• your cybersecurity operations and their alignment with overall operations, and
• results related to each of these areas.
The BCEB leads you to understand your organization’s cybersecurity policies and operations in the context of its unique characteristics, strategic situation, and cybersecurity risks.

How can my organization use the BCEB to assess and improve its management of cybersecurity risks?
The BCEB asks you to describe your Organizational Context, define your processes, and report your results. As you do so, notice the linkages among these elements (e.g., describing your workforce in C.1a[3], detailing your workforce processes in category 5, and stating your workforce results in item 7.3). The linkages among these categories help you align your processes and results with your unique organizational characteristics and situation. For examples of these linkages, see page 31.

1. Scope
The BCEB is most valuable as a voluntary assessment of an entire organization’s cybersecurity risk management
program, but it is also useful in assessing a subunit, multiple subunits, or parts of an organization.

2. Organizational Context
The Organizational Context section is critically important for the following reasons:
• It helps you identify gaps in key information and focus on key cybersecurity performance requirements and
results.
• You can use it as an initial self-assessment. If you identify topics for which conflicting, little, or no information is available, you can use these topics for action planning.
• It sets the context for understanding your organization’s cybersecurity-related needs and responding to the
questions in the rest of the BCEB.

3. Process Questions (Categories 1–6)
Many of the questions in these 12 items begin with “how.” In answering the questions, give information on your organization’s key cybersecurity-related processes:
• Approach: How do you accomplish your organization’s cybersecurity-related work? How systematic are the key processes you use?
• Deployment: How consistently are your key cybersecurity-related processes used in relevant parts of your organization?
• Learning: How well have you evaluated and improved your key cybersecurity-related processes? How well have improvements been shared within your organization?
• Integration: How well do your cybersecurity-related processes address your current and future organizational needs?

[Diagram of the self-assessment cycle: Decide on the scope. → Complete the Organizational Context. → Answer the process questions (categories 1–6). → Answer the results questions (category 7). → Assess your answers using the rubric. → Prioritize your actions. → Develop an action plan. → Measure and evaluate your progress.]

4. Results Questions (Category 7)
For these five items, give information on the cybersecurity-related results that are the most important to your organization’s success:
• Levels: For your key measures of the effectiveness and efficiency of cybersecurity-related processes, what is your current performance?
• Trends: Are the results improving, staying the same, or getting worse?
• Comparisons: How does your performance compare with that of other organizations and competitors, or with benchmarks?
• Integration: Are you tracking cybersecurity-related results that are important to your organization and that consider the expectations and needs of your key stakeholders? Are you using the results in decision making?

5. Assess Your Responses
Using the process and results assessment rubrics on pages 26 and 27, assign a descriptor (Reactive, Early, Developing, Mature, Leading, or Exemplary) to your responses to each item.

6. Prioritize Your Actions; Develop an Action Plan
Then determine the importance of areas of strength and opportunities for improvement. Celebrate the strengths of your cybersecurity risk management program, and build on them to improve what you do well. Sharing what you do well with the rest of your organization can speed improvement. Also, prioritize your opportunities for improving your cybersecurity-related processes and results; you cannot do everything at once. Think about what is most important for your organization as a whole at this time, balancing the differing needs and expectations of your stakeholders and your expected results, and decide what to work on first.

7. Measure and Evaluate Your Progress
As you respond to the questions and gauge your responses against the rubric, you will begin to identify strengths and gaps—first within the categories and then among them. The coordination of key processes, and linkages between your processes and your results, can lead to cycles of improvement. As you continue, you will begin to define the best ways to build on your strengths, close gaps, and innovate.
You might also consult relevant informative references listed in the Cybersecurity Framework. These specific sections of standards, guidelines, and practices common among critical infrastructure sectors illustrate methods to achieve the outcomes associated with cybersecurity functions.

In addition, completing this voluntary self-assessment might serve as a first step in carrying out these suggestions in the Cybersecurity Framework, section 3.0 (“How to Use the Framework”):
• 3.1 Basic Review of Cybersecurity Practices: Use your answers to the self-assessment questions to compare your current cybersecurity-related activities with those outlined in the Cybersecurity Framework Core.
• 3.2 Establishing or Improving a Cybersecurity Program: Use your answers to the self-assessment questions to inform the seven steps outlined in that subsection.
• 3.3 Communicating Cybersecurity Requirements with Stakeholders: Your answers to the questions might inform the creation of a Target Profile.

Baldrige Cybersecurity Excellence Builder Category Structure

[Annotated sample page. The bracketed labels identify the parts of each category as laid out in this booklet.]

[Category title] 3 Customers
[Why is this category important to cybersecurity?] Cybersecurity risk can harm your ability to gain and retain customers, who are the ultimate judges of the quality of your organization’s products and services. Thus, your organization must consider all cybersecurity-related policies, operations, and modes of access and support that contribute value to your customers.
[What should my organization measure for this category?] What to measure? See item 7.2, Customer Results.
[Item title] 3.1 Customer Expectations: How do you listen to your customers and determine their cybersecurity-related satisfaction?
[Key questions to answer]
(1) HOW do you listen to, interact with, and observe internal and external CUSTOMERS to obtain actionable information on their CYBERSECURITY-related requirements and expectations?
(2) HOW do you determine internal and external CUSTOMERS’ satisfaction and dissatisfaction with your organization’s CYBERSECURITY policies and operations?
(3) HOW do you determine the impact of your organization’s CYBERSECURITY policies and operations on CUSTOMER ENGAGEMENT?
(4) HOW do you use VOICE-OF-THE-CUSTOMER data and information to support fact-based decision making on CYBERSECURITY policies and operations?

Terms in SMALL CAPS are defined in the Glossary of Key Terms (pages 28–29).

[Explanatory notes]
Notes
3.1. In gathering customer expectations, you might gather and integrate various types of customer data, such as survey data, focus group findings, data from social media, and complaint data.
Q2. You might use any or all of the following to determine customer satisfaction and dissatisfaction: surveys, formal and informal feedback, customer account histories, complaints, customer referral rates, and transaction completion rates.
Q3. Customer engagement is your customers’ investment in or commitment to your brand and product/service offerings. It is based on your ongoing ability to serve their needs and build relationships so that they will continue using your products. Characteristics of engaged customers include retention, brand loyalty, willingness to make an effort to do business—and increase their business—with you, and willingness to actively advocate for and recommend your brand and product/service offerings.

Baldrige Cybersecurity Excellence Builder
C Organizational Context
The Organizational Context is a snapshot of your organization and its strategic environment. With a clear understanding of your
organization, why it exists, where your senior leaders want to take it in the future, who your key stakeholders are, what their
expectations are, and what resources support critical functions, you will be better able to make and implement strategic decisions
about cybersecurity risks, policies, and operations.

C.1 Organizational Description: What are your key organizational characteristics?


a. Organizational Environment
(1) Product Offerings What are your organization’s main product and service offerings? What is the relative
importance of each to your success? What mechanisms do you use to deliver your products and services?
(2) MISSION, VISION, and VALUES What are your stated MISSION, VISION, and VALUES? Other than VALUES, what are the
characteristics of your organizational culture, if any? What are your organization’s CORE COMPETENCIES, and what is
their relationship to your MISSION?
(3) WORKFORCE Profile What is your overall WORKFORCE profile? What is your CYBERSECURITY WORKFORCE profile?
What recent changes have you experienced in the composition of your overall and your CYBERSECURITY WORKFORCE or
in your needs for them? What are
• your overall WORKFORCE and CYBERSECURITY WORKFORCE employee groups and SEGMENTS; and
• the KEY drivers that engage them in accomplishing their work, including CYBERSECURITY-related work, and in
achieving your MISSION and VISION?
(4) Assets What are your organization’s major physical and virtual assets, including its data, knowledge, devices,
systems, and facilities? What are your priorities for protecting these assets, based on their criticality and business
VALUE?

(5) Legal and Regulatory Requirements What are the KEY laws and regulations relating to CYBERSECURITY in your
industry? Relating to CYBERSECURITY, what are the KEY applicable
• safety regulations;
• accreditation, certification, or registration requirements;
• industry standards; and
• environmental, financial, and product regulations?
b. Organizational Relationships
(1) Organizational Structure What are your overall organizational leadership structure and GOVERNANCE structure?
What are the reporting relationships among your GOVERNANCE board, SENIOR LEADERS, and parent organization, as
appropriate? What is the structure of your CYBERSECURITY operations? What are the reporting relationships among
your SENIOR LEADERS and your CYBERSECURITY leaders and managers?
(2) CUSTOMERS and STAKEHOLDERS What are your KEY internal and external CUSTOMER groups and STAKEHOLDER
groups, as appropriate? What are their KEY requirements and expectations for your CYBERSECURITY policies and
operations, including any differences among these groups?
(3) Suppliers, PARTNERS, and COLLABORATORS What are your KEY types of suppliers, PARTNERS, and COLLABORATORS
for your organization as a whole and for your CYBERSECURITY operations? What role do they play in producing
and delivering your KEY products and services and your CUSTOMER support services? What roles do they play in your
CYBERSECURITY operations? What are your KEY CYBERSECURITY requirements for suppliers? What are your KEY supply-
network requirements?

Terms in SMALL CAPS are defined in the Glossary of Key Terms (pages 28–29).

Notes
C.1a(2). Core competencies are your organization’s areas of greatest expertise. They are those strategically important, possibly specialized capabilities that are central to fulfilling your mission or that provide an advantage in your marketplace or service environment. Your core competencies should inform the decisions you make about cybersecurity roles, responsibilities, and risks.
C.1a(3). “Workforce” refers to the people actively involved in accomplishing your organization’s work. It includes permanent, temporary, and part-time personnel, as well as any contract employees you supervise. You should describe your suppliers in response to C.1b(3).
C.1a(3). Workforce or employee groups and segments might be based on type of employment or contract-reporting relationship, location (including telework), tour of duty, work environment, or other factors. Your cybersecurity workforce profile might include information on education, tenure, certifications, and other key characteristics. This information will help you establish and manage cybersecurity roles and responsibilities for the entire workforce.
C.1a(4). Assets include physical devices and systems, software platforms and applications, operational technologies, intellectual property, organizational communication and data flows, external information systems (including “cloud services”), and data and information. Your responses should include those high-value assets that support the strategically important products and services you describe in C.1a(1).
C.1b(2). Customer groups might be based on common expectations, behaviors, preferences, or profiles.

C.2 Organizational Situation: What is your organization’s strategic situation?
a. Competitive Environment
(1) Competitive Position What are your relative size and growth in your industry or the markets you serve? How
many and what types of competitors do you have?
(2) Competitiveness Changes What KEY changes, if any, are affecting your competitive situation?
(3) Comparative Data What KEY sources of comparative and competitive CYBERSECURITY data are available from within
your industry? What KEY sources of comparative CYBERSECURITY data are available from outside your industry? What
limitations, if any, affect your ability to obtain or use these data?
b. Strategic Context
What are your KEY STRATEGIC CHALLENGES and ADVANTAGES in the areas of business, operations, and CYBERSECURITY?
c. Performance Improvement System
What is your PERFORMANCE improvement system, including your PROCESSES for evaluation and improvement of KEY
CYBERSECURITY-related projects and PROCESSES?


Notes
C.2a(3). While comparative data about cybersecurity may be relatively sparse and difficult to obtain, their use is important for the following reasons: (1) Your organization needs to know where it stands relative to competitors and to best practices; (2) comparative information and information obtained from benchmarking often provide the impetus for significant improvement or transformational change; (3) comparing your organization’s performance to that of others frequently leads to a better understanding of your processes and their performance; (4) data on competitors’ performance may reveal organizational advantages as well as challenge areas; and (5) comparative information may support business analysis and decisions relating to core competencies, partnering, and outsourcing.
C.2c. Your performance improvement system refers to your overall approach to improving processes and projects within your organization. The approach you use should be related to your organization’s needs. Some examples of approaches that are compatible with the overarching systems approach provided by this self-assessment are Lean, Six Sigma, Plan-Do-Check-Act, ISO standards, and decision science, among others.

1 Leadership
The personal actions of your senior leaders and cybersecurity leaders, as well as the characteristics of your governance system,
demonstrate and reinforce accountability, and guide and sustain your cybersecurity policies and operations.
What to measure? See category 7 for organizational performance results to report. See item 7.4 for results specifically related to leadership and governance.

1.1 Leading for Cybersecurity: How do your senior and cybersecurity leaders
lead your cybersecurity policies and operations?
(1) HOW do your leaders DEPLOY the organization’s MISSION, VISION, and VALUES to the WORKFORCE, to KEY suppliers and
PARTNERS, and to KEY CUSTOMERS and other STAKEHOLDERS, as appropriate?

(2) HOW do your leaders’ actions demonstrate their commitment to CYBERSECURITY?


(3) HOW do your leaders’ actions demonstrate their commitment to legal and ETHICAL BEHAVIOR?
(4) HOW do your leaders communicate with and engage other organizational leaders, the entire WORKFORCE, KEY
PARTNERS, and KEY CUSTOMERS and STAKEHOLDERS regarding CYBERSECURITY?

(5) HOW do your leaders create an environment for CYBERSECURITY policies and operations that are successful now and in the
future?
(6) HOW do your leaders create a focus on action that will achieve the organization’s CYBERSECURITY objectives in
ALIGNMENT with its MISSION?


Notes
1.1. In this item, “leaders” include your organization’s senior leaders and those specifically responsible for overseeing and executing cybersecurity risk management and operations. Leadership on cybersecurity policies and approaches ideally resides at multiple organizational levels. Your organization should decide whether each question refers to all senior leaders or your cybersecurity leaders.
Q1. Your organization’s mission and vision should set the context for the cybersecurity-related strategic objectives and action plans you describe in items 2.1 and 2.2.
Q4. This includes encouraging frank, two-way communication about cybersecurity; communicating key decisions; and taking a direct role in motivating the workforce.
Q5. To create an environment for success now and in the future, leaders should create an environment for the achievement of the mission; create and reinforce the organization’s culture; foster engagement in cybersecurity matters; cultivate organizational agility, accountability, learning, innovation, and intelligent risk taking; and participate in succession planning and the development of future organizational leaders.
Q6. Leaders should create a focus on action that will improve your organization’s cybersecurity performance in the context of its mission and strategy; identify needed actions; set expectations for performance that create and balance value for customers and other stakeholders; and demonstrate personal accountability for the organization’s actions.

1.2 Governance and Societal Responsibilities: How do you govern your cybersecurity
policies and operations and make cybersecurity-related societal contributions?
(1) HOW does your organization ensure responsible GOVERNANCE of its CYBERSECURITY policies and operations?
(2) HOW do you address current and anticipate future legal, regulatory, and community concerns with your
CYBERSECURITY-related policies and operations?

(3) HOW do you promote and ensure ETHICAL BEHAVIOR in all CYBERSECURITY-related interactions?
(4) HOW do you actively support and strengthen the CYBERSECURITY infrastructure of your KEY communities?


Notes
Q1. Responsible governance includes accountability for cybersecurity policies and operations, accountability for strategic plans, fiscal accountability, transparency, and protection of stakeholder and stockholder interests, as appropriate. In protecting stakeholder interests, the governance system should consider and sanction appropriate levels of risk for the organization, recognizing the need to accept risk as part of running a successful organization.
Q3. Some examples of measures of ethical behavior are instances of ethical conduct or compliance breaches and responses to them, survey results showing workforce perceptions of organizational ethics, ethics hotline use, and results of ethics reviews and audits.
Q4. To support and strengthen key communities, an organization might identify its key communities, determine areas for external participation in improving cybersecurity infrastructure, and contribute to the improvement of cybersecurity in those key communities by actively sharing information. This might include contributing comparative data on cybersecurity outcomes and actively sharing information with partners to ensure that accurate, current information is being distributed and consumed to improve cybersecurity before an event occurs.

2 Strategy
Managing cybersecurity risk requires clear and robust planning and implementation, particularly when improvement alternatives and the need to respond to unanticipated needs compete for limited resources.
What to measure? Many results covered in category 7 will flow from your strategy. See item 2.2, Q5, on establishing measures for the achievement and effectiveness of your cybersecurity-related action plans. See item 7.5, Q3, for results for strategy achievement.

2.1 Strategy Development: How do you include cybersecurity considerations in your strategy development?
(1) HOW do you include CYBERSECURITY planning in your overall organizational strategic planning PROCESS?
(2) HOW do you ensure ALIGNMENT between your CYBERSECURITY planning and your organization’s overall strategic
planning?
(3) HOW does your strategy development PROCESS stimulate and incorporate INNOVATION in CYBERSECURITY policies and
operations?
(4) HOW do you collect and analyze relevant data and develop information on CYBERSECURITY for your strategic
planning PROCESS?
(5) HOW do you decide which KEY CYBERSECURITY PROCESSES will be accomplished by your WORKFORCE and which by
external suppliers and PARTNERS?
(6) What are your organization’s KEY CYBERSECURITY-related STRATEGIC OBJECTIVES and timetable for achieving them?
(7) How do your organization’s KEY CYBERSECURITY-related STRATEGIC OBJECTIVES align with your organization’s overall
STRATEGIC OBJECTIVES?

(8) HOW do your STRATEGIC OBJECTIVES achieve appropriate balance among varying and potentially competing
CYBERSECURITY needs, CUSTOMER and STAKEHOLDER requirements, and business objectives?


Notes
2.1. Strategy development refers to your organization’s approach to preparing for the future. This item asks how your strategic planning considers your organization’s cybersecurity needs in alignment with your organization’s overall strategy.
2.1. In developing your cybersecurity strategy, you should consider your level of acceptable enterprise risk. As appropriate, you might involve key suppliers, distributors, partners, and customers in your cybersecurity strategy development.
Q3. Stimulating and incorporating innovation includes identifying strategic opportunities (prospects for new or changed cybersecurity policies, procedures, technologies, and processes) and deciding which ones are intelligent risks to pursue. Innovation refers to making meaningful change to improve products/services, processes, or organizational effectiveness and create new value for stakeholders. The outcome of innovation is a discontinuous or “breakthrough” change.
Q4. Your collection and analysis should include these key elements of risk: your strategic challenges and strategic advantages with regard to cybersecurity, potential relevant changes in your regulatory and external business environment, potential blind spots with regard to cybersecurity, and your ability to execute the cybersecurity-related parts of the plan. Analysis of these factors is the basis for managing strategic cybersecurity-related risk in your organization.
Q5. Decisions on which key cybersecurity processes will be accomplished by your workforce and which externally should consider your core competencies and those of potential suppliers and partners. These decisions are strategic and involve protecting intellectual property, capitalizing on core competencies, and mitigating risk.

10 Baldrige Cybersecurity Excellence Builder


2.2 Strategy Implementation: How do you implement the cybersecurity-related
elements of your strategy?
(1) What are your KEY short- and longer-term CYBERSECURITY-related ACTION PLANS?
(2) HOW do you DEPLOY your CYBERSECURITY-related ACTION PLANS?
(3) HOW do you ensure that financial and other resources are available to support the achievement of your
CYBERSECURITY-related ACTION PLANS while you meet current obligations?

(4) What are your KEY WORKFORCE plans to support your short- and longer-term CYBERSECURITY-related STRATEGIC
OBJECTIVES and ACTION PLANS?

(5) What KEY PERFORMANCE MEASURES or INDICATORS do you use to track the achievement and EFFECTIVENESS of your
CYBERSECURITY-related ACTION PLANS?

(6) For these KEY PERFORMANCE MEASURES or INDICATORS, what are your PERFORMANCE PROJECTIONS for your short-
and longer-term planning horizons?
(7) HOW do you recognize and respond when circumstances require a shift in CYBERSECURITY-related plans and rapid
execution of new plans?


Notes
2.2. The development and deployment of your cybersecurity strategy (described in item 2.1) and action plans are closely linked to other items. The following are examples of key linkages:
• Item 1.1: how your leaders communicate organizational direction with regard to cybersecurity
• Category 3: how you gather internal and external customer knowledge as input to your strategy and action plans and to use in deploying action plans
• Category 4: how you measure and analyze cybersecurity data and manage cybersecurity knowledge to support key information needs, support the development of your strategy, provide an effective basis for cybersecurity performance measurements, and track progress on achieving cybersecurity-related strategic objectives and action plans
• Category 5: how you meet cybersecurity workforce capability and capacity needs; determine cybersecurity-related development and learning needs, and design your workforce development and learning system accordingly; and implement workforce-related changes resulting from action plans
• Category 6: how you address changes to your cybersecurity work processes resulting from action plans
• Item 7.5: specific accomplishments on the cybersecurity-related elements of your strategy and action plans



3 Customers
Cybersecurity risk can harm your ability to gain and retain customers, who are the ultimate judges of the quality of your
organization’s products and services. Thus, your organization must consider all cybersecurity-related policies, operations, and
modes of access and support that contribute value to your customers.
What to measure? See item 7.2, Customer Results.

3.1 Customer Expectations: How do you listen to your customers and
determine their cybersecurity-related satisfaction?
(1) HOW do you listen to, interact with, and observe internal and external CUSTOMERS to obtain actionable information on
their CYBERSECURITY-related requirements and expectations?
(2) HOW do you determine internal and external CUSTOMERS’ satisfaction and dissatisfaction with your organization’s
CYBERSECURITY policies and operations?

(3) HOW do you determine the impact of your organization’s CYBERSECURITY policies and operations on CUSTOMER
ENGAGEMENT?

(4) HOW do you use VOICE-OF-THE-CUSTOMER data and information to support fact-based decision making on
CYBERSECURITY policies and operations?


Notes
3.1. In gathering customer expectations, you might gather and integrate various types of customer data, such as survey data, focus group findings, data from social media, and complaint data.

Q2. You might use any or all of the following to determine customer satisfaction and dissatisfaction: surveys, formal and informal feedback, customer account histories, complaints, customer referral rates, and transaction completion rates.

Q3. Customer engagement is your customers’ investment in or commitment to your brand and product/service offerings. It is based on your ongoing ability to serve their needs and build relationships so that they will continue using your products. Characteristics of engaged customers include retention, brand loyalty, willingness to make an effort to do business—and increase their business—with you, and willingness to actively advocate for and recommend your brand and product/service offerings.



3.2 Customer Engagement: How do you build relationships with internal and
external customers around cybersecurity?
(1) HOW do you build and manage internal and external CUSTOMER relationships to retain CUSTOMERS, meet their
requirements, and exceed their expectations with regard to CYBERSECURITY?
(2) HOW do you enable internal and external CUSTOMERS to seek information and support related to your
CYBERSECURITY policies and operations?

(3) HOW do you ensure that internal and external CUSTOMERS understand and fulfill their CYBERSECURITY roles and
responsibilities?
(4) HOW do you manage internal and external CUSTOMER complaints about your CYBERSECURITY policies and
operations?


Note
Q2. Your approach to enabling customers to seek information and support should include provisions to protect privacy and civil liberties when personal information is used, collected, processed, maintained, or disclosed in connection with your organization’s cybersecurity activities. Some examples of activities with privacy or civil liberties considerations include cybersecurity activities that may result in the overcollection or overretention of personal information; disclosure or use of personal information unrelated to cybersecurity activities; and cybersecurity mitigation activities that result in denial of service or other similar potentially adverse impacts, including incident detection or monitoring that may impact freedom of expression or association.

Privacy principles to consider incorporating in cybersecurity policies and operations include establishing and maintaining a privacy program that ensures compliance with applicable requirements, coordination between privacy and other organizational programs, and integration of privacy policy regarding what privacy-related data may be used by whom and for what purposes (see Security and Privacy Controls for Information Systems and Organizations, SP 800-53 Rev. 5 (Draft), https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draft).



4 Measurement, Analysis, and Knowledge Management
This category is the “brain center” for aligning your cybersecurity operations with your objectives. Measuring and analyzing how
your organization is performing on a comprehensive yet carefully culled set of cybersecurity-related measures helps you make
decisions that improve performance.
What to measure? Q2 and Q3 ask for your key cybersecurity performance measures, including your key financial measures.
See the notes to Q2 and Q3 for an explanation.

4.1 Measurement, Analysis, and Improvement of Performance: How do you
measure, analyze, and then improve cybersecurity-related performance?
(1) HOW do you track data and information on daily CYBERSECURITY operations and overall CYBERSECURITY
PERFORMANCE?

(2) What are your KEY CYBERSECURITY PERFORMANCE MEASURES, including your KEY financial MEASURES for your
CYBERSECURITY operations?

(3) What are your KEY MEASURES for the impact of CYBERSECURITY PERFORMANCE on your organization’s overall
KEY PERFORMANCE MEASURES?

(4) HOW do you select comparative data and information to support fact-based decision making on CYBERSECURITY
policies and operations?
(5) HOW do you ensure that your measurement of CYBERSECURITY PERFORMANCE can respond to rapid or unexpected
organizational or external changes and provide timely data?
(6) HOW do you review your organization’s CYBERSECURITY PERFORMANCE and capabilities?
(7) HOW do you project your organization’s future CYBERSECURITY PERFORMANCE?
(8) HOW do you use findings from PERFORMANCE reviews to develop priorities for continuous improvement and
opportunities for INNOVATION in your CYBERSECURITY policies and operations?


Notes
4.1. This item asks how you measure and analyze cybersecurity-related performance as part of your organization’s overall performance measurement and analysis system. The questions are closely linked to each other and to other items:
• Your measurement of cybersecurity performance (Q1–Q5) should inform your reviews (Q6).
• Your key cybersecurity performance measures are those that are critical to achieving your cybersecurity-related strategic objectives (item 2.1, Q6).
• Your performance reviews (Q6) should reflect your cybersecurity-related strategic objectives and action plans (category 2), and the results of cybersecurity performance analysis and review should inform your strategy development and implementation, your priorities for improvement, and your opportunities for innovation (Q7, Q8).
• Your performance results should be reported in items 7.1–7.5.

Q2. Depending on your organization’s strategy and goals, these might include measures of customer and process performance; operational performance; supplier, workforce, partner, cost, and financial performance; and governance and compliance results.

Q2, Q3. Key financial measures might include measures of performance to budget. Measures for the impact of cybersecurity performance on your organization’s overall performance might include the financial impact of cybersecurity operations and incidents on organization-wide operations, as well as on your ability to meet customer and stakeholder requirements and business objectives. See the notes to item 7.5 for examples.

Q4. Organizations obtain comparative data and information by benchmarking and by seeking competitive comparisons. Benchmarking is identifying processes and results that represent best practices and performance for similar activities, inside or outside your industry. Competitive comparisons relate your performance to that of competitors and other organizations providing similar products and services.



4.2 Knowledge Management: How do you manage your organization’s
cybersecurity-related knowledge assets?
(1) HOW do you verify and ensure the quality of organizational data and information related to CYBERSECURITY?
(2) How do you ensure the availability of organizational data and information related to CYBERSECURITY?
(3) HOW do you build, manage, and update your organization’s CYBERSECURITY-related knowledge and awareness?
(4) HOW do you share CYBERSECURITY best practices in your organization and with CUSTOMERS, suppliers, PARTNERS, and
COLLABORATORS, as appropriate?

(5) HOW do you use your knowledge and resources to embed LEARNING in the way your CYBERSECURITY operations
function?


Notes
Q3. Building, managing, and updating cybersecurity-related knowledge allows you to maintain your organization’s awareness of a continually changing cybersecurity threat environment. It involves collecting and transferring workforce knowledge related to cybersecurity; blending and correlating cybersecurity-related data from different sources to build new knowledge; transferring relevant cybersecurity-related knowledge from and to customers, suppliers, partners, and collaborators; and assembling and transferring relevant cybersecurity-related knowledge for use in innovation and strategic planning processes.

Sources for building and updating your organization’s cybersecurity-related knowledge and awareness may include, for example, cybersecurity information learned from other organizations, service tickets reported to the help desk, lessons learned from recovery exercises, and data reported by customers. An important element of cybersecurity risk management includes the ability to predict and avoid cybersecurity incidents based on lessons learned and/or information shared by partners and others.

Q5. Embedding learning in the way your cybersecurity operations function means that learning (1) is a part of everyday cybersecurity work; (2) results in solving problems at their source; (3) is focused on building and sharing cybersecurity knowledge throughout your organization; and (4) is driven by opportunities to bring about significant, meaningful change and to innovate with regard to cybersecurity. Organizational learning takes place when processes intentionally include mechanisms that monitor performance and conformance, identify improvement targets, analyze gaps, and prioritize improvements.



5 Workforce
Success in achieving your cybersecurity-related objectives depends on an engaged workforce—including workforce members
involved directly in cybersecurity-related operations and members of your overall workforce. Workforce members benefit from
meaningful work, clear organizational direction, the opportunity to learn, and accountability for performance.
What to measure? See item 7.3, Workforce Results.

5.1 Workforce Environment: How do you build an effective and supportive
environment for your cybersecurity workforce?
(1) HOW do you assess your CYBERSECURITY WORKFORCE CAPABILITY and CAPACITY needs?
(2) HOW do you recruit, hire, onboard, and retain new CYBERSECURITY WORKFORCE members?
(3) HOW do you prepare your CYBERSECURITY WORKFORCE for changing CAPABILITY and CAPACITY needs?
(4) HOW do you organize and manage your CYBERSECURITY WORKFORCE to establish roles and responsibilities?


Notes
5.1. The questions in this item refer to your cybersecurity workforce. See item 5.2 for questions on your entire workforce.

5.1. Your cybersecurity workforce consists of the people actively involved in accomplishing your organization’s cybersecurity work. It includes permanent, temporary, and part-time personnel, as well as any contract employees you supervise. It includes team leaders, supervisors, and managers at all levels. Suppliers and people supervised by a contractor should be addressed in categories 2 and 6.

Q1. Cybersecurity workforce capability is your organization’s ability to carry out its cybersecurity work processes through its people’s knowledge, skills, abilities, and competencies. Cybersecurity workforce capacity is your organization’s ability to ensure sufficient staffing levels to carry out its cybersecurity work processes, including the ability to meet seasonal or varying demand levels. In assessing your capability and capacity needs, you should consider not only current needs but also future requirements based on the strategic objectives and action plans you identify in category 2.

Q3. Preparing your cybersecurity workforce for changing capability and capacity needs involves ensuring continuity, preventing workforce reductions, and minimizing the impact of any reductions that occur. It also involves preparing for and managing any periods of workforce growth, as well as preparing your workforce for changes in organizational structure and work systems, as needed.



5.2 Workforce Engagement: How do you engage your workforce for high
performance in support of cybersecurity policies and operations?
(1) HOW do you assess the ENGAGEMENT of your organization’s overall WORKFORCE in CYBERSECURITY matters?
(2) HOW do you foster an organizational culture that is characterized by open communication, HIGH PERFORMANCE, and
ENGAGEMENT in CYBERSECURITY matters?

(3) HOW does your WORKFORCE PERFORMANCE management system support HIGH PERFORMANCE in fulfilling
CYBERSECURITY roles and responsibilities?

(4) HOW does your CYBERSECURITY LEARNING and development system support your organization’s needs, and support
WORKFORCE members in fulfilling their CYBERSECURITY roles and responsibilities?

(5) HOW do you evaluate the EFFECTIVENESS and efficiency of your CYBERSECURITY LEARNING and development system?
(6) HOW do you carry out succession planning for KEY CYBERSECURITY management, leadership, and other KEY
positions?


Notes
5.2. The questions in this item refer to your organization’s entire workforce.

Q1. Drivers of workforce engagement (identified in C.1a[3]) refer to the drivers of workforce members’ commitment, both emotional and intellectual, to accomplishing the organization’s work (including cybersecurity-related work), mission, and vision.

Q2. Fostering such a culture includes empowering your workforce and ensuring a safe, trusting, and cooperative environment.

Q3. Your workforce performance management system should consider compensation, reward, recognition, and retention practices. It should reinforce intelligent risk taking, a customer and business focus, and achievement of your action plans.

Q4. Learning and development needs include the knowledge, skills, and abilities workforce members need to fulfill their cybersecurity roles and responsibilities. Organizations benefit when an understanding of these needs becomes part of the organizational culture, evolving from lessons learned from previous security activities, information shared by other sources, and continuous awareness of activities on their systems and networks.



6 Operations
Designing, managing, and improving your cybersecurity-related operations for effectiveness and efficiency helps you achieve your
cybersecurity-related objectives, in turn supporting your organization’s overall goals and objectives.
What to measure? See item 7.1, Cybersecurity Process Results.

6.1 Work Processes: How do you design, manage, and improve your key
cybersecurity work processes?
a. CYBERSECURITY PROCESS Design, Management, and Improvement
(1) HOW do you determine the requirements for your KEY CYBERSECURITY WORK PROCESSES (listed in sections b–d)?
(2) HOW do you design your CYBERSECURITY WORK PROCESSES to meet requirements?
(3) HOW does your day-to-day operation of CYBERSECURITY WORK PROCESSES ensure that they meet KEY PROCESS
requirements?
(4) HOW do you determine the KEY support PROCESSES that enable your CYBERSECURITY operations?
(5) HOW do you improve your CYBERSECURITY WORK PROCESSES to improve their PERFORMANCE and reduce variability?
(6) HOW do you pursue opportunities for INNOVATION in your CYBERSECURITY operations?
b. PROTECTION
(1) HOW do you limit access to physical and logical assets and associated facilities to authorized users, PROCESSES, and
devices consistent with the risk of unauthorized access?
(2) HOW do you manage information and records (data) consistent with your risk strategy to PROTECT the
confidentiality, integrity, and availability of information?
(3) HOW do you maintain and use security policies (addressing purpose, scope, roles, responsibilities, management
commitment, and coordination among organizational entities), PROCESSES, and procedures to manage PROTECTION of
information systems and assets?
(4) HOW do you maintain and repair industrial control and information system components consistent with policies and
procedures?
(5) HOW do you manage technical security solutions to ensure the security and resilience of systems and assets
consistent with related policies, procedures, and agreements?
c. DETECTION
(1) HOW do you DETECT anomalies in a timely manner and assess the potential impact of CYBERSECURITY EVENTS?
(2) HOW do you monitor information systems and assets to identify CYBERSECURITY EVENTS and verify the effectiveness of
protective measures?
(3) HOW do you maintain and test DETECTION PROCESSES and procedures to ensure awareness of anomalies?
d. RESPONSE
(1) HOW do you execute and maintain RESPONSE PROCESSES and procedures to ensure RESPONSE to detected
CYBERSECURITY EVENTS?

(2) HOW do you coordinate RESPONSE activities with other WORKFORCE units, CUSTOMERS, and STAKEHOLDERS, as
appropriate, including external law enforcement agencies?
(3) HOW do you analyze your RESPONSE activities to ensure EFFECTIVE RESPONSE and support RECOVERY activities?
(4) HOW do you prevent expansion of an event, mitigate its effects, and resolve the incident?



e. RECOVERY
(1) HOW do you execute and maintain RECOVERY PROCESSES and procedures to ensure restoration of systems or assets
affected by CYBERSECURITY incidents?
(2) HOW do you coordinate RECOVERY activities with other WORKFORCE units, CUSTOMERS, and STAKEHOLDERS, such as
coordinating centers, Internet service providers, owners of attacking systems, victims, other computer security incident
RESPONSE teams, and vendors?


Notes
6.1a(1), 6.1a(2). The design of your key cybersecurity work processes should consider your customers’ and stakeholders’ requirements and expectations of your organization.

6.1a(3). To ensure that the operation of cybersecurity work processes meets requirements, an organization would establish key performance measures or in-process measures, monitor them, and use the results (see item 7.1) to control and improve the processes.

6.1a(4). Support processes might include, for example, physical security, human resources, and procurement.

6.1a(5). To improve process performance and reduce variability, you might implement approaches such as a Lean Enterprise System, Six Sigma methodology, ISO quality system standards, PDCA methodology, decision sciences, or other process improvement tools. These approaches might be part of the performance improvement system you describe in C.2c in the Organizational Context section.

6.1b–6.1e. The Cybersecurity Framework Core includes the functions of Identify, Protect, Detect, Respond, and Recover (identified as key work processes in this item). These functions organize basic cybersecurity activities at their highest level. The Core identifies underlying key categories and subcategories for each function, and matches them with examples of informative references, such as existing standards, guidelines, and practices. Protect, Detect, Respond, and Recover are covered in this item. The Identify function is covered by questions in the Organizational Context and in categories 1, 2, 3, and 5.

6.1b–6.1e. Your responses should include aspects of your work processes that involve external suppliers and partners, such as third-party connections into your organization’s networks and systems.



6.2 Operational Effectiveness: How do you ensure effective management
of your cybersecurity operations?
a. PROCESS Efficiency and Effectiveness
(1) HOW do you manage the cost and efficiency of your CYBERSECURITY operations?
(2) HOW do you ensure that your CYBERSECURITY operations consider their impact on and align with your
organization’s overall operations?
b. Supply-Network Management
(1) HOW do you select and prioritize suppliers that are qualified and positioned to meet your CYBERSECURITY needs and
achieve your CYBERSECURITY objectives?
(2) HOW do you promote ALIGNMENT and collaboration on CYBERSECURITY within your supply network?
(3) How do you ensure supply-network agility in responding to changes in CUSTOMER, market, and organizational
CYBERSECURITY requirements?

(4) HOW do you communicate CYBERSECURITY PERFORMANCE expectations, measure and evaluate suppliers’
PERFORMANCE, provide feedback to help them improve, and deal with poorly performing suppliers?

c. Safety and Emergency Management
(1) HOW do you ensure that your CYBERSECURITY operations consider and align with your organization’s overall
operational safety system?
(2) HOW do you ensure that your organization incorporates CYBERSECURITY-related considerations and operations in its
preparation for disasters or emergencies?
(3) In the event of an emergency, HOW do you ensure that systems and assets continue to be secure and available to serve
CUSTOMERS and business needs?


Notes
6.2a. Managing efficiency includes
• incorporating cycle time, productivity, and other efficiency and effectiveness factors into your work processes;
• preventing rework; and
• balancing the need for cost control and efficiency with the cybersecurity needs of your organization and customers.

6.2b. Your supply network (see also C.1b[3] in the Organizational Context section) consists of the entities involved in producing your products and services (including your cybersecurity operations) and delivering them to your customers. Increasingly, these entities are interlinked and exist in interdependent rather than linear relationships. The term supply network, rather than supply chain, emphasizes the interdependencies among organizations and their suppliers.

6.2b(4). Your monitoring of supplier effectiveness should relate to achievement of the key requirements described in 6.1, including methods for periodically reviewing supplier performance to confirm that they are performing cybersecurity responsibilities assigned to them and contributing to the achievement of cybersecurity-related objectives.

6.2c. Your preparation for disasters and emergencies should consider all systems and assets that are needed to provide your products and services to customers, including supply-network availability. It should also consider the extent to which your organization is part of customers’ critical infrastructure.



7 Results
Results provide data and information (measures of progress) for evaluating, improving, and innovating cybersecurity-related
processes, policies, and operations in alignment with your cybersecurity and organizational strategy.

7.1 Cybersecurity Process Results: What are your cybersecurity performance and
process effectiveness results?
(1) What are your RESULTS for the PROTECTION of your systems and assets?
(2) What are your RESULTS for the DETECTION of CYBERSECURITY EVENTS?
(3) What are your RESULTS for your RESPONSE to CYBERSECURITY EVENTS?
(4) What are your RESULTS for your RECOVERY from CYBERSECURITY EVENTS?
(5) What are your PROCESS EFFECTIVENESS and efficiency RESULTS for your CYBERSECURITY operations?
(6) What are your emergency preparedness RESULTS for your CYBERSECURITY operations?
(7) What are your RESULTS for suppliers’ and PARTNERS’ understanding and fulfillment of their CYBERSECURITY roles and
responsibilities?
(8) What are your RESULTS for management of your CYBERSECURITY supply network?


Notes
7. The results you report in items 7.1–7.5 should provide key information for analyzing and reviewing your cybersecurity-related performance (item 4.1), demonstrate use of cybersecurity knowledge (item 4.2), and provide the operational basis for customer-focused results (item 7.2) and financial results (item 7.5). There is not a one-to-one correspondence between results items and categories 1–6. Results should be considered systemically. Contributions to individual results items frequently stem from processes in more than one category.

Q1–Q8. The results you report here should address the key operational requirements you identify in the Organizational Context section and in category 6.

Q1. Results for the protection of systems and assets should relate to the protection processes you describe in category 6. These results might include, for example, the percentage of devices and/or software accurately recorded in inventory, the percentage of devices configured according to policy, the percentage of critical information servers supported by strong authentication, the number of business systems securely hosted in an approved cloud environment, and the number of facilities with Personal Identity Verification (PIV)-based electronic locks.

Q2. Results for the detection of cybersecurity events should relate to the detection processes you report in category 6. These results might include, for example, the number of anomalies detected, investigated, and resolved, and the percentage of planned vulnerability mitigation actions effectively completed.

Q3. Results for your response to cybersecurity events should relate to the response processes you report in category 6. These results might include, for example, incident recovery and response time, number of disaster recovery incidents, and number of reports shared with Information Sharing and Analysis Organizations or other appropriate third parties.

Q4. Results for your recovery from cybersecurity events should relate to the recovery processes you report in category 6. These results might include, for example, the time to restore lost availability, the time to access alternate availability mechanisms and restore services, and results of efforts to restore your organization’s reputation.

Q5. Process effectiveness and efficiency results for your cybersecurity operations might include ensuring that security and other requirements are considered at the design phase, avoiding costly mitigation through prevention of vulnerabilities, and reduction of incidents based on effective training of expectations and responsibilities.

Q6. Emergency preparedness results might include the cybersecurity operation’s response times for emergency drills or exercises and results for work relocation or contingency exercises.

Q8. Results for cybersecurity supply-network performance might include the percentage of contracts that include cybersecurity monitoring and reporting requirements; supplier and partner audits; and acceptance results for externally provided services and processes, as well as improvements in downstream supplier services to customers.



7.2 Customer Results: What are your customer-focused cybersecurity
performance results?
(1) What are your RESULTS for your internal and external CUSTOMERS’ satisfaction and dissatisfaction with your
CYBERSECURITY policies and operations?

(2) What are your RESULTS for the impact of your organization’s CYBERSECURITY policies and operations on CUSTOMER
ENGAGEMENT?

(3) What are your RESULTS for your internal and external CUSTOMERS’ understanding and fulfillment of their
CYBERSECURITY roles and responsibilities?


Notes
7.2. Results for customer satisfaction, dissatisfaction, and engagement should relate to the customer groups you identify in C.1b(2) and to the listening and determination methods you report in item 3.1.

Q1. Results might include, for example, survey results on customer satisfaction and dissatisfaction with cybersecurity and privacy, and the number of complaints about cybersecurity-related issues.

Q2. Results might include, for example, those for the impact of cybersecurity policies and procedures, incidents, and responses to incidents on customer loyalty, retention, and willingness to recommend.

Q3. Results might include, for example, the number of potential incidents reported by external customers, the requirements for service-level agreements regarding recovery of critical customer systems, the percentage of customers who have changed their passwords regularly or within a specified time period, and the number of customer systems applying multifactor (strengthened) authentication.



7.3 Workforce Results: What are your workforce-focused cybersecurity
performance results?
(1) What are your CAPABILITY and CAPACITY RESULTS for your CYBERSECURITY WORKFORCE?
(2) What are your RESULTS for the ENGAGEMENT of your WORKFORCE in CYBERSECURITY matters?
(3) What are your RESULTS for WORKFORCE members’ fulfillment of their CYBERSECURITY roles and responsibilities?
(4) What are your WORKFORCE and leader development RESULTS related to CYBERSECURITY?

Terms in SMALL CAPS are defined in the Glossary of Key Terms (pages 28–29).

Notes
7.3. Results reported in this item should relate to the processes you report in category 5. Your results should also respond to the key work process needs you report in category 6 and to the action plans you report in item 2.2.

Q1. Results might include, for example, the number of qualified referrals received through employee recommendations, the percentage of cybersecurity vacancies remaining open for a specified number of days, and the percentage of staff members who have achieved necessary qualifications (e.g., Certified Information Security Manager [CISM], Certified Information Systems Security Professional [CISSP]).

Q2. Results should relate to the workforce engagement drivers you describe in C.1a(3) and the methods of assessing engagement you describe in item 5.2.

Q3. Results might include the percentage of employees who follow specific cybersecurity policies and practices, such as those who observe your organization’s password practices.

Q4. Results might include, for example, the percentage of employees who complete role-specific cybersecurity training, cybersecurity management training hours per full-time equivalent, the percentage of employees trained on incident handling, the percentage of employees trained to recognize and avoid email scams, the percentage of employees trained on how to secure an email browser, and the number of employees trained on use of guidelines for cell phone and personal device security.



7.4 Leadership and Governance Results: What are your cybersecurity
leadership and governance results?
(1) What are your RESULTS for leaders’ communication and engagement with your organization’s other leaders, your
WORKFORCE, and your KEY CUSTOMERS and STAKEHOLDERS regarding CYBERSECURITY?

(2) What are your RESULTS for GOVERNANCE accountability related to CYBERSECURITY?
(3) What are your legal and regulatory RESULTS related to CYBERSECURITY?
(4) What are your RESULTS for ETHICAL BEHAVIOR related to CYBERSECURITY?
(5) What are your RESULTS for support of the CYBERSECURITY infrastructure of your KEY communities?

Terms in SMALL CAPS are defined in the Glossary of Key Terms (pages 28–29).

Notes
Q1. Responses should include results relating to the communication processes you identify in item 1.1.

Q2. Responses should include results relating to the governance processes you describe in item 1.2. These results might include financial statement issues and risks, important internal and external auditor recommendations, and management’s responses to these matters.

Q3. Legal and regulatory results should relate to the processes and measures you describe in item 1.2. Examples might be the percentage of business systems in compliance with legal and regulatory requirements, the number of compliance breaches, and the frequency of warnings/violation notices for cybersecurity infractions.

Q4. Responses should relate to the processes for ensuring ethical behavior that you identify in item 1.2.

Q5. Results for support of the cybersecurity infrastructure of your key communities might include the extent of external participation and collaboration to improve cybersecurity and results showing its effectiveness (e.g., improved detection using shared indicators of compromise).

7.5 Financial and Strategy Results: What are your cybersecurity-related
financial and strategy performance results?
(1) What are your financial and budgetary PERFORMANCE RESULTS for your CYBERSECURITY operations?
(2) What are your RESULTS for the impact of CYBERSECURITY costs on your organization’s overall financial
PERFORMANCE?

(3) What are your RESULTS for the achievement of your CYBERSECURITY strategy and ACTION PLANS?

Terms in SMALL CAPS are defined in the Glossary of Key Terms (pages 28–29).

Notes
7.5. Results should relate to the financial measures you report in item 4.1 and the financial management approaches you report in item 2.2.

Q1. Examples might include cybersecurity spending as a percentage of the IT budget, cost performance to budget, and lowering of costs as a result of increased efficiency.

Q2. Examples might include cost savings or losses avoided (e.g., fines for nonconformance) produced by the information security program or through costs incurred from addressing information security events, cost/schedule variance in information security activities, and the impact of the cost of cybersecurity breaches on your organization’s other financial results.

Q3. Results for strategy and action plan achievement should relate to the strategic objectives and goals you report in item 2.1 and the action plan performance measures you report in item 2.2.



Assessing Your Responses
1. For each item (e.g., 1.1, 1.2) in categories 1–7 of the Baldrige Cybersecurity Excellence Builder, use the process and results
rubrics on pages 26–27 to assign a descriptor (Reactive, Early, Developing, Mature, Leading, or Exemplary) for each
evaluation factor.
For processes (categories 1–6), the evaluation factors are approach, deployment, learning, and integration (ADLI):
• Approach consists of the methods used to carry out a process, the degree to which your approach is systematic (i.e.,
repeatable and based on reliable data and information), the appropriateness of these methods to the item questions
and your operating environment, and the effectiveness of your use of the methods.
• Deployment is the extent to which your approach is applied consistently and the extent to which it is used by all
appropriate work units.
• Learning is the refinement of your approach through cycles of evaluation and improvement, the encouragement of
breakthrough change to your approach through innovation, and the sharing of refinements and innovations with other
relevant work units and processes in your organization.
• Integration is the extent to which your approach is aligned with the organizational needs identified in the Organizational
Context section and in other process items. Integration also includes the extent to which your measures, information, and
improvement systems are complementary across processes and work units, and the extent to which your plans,
processes, results, analyses, learning, and actions are harmonized across processes and work units to support
organization-wide goals.
For results (category 7), the evaluation factors are levels, trends, comparisons, and integration (LeTCI; “let’s see”).
• Levels are your current performance on a meaningful measurement scale.
• Trends are your rate of performance improvement or continuation of good performance in areas of importance (i.e.,
the slope of data points over time).
• Comparisons are your performance relative to that of other, appropriate organizations, such as competitors or
organizations similar to yours, and your performance relative to industry leaders or relevant benchmarks.
• Integration is the extent to which your results address important performance requirements relating to customers,
products/services, markets, processes, and action plans identified in the Organizational Context section and in the process
items (categories 1–6). It also includes the extent to which your results reflect harmonization across your processes and
work units to support organization-wide goals.
2. Indicate the importance (high, medium, or low) of each item to the successful management of cybersecurity within
your organization.
3. Prioritize your actions.
Celebrate the strengths of your cybersecurity risk management program, and build on them to improve what you do well.
Sharing the things you do well with the rest of your organization can speed improvement.
Prioritize your opportunities for improvement; you cannot do everything at once. Think about what is most important for
your organization as a whole at this time, balancing the differing needs and expectations of your stakeholders, and decide
what to work on first. Look at the next level in the rubric for how you might improve. Develop an action plan, implement it,
and measure your progress.



Assessment Rubric
Process (Categories 1–6)

Each maturity level is described by the four evaluation factors: Approach, Deployment, Learning, and Integration.

Reactive
• Approach: CYBERSECURITY-related policies/operations are characterized by activities created to fix problems rather than by PROCESSES.
• Deployment: CYBERSECURITY-related APPROACHES are not used consistently in appropriate organizational units or by CUSTOMERS, PARTNERS, and suppliers, as appropriate.
• Learning: Improvement in CYBERSECURITY-related policies/operations is achieved mainly in reaction to immediate needs or problems.
• Integration: There is no coordination among CYBERSECURITY-related policies/operations in different parts of your organization or between CYBERSECURITY-related policies/operations and those of the rest of the organization; individual areas or work units operate independently.

Early
• Approach: CYBERSECURITY-related policies/operations are beginning to be carried out with well-ordered, repeatable APPROACHES.
• Deployment: KEY CYBERSECURITY-related APPROACHES are beginning to be used consistently in appropriate organizational units and by CUSTOMERS, PARTNERS, and suppliers, as appropriate.
• Learning: CYBERSECURITY-related policies/operations are in the early stages of a transition from reacting to problems to a general improvement orientation.
• Integration: CYBERSECURITY-related APPROACHES are ALIGNED with other areas or work units, and with organization-wide APPROACHES, largely through joint problem solving.

Developing
• Approach: Some elements of CYBERSECURITY-related policies/operations are characterized by EFFECTIVE, well-ordered, repeatable APPROACHES.
• Deployment: KEY CYBERSECURITY-related APPROACHES are used consistently in appropriate organizational units and by CUSTOMERS, PARTNERS, and suppliers, as appropriate, although some are in the early stages of use.
• Learning: CYBERSECURITY-related policies/operations are beginning to be SYSTEMATICALLY evaluated and improved.
• Integration: CYBERSECURITY-related APPROACHES are beginning to be ALIGNED among work units and with your organization’s basic needs.

Mature
• Approach: Many elements of CYBERSECURITY-related policies/operations are characterized by EFFECTIVE, well-ordered, repeatable APPROACHES.
• Deployment: KEY CYBERSECURITY-related APPROACHES are used consistently in appropriate organizational units and by CUSTOMERS, PARTNERS, and suppliers, as appropriate, although use may vary in some areas or work units.
• Learning: CYBERSECURITY-related policies/operations are SYSTEMATICALLY evaluated for improvement, and learnings are shared, with some INNOVATION.
• Integration: CYBERSECURITY-related APPROACHES are ALIGNED among work units and with your organization’s overall needs.

Leading
• Approach: Most elements of CYBERSECURITY-related policies/operations are characterized by EFFECTIVE, well-ordered, repeatable APPROACHES.
• Deployment: KEY CYBERSECURITY-related APPROACHES are used consistently in most appropriate organizational units and by CUSTOMERS, PARTNERS, and suppliers, as appropriate, with no significant gaps.
• Learning: CYBERSECURITY-related policies/operations seek and achieve efficiencies through analysis, INNOVATION, and the sharing of information and knowledge.
• Integration: CYBERSECURITY-related policies/operations in different units work mainly in harmony with each other and with current and future organizational needs defined by your organization.

Exemplary
• Approach: All elements of CYBERSECURITY-related policies/operations are characterized by EFFECTIVE, well-ordered, repeatable APPROACHES.
• Deployment: KEY CYBERSECURITY-related APPROACHES are used consistently in all appropriate organizational units and by CUSTOMERS, PARTNERS, and suppliers, as appropriate.
• Learning: Fact-based, SYSTEMATIC evaluation and improvement and organizational LEARNING through INNOVATION are KEY tools; CYBERSECURITY-related policies/operations are characterized by refinement and INNOVATION, backed by ANALYSIS and sharing.
• Integration: CYBERSECURITY-related policies/operations in different units work in total harmony with each other and with current and future organizational needs defined by your organization.

Results (Category 7)

Each maturity level is described by the four evaluation factors: Levels, Trends, Comparisons, and Integration.

Reactive
• Levels: CYBERSECURITY-related RESULTS are frequently missing, poor, or not used.
• Trends: CYBERSECURITY-related RESULTS are not tracked over time or have not improved.
• Comparisons: Available comparative information is not tracked.
• Integration: CYBERSECURITY-related RESULTS that are important to your organization’s ongoing success are not tracked.

Early
• Levels: A few CYBERSECURITY-related RESULTS are tracked, and they show early good performance LEVELS.
• Trends: Some TREND data are tracked, and some show improvement over time.
• Comparisons: Little or no available comparative information is tracked.
• Integration: A few CYBERSECURITY-related RESULTS that are important to your organization’s ongoing success are tracked.

Developing
• Levels: Some CYBERSECURITY-related RESULTS are tracked, and they show good performance LEVELS.
• Trends: Some TREND data are tracked, and most show improvement over time.
• Comparisons: Some available comparative information is tracked.
• Integration: Many CYBERSECURITY-related RESULTS that are important to your organization’s ongoing success are tracked.

Mature
• Levels: Many CYBERSECURITY-related RESULTS are tracked, and they show good PERFORMANCE LEVELS.
• Trends: CYBERSECURITY-related RESULTS show improvement or sustained high PERFORMANCE over time in some areas of importance to your organization’s ongoing success.
• Comparisons: Some CYBERSECURITY-related RESULTS show good PERFORMANCE relative to available information on competitors, other relevant organizations, or BENCHMARKS.
• Integration: Many CYBERSECURITY-related RESULTS that are important to your organization’s ongoing success are tracked. RESULTS are beginning to be used in decision making.

Leading
• Levels: Most CYBERSECURITY-related RESULTS are tracked, and they show good-to-excellent performance LEVELS.
• Trends: Most CYBERSECURITY-related RESULTS show improvement or sustained high PERFORMANCE over time in most areas of importance to your organization’s ongoing success.
• Comparisons: Many CYBERSECURITY-related RESULTS show good PERFORMANCE relative to available information on competitors, other relevant organizations, or BENCHMARKS.
• Integration: Most CYBERSECURITY-related RESULTS that are important to your organization’s ongoing success are tracked. The RESULTS are used in decision making.

Exemplary
• Levels: The full array of CYBERSECURITY-related RESULTS is tracked, indicating top PERFORMANCE.
• Trends: The full array of CYBERSECURITY-related RESULTS is TRENDED over time, indicating improvement or sustained high PERFORMANCE in all areas of importance to your organization’s ongoing success.
• Comparisons: CYBERSECURITY-related RESULTS indicate top PERFORMANCE relative to information on other organizations or BENCHMARKS.
• Integration: Most CYBERSECURITY-related RESULTS that are important to your organization’s ongoing success are tracked, including PROJECTIONS of future RESULTS. The RESULTS are used in decision making.
Glossary of Key Terms
The terms below are those in SMALL CAPS in the Baldrige Cybersecurity Excellence Builder
categories and assessment rubric.

ACTION PLANS. Specific actions that your organization takes to reach its strategic objectives. These plans specify the resources committed to and the time horizons for accomplishing the plans. See also STRATEGIC OBJECTIVES.

ALIGNMENT. A state of consistency among plans, processes, information, resource decisions, workforce capability and capacity, actions, results, and analyses that support key organization-wide goals. See also INTEGRATION.

APPROACH. The methods your organization uses to carry out its processes.

BENCHMARKS. Processes and results that represent the best practices and best performance for similar activities, inside or outside your organization’s industry.

COLLABORATORS. Organizations or individuals who cooperate with your organization to support a particular activity or event or who cooperate intermittently when their short-term goals are aligned with or are the same as yours. See also PARTNERS.

CORE COMPETENCIES. Your organization’s areas of greatest expertise; those strategically important capabilities that are central to fulfilling your mission or that provide an advantage in your marketplace or service environment.

CUSTOMER. An actual or potential user of your organization’s products, programs, or services. See also STAKEHOLDERS.

CUSTOMER ENGAGEMENT. Your customers’ investment in or commitment to your brand and product offerings.

CYBERSECURITY. The process of protecting information and assets by preventing, detecting, and responding to attacks.

CYBERSECURITY EVENT. A cybersecurity change that may have an impact on organizational operations (including mission, capabilities, or reputation). A cybersecurity incident is an event that has been determined to have such an effect, prompting the need for response and recovery.

DEPLOYMENT. The extent to which your organization applies an approach in relevant work units throughout your organization.

DETECT. Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. Detect is one of the five functions included in the Cybersecurity Framework Core. The others are Identify, Protect, Respond, and Recover.

EFFECTIVE. How well a process or a measure addresses its intended purpose.

ETHICAL BEHAVIOR. The actions your organization takes to ensure that all its decisions, actions, and stakeholder interactions conform to its moral and professional principles of conduct. These principles should support all applicable laws and regulations and are the foundation for your organization’s culture and values.

GOALS. Future conditions or performance levels that your organization intends or desires to attain. See also PERFORMANCE PROJECTIONS.

GOVERNANCE. The system of management and controls exercised in the stewardship of your organization.

HIGH PERFORMANCE. Ever-higher levels of overall organizational and individual performance, including quality, productivity, innovation rate, and cycle time.

HOW. The systems and processes that your organization uses to achieve its mission requirements.

IDENTIFY. Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. Identify is one of the five functions included in the Cybersecurity Framework Core. The others are Protect, Detect, Respond, and Recover.

INNOVATION. Making meaningful change to improve products/services, processes, or organizational effectiveness and create new value for stakeholders. The outcome of innovation is a discontinuous or breakthrough change.

INTEGRATION. The harmonization of plans, processes, information, resource decisions, workforce capability and capacity, actions, results, and analyses to support key organization-wide goals. See also ALIGNMENT.

KEY. Major or most important; critical to achieving your intended outcome.

KNOWLEDGE ASSETS. Your organization’s accumulated intellectual resources; the knowledge possessed by your organization and its workforce in the form of information, ideas, learning, understanding, memory, insights, cognitive and technical skills, and capabilities.

LEARNING. New knowledge or skills acquired through evaluation, study, experience, and innovation.

LEVELS. Numerical information that places or positions your organization’s results and performance on a meaningful measurement scale.

MEASURES AND INDICATORS. Numerical information that quantifies the input, output, and performance dimensions of processes, products, programs, projects, services, and the overall organization (outcomes).

MISSION. Your organization’s overall function.

PARTNERS. Key organizations or individuals who are working in concert with your organization to achieve a common goal or improve performance. Typically, partnerships are formal arrangements. See also COLLABORATORS.

PERFORMANCE. Outputs and their outcomes obtained from processes, products/services, and customers that permit you to evaluate and compare your organization’s results to performance projections, standards, past results, goals, and other organizations’ results.

PERFORMANCE EXCELLENCE. An integrated approach to organizational performance management that results in (1) delivery of ever-improving value to customers and stakeholders, contributing to ongoing organizational success; (2) improvement of your organization’s overall effectiveness and capabilities; and (3) learning for the organization and for people in the workforce.

PERFORMANCE PROJECTIONS. Estimates of your organization’s future performance. See also GOALS.

PROCESS. Linked activities with the purpose of producing a product or service for a customer (user) within or outside your organization.

PROTECT. Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. Protect is one of the five functions included in the Cybersecurity Framework Core. The others are Identify, Detect, Respond, and Recover.

RECOVER. Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. Recover is one of the five functions included in the Cybersecurity Framework Core. The others are Identify, Protect, Detect, and Respond.

RESPOND. Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. Respond is one of the five functions included in the Cybersecurity Framework Core. The others are Identify, Protect, Detect, and Recover.

RESULTS. Outputs and outcomes achieved by your organization.

SEGMENT. One part of your organization’s customer, market, product offering, or workforce base.

SENIOR LEADERS. Your organization’s senior management group or team.

STAKEHOLDERS. All groups that are or might be affected by your organization’s actions and success. See also CUSTOMER.

STRATEGIC ADVANTAGES. Those marketplace benefits that exert a decisive influence on your organization’s likelihood of future success. These advantages are frequently sources of current and future competitive success relative to other providers of similar products/services.

STRATEGIC CHALLENGES. Those pressures that exert a decisive influence on your organization’s likelihood of future success. These challenges are frequently driven by your organization’s anticipated competitive position in the future relative to other providers of similar products/services.

STRATEGIC OBJECTIVES. The aims or responses that your organization articulates to address major change or improvement, competitiveness or social issues, and business advantages. See also ACTION PLANS.

SYSTEMATIC. Well-ordered, repeatable, and exhibiting the use of data and information so that learning is possible.

TRENDS. Numerical information that shows the direction and rate of change of your organization’s results or the consistency of its performance over time.

VALUE. The perceived worth of a product, process, asset, or function relative to its cost and possible alternatives.

VALUES. The guiding principles and behaviors that embody how your organization and its people are expected to operate.

VISION. Your organization’s desired future state.

VOICE OF THE CUSTOMER. Your process for capturing customer-related information.

WORK PROCESSES. Your organization’s most important internal value-creation processes.

WORKFORCE. All people actively supervised by your organization and involved in accomplishing your organization’s work, including paid employees (e.g., permanent, part-time, temporary, and telecommuting employees, as well as contract employees supervised by your organization) and volunteers, as appropriate.

WORKFORCE CAPABILITY. Your organization’s ability to accomplish its work processes through its people’s knowledge, skills, abilities, and competencies.

WORKFORCE CAPACITY. Your organization’s ability to ensure sufficient staffing levels to accomplish its work processes and deliver your products/services to customers, including the ability to meet seasonal or varying demand levels.

WORKFORCE ENGAGEMENT. The extent of workforce members’ emotional and intellectual commitment to accomplishing your organization’s work, mission, and vision.


User Tools
Benefits of Using the Baldrige Cybersecurity Excellence Builder, by Organizational Role

Board and Executive Management
• Understand how internal and external cybersecurity should support organizational (business) objectives, including support for customers
• Understand current and planned workforce engagement processes and their success
• Understand opportunities to improve cybersecurity in alignment with organizational objectives
• Understand the potential exposure of the organization’s assets to various risks

Chief Information Officer (CIO)
• Align cybersecurity policy and practices with the organization’s mission, vision, and values
• Understand how cybersecurity affects organizational information management practices and culture
• Improve communication and engagement with organizational leaders and the cybersecurity workforce
• Understand how cybersecurity affects the organization’s culture and environment
• Support the organization’s commitment to legal and ethical behavior

Chief Information Security Officer (CISO)
• Create and apply cybersecurity policy and practices to support the organization’s mission, vision, and values
• Respond to rapid or unexpected organizational or external changes
• Support continuous improvement through periodic use of the self-assessment tool
• Support organizational understanding of compliance with various contractual and/or regulatory requirements
• Understand the effectiveness of workforce communication, learning, and engagement, as well as operational considerations for cybersecurity

IT Process Management
• Improve understanding of business requirements and mission objectives and their priorities
• Determine the effectiveness of IT processes and potential improvements
• Understand how aspects of cybersecurity are integrated with organizational change management processes
• Discern the impact of cybersecurity on internal/external customers, partners, and workforce

Risk Management
• Improve understanding of how workforce engagement in cybersecurity and communication to the workforce about cybersecurity impact the organization’s overall risk posture
• Improve management of and communication about risk related to external suppliers and partners
• Understand legal/ethical behavior on the part of the workforce, as well as the overall cultural environment

Legal/Compliance Roles
• Understand how the organization applies cybersecurity-related policies and operations to ensure responsible governance, including legal, regulatory, and community concerns
• Understand how the organization integrates external suppliers and partners into cybersecurity risk management, including contractual obligations for partners’ cybersecurity protection and reporting

Employees (Workforce)
• Understand leaders’ expectations
• Be better prepared for changes in cybersecurity capability and capacity needs
• Benefit from a workplace culture and environment characterized by open communication, high performance, and engagement in cybersecurity matters
• Learn to fulfill their cybersecurity roles and responsibilities


Examples of Key Linkages in the Baldrige Cybersecurity Excellence Builder

The questions in the Organizational Context, the process categories (1–6), and the results category (7) are closely linked. These linkages help you manage your cybersecurity risk policies and operations as a system by aligning your processes and results with your organization’s unique characteristics and situation. Some examples of these linkages follow. Each example lists what to accomplish, the elements to define, the systematic processes to have in place, and the results to track.

To accomplish this: Create and carry out an effective cybersecurity strategy
• Define these elements: C.2b: Strategic Context; many other sections in C.1 and C.2
• Have these systematic processes in place: 2.1: How you include cybersecurity in your organizational strategy; 2.2: How you implement cybersecurity-related elements of your strategy; 4.1: How you measure, analyze, and improve cybersecurity performance
• Track these results: 7.5, Q3: Your results for achievement of your cybersecurity strategy and action plans

To accomplish this: Engage your overall workforce in cybersecurity
• Define these elements: C.1a(3): Your overall workforce profile
• Have these systematic processes in place: 1.1, Q4: How leaders communicate with and engage the workforce regarding cybersecurity; 5.2: How you engage your overall workforce in support of cybersecurity policies and operations
• Track these results: 7.3, Q2: Your results for workforce engagement

To accomplish this: Ensure an effective, efficient cybersecurity supply network
• Define these elements: C.1b(3): Your suppliers for your cybersecurity operations
• Have these systematic processes in place: 1.1, Q1: How leaders deploy the mission, vision, and values to suppliers; 2.1, Q5: How you decide which key cybersecurity processes to accomplish internally and externally; 4.2, Q4: How you share cybersecurity best practices; 6.2b: Supply-Network Management
• Track these results: 7.1, Q7: Your results for suppliers’ understanding and fulfillment of their cybersecurity roles and responsibilities; 7.1, Q8: Your results for management of your cybersecurity supply network

To accomplish this: Protect your assets and systems
• Define these elements: C.1a(2): Product Offerings; C.1a(4): Your organization’s major physical and virtual assets, and your priorities for protecting them; C.1b: Organizational Relationships
• Have these systematic processes in place: 6.1(b): How you protect your assets and systems; 2.1: Your cybersecurity strategy
• Track these results: 7.1, Q1: Your results for the protection of assets and systems

To accomplish this: Detect cybersecurity events
• Define these elements: C.1a(4): Your organization’s major physical and virtual assets, and your priorities for protecting them
• Have these systematic processes in place: 6.1(c): How you detect cybersecurity events
• Track these results: 7.1, Q2: Your results for the detection of cybersecurity events; 7.1, Q5: Effectiveness and efficiency results for your cybersecurity operations

To accomplish this: Recover from cybersecurity events
• Define these elements: C.1a(4): Your organization’s major physical and virtual assets, and your priorities for protecting them; C.1b: Organizational Relationships
• Have these systematic processes in place: 6.1(e): How you recover from cybersecurity events
• Track these results: 7.1, Q4: Your results for recovering from cybersecurity events
Crosswalk: Baldrige Cybersecurity Excellence Builder and Cybersecurity Framework

Columns: Baldrige Cybersecurity Excellence Builder Categories and Items | Related Sections in the Cybersecurity Framework, 2.4, Figure 2: Notional Information and Decision Flows | Related Sections in the Cybersecurity Framework, Appendix A: Framework Core Functions and Categories¹

C Organizational Context
C.1 Organizational Description | Executive Level | ID-AM, ID-BE, ID-SC
C.2 Organizational Situation | Executive Level; Changes in Current and Future Risk | ID-BE, ID-RM

1 Leadership
1.1 Leading for Cybersecurity | Executive Level | ID-BE, RC-CO
1.2 Governance and Societal Responsibilities | Executive Level | ID-GV, RS-CO

2 Strategy
2.1 Strategy Development | Business/Process Level; Mission Priority and Risk Appetite and Budget; Changes in Current and Future Risk | ID-BE, ID-GV, ID-RA, ID-RM, ID-SC
2.2 Strategy Implementation | Business/Process Level; Mission Priority and Risk Appetite and Budget; Changes in Current and Future Risk | ID-BE, ID-GV, ID-RA, ID-RM

3 Customers
3.1 Customer Expectations | Business/Process Management; Implementation/Operations Level | ID-BE
3.2 Customer Engagement | Business/Process Management; Implementation/Operations Level | ID-AM, PR-AT, RS-CO, RC-CO

4 Measurement, Analysis, and Knowledge Management
4.1 Measurement, Analysis, and Improvement of Performance | Implementation Progress | DE-AE, DE-DP, RS-IM, RC-IM
4.2 Knowledge Management | Business/Process Management; Implementation/Operations Level | ID-RA, DE-AE, RS-CO

5 Workforce
5.1 Workforce Environment | Business/Process Management; Implementation/Operations Level | ID-AM, ID-GV, PR-IP, DE-DP, RS-CO
5.2 Workforce Engagement | Business/Process Management; Implementation/Operations Level | PR-AT, PR-IP, RS-CO

6 Operations
6.1 Work Processes | Implementation/Operations Level | PR-AC, PR-DS, PR-IP, PR-MA, DE-AE, DE-CM, DE-DP, RS-RP, RS-AN, RS-IM, RS-MI, RC-RP, RC-IM
6.2 Operational Effectiveness | Implementation/Operations Level | ID-AM, ID-BE, ID-SC, PR-AT, PR-IP

7 Results
7.1 Cybersecurity Process Results | Implementation Progress | PR-AC, PR-DS, PR-IP, PR-MA, DE-AE, DE-CM, DE-DP, RS-RP, RS-AN, RS-IM, RS-MI, RC-RP, RC-IM
7.2 Customer Results | Implementation Progress | ID-BE, ID-AM, PR-AT, RS-CO, RC-CO
7.3 Workforce Results | Implementation Progress | ID-AM, ID-GV, PR-IP, DE-DP, RS-CO, PR-AT
7.4 Leadership and Governance Results | Implementation Progress | ID-BE, ID-GV, ID-RA, ID-RM, RC-CO
7.5 Financial and Strategy Results | Implementation Progress | ID-BE

¹ The Cybersecurity Framework functions are Identify (ID), Protect (PR), Detect (DE), Respond (RS), and Recover (RC). For definitions of these functions, see the glossary. For a detailed explanation of the categories within these functions, see the Cybersecurity Framework (www.nist.gov/cyberframework).

User Tools
Self-Analysis Worksheet
For a spreadsheet version of this worksheet, see www.nist.gov/baldrige/products-services/baldrige-cybersecurity-initiative.

Process (Categories 1–6)
Rating columns for each item: Approach, Deployment, Learning, and Integration (Reactive, Early, Developing, Mature, Leading, or Exemplary?) and Importance (High, Medium, or Low?)

1 Leadership
1.1 Leading for Cybersecurity: How do your senior and cybersecurity leaders lead your cybersecurity policies and operations?
1.2 Governance and Societal Responsibilities: How do you govern your cybersecurity policies and operations and make cybersecurity-related societal contributions?

2 Strategy
2.1 Strategy Development: How do you include cybersecurity considerations in your strategy development?
2.2 Strategy Implementation: How do you implement the cybersecurity-related elements of your strategy?

3 Customers
3.1 Customer Expectations: How do you listen to your customers and determine their cybersecurity-related satisfaction?
3.2 Customer Engagement: How do you build relationships with internal and external customers around cybersecurity?

4 Measurement, Analysis, and Knowledge Management
4.1 Measurement, Analysis, and Improvement of Performance: How do you measure, analyze, and then improve cybersecurity-related performance?
4.2 Knowledge Management: How do you manage your organization’s cybersecurity-related knowledge assets?

5 Workforce
5.1 Workforce Environment: How do you build an effective and supportive environment for your cybersecurity workforce?
5.2 Workforce Engagement: How do you engage your workforce for high performance in support of cybersecurity policies and operations?

6 Operations
6.1 Work Processes: How do you design, manage, and improve your key cybersecurity work processes?
6.2 Operational Effectiveness: How do you ensure effective management of your cybersecurity operations?

Results (Category 7)
Rating columns for each item: Levels, Trends, Comparisons, and Integration (Reactive, Early, Developing, Mature, Leading, or Exemplary?) and Importance (High, Medium, or Low?)

7.1 Cybersecurity Process Results: What are your cybersecurity performance and process effectiveness results?
7.2 Customer Results: What are your customer-focused cybersecurity performance results?
7.3 Workforce Results: What are your workforce-focused cybersecurity performance results?
7.4 Leadership and Governance Results: What are your cybersecurity leadership and governance results?
7.5 Financial and Strategy Results: What are your cybersecurity-related financial and strategy results?

BALDRIGE EXCELLENCE FRAMEWORK®, BALDRIGE PERFORMANCE EXCELLENCE PROGRAM and Design®, MALCOLM BALDRIGE NATIONAL QUALITY AWARD®, and PERFORMANCE EXCELLENCE® are federally registered trademarks of the U.S. Department of Commerce, National Institute of Standards and Technology. The unauthorized use of these trademarks and service marks is prohibited.

You’ve used the Baldrige Cybersecurity Excellence Builder to assess your organization’s cybersecurity program. WHAT’S NEXT?

Tell Us about Your Experience
Submit feedback on the Baldrige Cybersecurity Excellence Builder at www.nist.gov/baldrige/products-services/baldrige-cybersecurity-initiative.

Learn More about the Baldrige Cybersecurity Initiative
See www.nist.gov/baldrige/products-services/baldrige-cybersecurity-initiative to learn more about this initiative.

Learn More about the Cybersecurity Framework
The Framework for Improving Critical Infrastructure Cybersecurity (www.nist.gov/cyberframework) is voluntary guidance, based on existing standards, guidelines, and practices, for organizations to better manage and reduce cybersecurity risk.

Download the Baldrige Excellence Builder
The Baldrige Excellence Builder (www.nist.gov/baldrige/products-services/baldrige-excellence-builder) includes key questions for improving your organization’s overall performance. It is based on the Baldrige Excellence Framework’s Criteria for Performance Excellence.

Purchase the Baldrige Excellence Framework Booklet
The Baldrige Excellence Framework (Business/Nonprofit, Education, or Health Care; www.nist.gov/baldrige/products-services/baldrige-excellence-framework) is a comprehensive guide to organizational performance excellence.

Attend the Quest for Excellence© Conference
At Quest (www.nist.gov/baldrige/qe) and other Baldrige conferences, you will learn best performance management practices from Baldrige Award recipients.

Contact the Baldrige Program
We’ll answer your questions on these and other products and services.
www.nist.gov/baldrige | 301.975.2036 | baldrige@nist.gov

National Institute of Standards and Technology (NIST)
The mission of NIST, an agency of the U.S. Department of Commerce, is to promote U.S. innovation
and industrial competitiveness by advancing measurement science, standards, and technology in ways
that enhance economic security and improve our quality of life.

Baldrige Performance Excellence Program
Created by Congress in 1987, the Baldrige Program is a unique public-private partnership that is
dedicated to helping organizations improve their performance and succeed in the global marketplace. The
program administers the Presidential Malcolm Baldrige National Quality Award. In collaboration with the
greater Baldrige community, we address critical national needs through
• a systems approach to achieving organizational excellence;
• organizational self-assessment tools and analysis of organizational strengths
and opportunities for improvement by a team of trained experts;
• training, executive education, conferences, and workshops on proven best
management practices and on using the Baldrige Excellence Framework to improve;
• Baldrige-based approaches to cybersecurity risk management and community excellence; and
• support for and partnership with the Alliance for Performance Excellence
(www.baldrigealliance.org), a national network of Baldrige-based programs.

Applied Cybersecurity Division, Information Technology Laboratory
As one of the major research components of NIST, the Information Technology Laboratory has the broad mission to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology through research and development in information technology, mathematics, and statistics. The Applied Cybersecurity Division (www.nist.gov/itl/applied-cybersecurity) implements practical cybersecurity and privacy through outreach and effective application of standards and best practices necessary for the U.S. to adopt cybersecurity capabilities. The Division:
• develops cybersecurity standards and guidelines in an open, transparent, and collaborative way;
• does cybersecurity testing and measurement—from developing test suites and methods
to validating cryptographic modules; and
• advances applied cybersecurity—applications of NIST’s research, standards, and testing
and measurement work.

Foundation for the Malcolm Baldrige National Quality Award
The mission of the Baldrige Foundation (www.baldrigefoundation.org) is to ensure the long-term financial
growth and viability of the Baldrige Performance Excellence Program and to support organizational
performance excellence in the United States and throughout the world.

For more information:
www.nist.gov/baldrige | 301.975.2036 | baldrige@nist.gov

CONNECT WITH BALDRIGE
@BaldrigeProgram #Baldrige

03/2019

T1554
Photo credits: ©Titima Ongkantong/Shutterstock, ©Aleksandr Danilenko/Shutterstock
