NIST Free security assessment tool

By John Gates, on May 11th, 2022

The National Institute of Standards and Technology (NIST) has issued a PDF of a cybersecurity self-assessment tool. The Baldrige Cybersecurity Excellence Builder v1.1 2019 is a self-assessment tool to help organizations better understand the effectiveness of their cybersecurity risk management efforts.


NIST requested public comments on the draft document, which blended the best of two globally recognized and widely used NIST resources: the organizational performance evaluation strategies from the Baldrige Performance Excellence Program and the risk management mechanisms of the Cybersecurity Framework.


Shown below are the benefits of using the Baldrige Cybersecurity Excellence Builder, by organizational role. For each role/function, the bullets give the benefit of, or reason for, using the Builder.

Board and Executive Management

• Understand how internal and external cybersecurity should support organizational (business) objectives, including support for customers
• Understand current and planned workforce engagement processes and their success
• Understand opportunities to improve cybersecurity in alignment with organizational objectives
• Understand the potential exposure of the organization’s assets to various risks
• Align cybersecurity policy and practices with the organization’s mission, vision, and values

Chief Information Officer (CIO)

• Understand how cybersecurity affects organizational information management practices and culture
• Improve communication and engagement with organizational leaders and the cybersecurity workforce
• Understand how cybersecurity affects the organization’s culture and environment

Chief Information Security Officer (CISO)

• Support the organization’s commitment to legal and ethical behavior
• Create and apply cybersecurity policy and practices to support the organization’s mission, vision, and values
• Respond to rapid or unexpected organizational or external changes
• Support continuous improvement through periodic use of the self-assessment tool
• Support organizational understanding of compliance with various contractual and/or regulatory requirements
• Understand the effectiveness of workforce communication, learning, and engagement, as well as operational considerations for cybersecurity

IT Process Management

• Improve understanding of business requirements and mission objectives and their priorities
• Determine the effectiveness of IT processes and potential improvements
• Understand how aspects of cybersecurity are integrated with organizational change management processes

Risk Management

• Discern the impact of cybersecurity on internal/external customers, partners, and workforce
• Improve understanding of how workforce engagement in cybersecurity and communication to the workforce about cybersecurity impact the organization’s overall risk posture
• Improve management of and communication about risk related to external suppliers and partners

Legal/Compliance Roles

• Understand legal/ethical behavior on the part of the workforce, as well as the overall cultural environment
• Understand how the organization applies cybersecurity-related policies and operations to ensure responsible governance, including legal, regulatory, and community concerns
• Understand how the organization integrates external suppliers and partners into cybersecurity risk management, including contractual obligations for partners’ cybersecurity protection and reporting

Employees (Workforce)

• Understand leaders’ expectations
• Be better prepared for changes in cybersecurity capability and capacity needs
• Benefit from a workplace culture and environment characterized by open communication, high performance, and engagement in cybersecurity matters
• Learn to fulfill their cybersecurity roles and responsibilities


When Deputy Secretary of Commerce Bruce Andrews announced the release of the draft document he said: “The Baldrige Cybersecurity Excellence Builder answers a call from many organizations to provide a way for them to measure how effectively they are using the Cybersecurity Framework. The Builder will strengthen the already powerful Cybersecurity Framework so that organizations can better manage their cybersecurity risks.”


Using the Builder, organizations of all sizes and types can:

  • determine cybersecurity-related activities that are important to business strategy and the delivery of critical services
  • prioritize investments in managing cybersecurity risk
  • assess the effectiveness and efficiency in using cybersecurity standards, guidelines and practices
  • assess the cybersecurity results
  • identify priorities for improvement


Cybersecurity Framework

The Cybersecurity Framework was developed by NIST through a collaborative process involving industry, academia and government agencies. NIST was directed by an executive order to create the framework specifically for managing cybersecurity risks related to critical infrastructure, but a broad array of public and private sector organizations now use it. The framework provides a risk-based approach to cybersecurity through five core functions—identify, protect, detect, respond and recover.

According to a report by the information technology research company Gartner, the framework is currently used by 30 percent of US organizations, a number expected to rise in the following years. The Builder guides users through a process that details their organization’s distinctive characteristics and strategic situations that relate to cybersecurity. This is followed by a series of questions to help define the organization’s current approaches to cybersecurity in the areas of leadership, strategy, customers, workforce and operations, as well as the results achieved with them.

Assessment

Finally, an assessment rubric lets users determine their organization’s cybersecurity maturity level—classified as “reactive,” “early,” “mature,” or “role model.” The completed evaluation can then lead to an action plan to upgrade cybersecurity practices and management, implement those improvements, and measure the progress and effectiveness of the process. Designed to be a key part of an organization’s continuous improvement efforts, the Builder should be used periodically to maintain the highest possible level of cybersecurity readiness.

In phase 1, the draft of the Baldrige Cybersecurity Excellence Builder was developed through a collaboration within NIST involving its Applied Cybersecurity Division, with input from private sector representatives.

Phase 2, currently pending funding, would involve voluntary assessments by independent experts, sharing of best practices, and voluntary recognition for exceptional performance.

Hardening

Each organization needs to configure its servers in line with NIST’s security requirements. The techniques for securing different types of operating systems can vary greatly. After planning and installing the OS, NIST identifies three issues that need to be addressed when configuring a server OS:

  1. Remove or disable unnecessary services, applications, and network protocols
  2. Configure OS and user authentication
  3. Configure resource controls appropriately

These are the most basic issues one should consider in order to protect a server. The practical part of each step includes hundreds of specific actions affecting each object in the server OS. Building the right policy and then enforcing it is a demanding and complex task that requires dedicated investment of money, time, and expertise. Automating server hardening is mandatory to really achieve a secure baseline. CHS by CalCom is the perfect solution for this painful issue. CHS will transform your hardening project to be effortless while ensuring that your servers are constantly hardened despite the dynamic nature of the infrastructure.
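The following shell script is an added illustration of how a baseline check for the three steps above can be automated; it is written for this page and is neither NIST’s checklist nor CalCom’s CHS. It audits one aspect of each step: a service allowlist (step 1), expected authentication directives in an sshd_config file (step 2), and a world-writable-file check as one resource control (step 3). The allowlist, the expected directive values, the enabled-service list and the two sample sshd_config files are constructed assumptions; on a real host you would pass in the enabled services reported by your init system and the live /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example: baseline audit for the three NIST server-configuration steps.
# Illustrative code for this page, not NIST's checklist and not CalCom CHS.
# The allowlist and the expected values below are assumptions.
set -u

# Step 1: services the (assumed) baseline permits to remain enabled.
ALLOWED_SERVICES="sshd chronyd rsyslog"

# Step 2: sshd_config directives and their expected values (assumed baseline).
SSHD_BASELINE="PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 4
X11Forwarding no"

# Print one FINDING line per enabled service outside the allowlist.
# $1: whitespace-separated list of enabled service names. Returns the count.
check_services() {
  local svc bad=0
  for svc in $1; do
    case " $ALLOWED_SERVICES " in
      *" $svc "*) ;;
      *) echo "FINDING: unnecessary service enabled: $svc"; bad=$((bad + 1)) ;;
    esac
  done
  return "$bad"
}

# Print one FINDING line per baseline directive that is missing or mis-set.
# $1: path to an sshd_config file. Returns the count.
# sshd uses the FIRST occurrence of a directive, so a later "PermitRootLogin no"
# does not override an earlier "yes". Directives inside Match blocks are
# conditional, so parsing stops at the first Match line.
check_sshd_config() {
  local key want have bad=0
  while read -r key want; do
    [ -z "$key" ] && continue
    have=$(awk -v k="$key" '
      $1 ~ /^#/ { next }
      tolower($1) == "match" { exit }
      tolower($1) == tolower(k) && v == "" { v = $2 }
      END { print v }' "$1")
    if [ -z "$have" ]; then
      echo "FINDING: $key not set (compiled-in default applies), expected $want"
      bad=$((bad + 1))
    elif [ "$have" != "$want" ]; then
      echo "FINDING: $key is $have, expected $want"
      bad=$((bad + 1))
    fi
  done <<EOF
$SSHD_BASELINE
EOF
  return "$bad"
}

# Step 3 (one resource control): flag world-writable paths.
# $@: paths to check. Returns the count. Character 9 of the ls mode string
# is the "other" write bit (e.g. "-rw-rw-rw-").
check_world_writable() {
  local p bad=0
  for p in "$@"; do
    if [ "$(ls -ld "$p" | cut -c9)" = "w" ]; then
      echo "FINDING: world-writable: $p"; bad=$((bad + 1))
    fi
  done
  return "$bad"
}

# Constructed sample inputs so the example runs offline; prints the directory.
write_samples() {
  local d; d=$(mktemp -d)
  cat > "$d/sshd_config.weak" <<'EOF'
# constructed weak config: first value wins, so root login stays enabled
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
X11Forwarding no
Match User backup
    PasswordAuthentication no
EOF
  cat > "$d/sshd_config.hardened" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 4
X11Forwarding no
EOF
  : > "$d/shared.txt";  chmod 666 "$d/shared.txt"
  : > "$d/private.txt"; chmod 600 "$d/private.txt"
  echo "$d"
}

# Stand-alone run over the constructed samples (service list is constructed too).
demo() {
  local dir total=0
  dir=$(write_samples)
  check_services "sshd telnet chronyd"            || total=$((total + $?))
  check_sshd_config "$dir/sshd_config.weak"       || total=$((total + $?))
  check_world_writable "$dir/shared.txt" "$dir/private.txt" || total=$((total + $?))
  echo "total findings: $total"
  rm -rf "$dir"
}
demo
```

Each check prints its findings and returns their number, so the functions can be chained into a summary or fed to a ticketing or monitoring pipeline. The sshd check mirrors sshd’s own first-occurrence rule rather than taking the last value, which is the mistake a naive grep makes on the constructed weak config above; re-running the script after applying the hardened config is the “measure the progress” step the article describes.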