NIST CSF self-assessments
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) provides guidance on how organizations can better manage and reduce cybersecurity risk by examining the effectiveness of their investments in cybersecurity. The framework is flexible: it allows the unique risks an organization faces to take center stage (as much as is needed) in shaping its cybersecurity profile.
A big part of NIST CSF is being able to determine where your organization’s cybersecurity posture stands in relation to the CSF. For this purpose, NIST added self-assessing as a new section of the Framework for Improving Critical Infrastructure Cybersecurity in 2018 (see the resources at the end of this article).
This article details self-assessments for the CSF. We will explore what self-assessments are, the benefits of self-assessment, what to do before you self-assess, the steps of conducting a full self-assessment, questions to include in the self-assessment questionnaire, and self-assessment resources.
What are self-assessments?
Self-assessments are intended to show how your cybersecurity program matches up with the NIST CSF. According to NIST, self-assessments are a way to measure an organization’s cybersecurity maturity.
To help organizations with self-assessments, NIST published a guide for building self-assessment questionnaires called the Baldrige Cybersecurity Excellence Builder. It helps organizations make the tough decisions involved in assessing their cybersecurity posture.
The benefits of self-assessment
It should be noted that the NIST CSF, like the self-assessment itself, is voluntary guidance for organizations. With this said, organizations should consider conducting a self-assessment of their cybersecurity posture for the benefits it conveys alone. These benefits include:
- Identifying successes and highlighting opportunities for improvement
- Jump-starting improvement initiatives
- Energizing change initiatives
- Energizing the workforce
- Assessing performance against both the NIST CSF and the competition
- Better alignment of resources with organization objectives
What to do before self-assessment
Before you begin your organization’s self-assessment, you need to do a little legwork in order to produce as accurate an assessment as possible. This entails gaining an understanding of the following:
- Your organization’s objectives
- The relationship between your objectives and the NIST CSF cybersecurity objectives
- How these objectives are both implemented and managed
Questions to use for self-assessment
The Baldrige Cybersecurity Excellence Builder can be used as a guide to craft a thoughtful questionnaire. It categorizes questions by subject matter and offers guide questions for each category.
The following are general, flexible questions for each category, taken from the Baldrige Cybersecurity Excellence Builder (see the resources at the end of this article). This list is by no means complete: a good self-assessment considers all aspects of an organization’s cybersecurity posture and needs to fit the organization as closely as possible. Accordingly, a solid self-assessment should fill out this questionnaire outline with hand-crafted questions that apply to the organization’s specific cybersecurity posture and needs.
- 1.1. Cybersecurity Leadership: How do your senior and cybersecurity leaders lead your cybersecurity policies and operations?
- 1.2. Governance and Societal Responsibilities: How do you govern your cybersecurity policies and operations and make cybersecurity-related societal contributions?
- 2.1. Strategy Development: How do you include cybersecurity considerations in your strategy development?
- 2.2. Strategy Implementation: How do you implement the cybersecurity-related elements of your strategy?
- 3.1. Customer Expectations: How do you listen to your customers and determine their cybersecurity-related satisfaction?
- 3.2. Customer Engagement: How do you build relationships with internal and external customers around cybersecurity?
4. Measurement, Analysis and Knowledge Management
- 4.1. Measurement, Analysis and Improvement of Performance: How do you measure, analyze, and then improve cybersecurity-related performance?
- 4.2. Knowledge Management: How do you manage your organization’s cybersecurity-related knowledge and assets?
- 5.1. Workforce Environment: How do you build an effective and supportive environment for your cybersecurity workforce?
- 5.2. Workforce Engagement: How do you engage your workforce for high performance in support of cybersecurity policies and operations?
- 6.1. Work Processes: How do you design, manage, and improve your key cybersecurity work processes?
- 6.2. Operational Effectiveness: How do you ensure effective management of your cybersecurity operations?
- 7.1. Cybersecurity Process Results: What are your cybersecurity performance and process effectiveness results?
- 7.2. Customer Results: What are your customer-focused cybersecurity performance results?
- 7.3. Workforce Results: What are your workforce-focused cybersecurity performance results?
- 7.4. Leadership and Governance Results: What are your cybersecurity leadership and governance results?
- 7.5. Financial and Strategy Results: What are your cybersecurity-related financial and strategy performance results?
The Baldrige Cybersecurity Excellence Builder offers a process rubric and a results rubric for assessing the responses to the questions above. The first six categories are known as processes, and the rubric offers the following evaluation factors:
A descriptor needs to be assigned to each evaluation factor. These descriptors are:
For category 7, or results, the evaluation factors are:
For each item above, indicate the importance level — low, medium or high. Finally, prioritize the actions that need to be taken.
Sample question, answer and assessment
The following is a sample question, answer and assessment for an organization with a rudimentary (low) level of cybersecurity maturity.
- 7.1. Cybersecurity Process Results: What are your cybersecurity performance and process effectiveness results? Please describe your organization’s approach, deployment, learning and integration.
- Approach: Problem-focused, reactive to incidents
- Deployment: There are prescribed approaches. We handle each situation on a case-by-case basis
- Learning: Learning is done on a reactive, as-needed basis
- Integration: There is no coordination and organization units operate independently
- Assessment: This organization is at a reactive maturity level. Much needs to be done to raise organizational maturity level
Self-assessing is an important part of the NIST CSF process. It helps measure the effectiveness of investment in cybersecurity programs as well as how closely the cybersecurity program matches up with the CSF. By following the steps of the self-assessment process, coupled with the right questions for your organization’s self-assessment questionnaire, you can get the most out of your cybersecurity program within the boundaries of the NIST CSF.
For more help and guidance regarding self-assessment, you may find the following resources helpful:
- Framework for Improving Critical Infrastructure Cybersecurity, NIST
- Baldrige Cybersecurity Excellence Builder, Baldrige Performance Excellence Program
- Getting Started with Baldrige, NIST
- NIST launches self-assessment tool for cybersecurity, FedScoop