Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Other (Initial Public Draft)

Baldrige Cybersecurity Excellence Builder: Key questions for improving your organization's cybersecurity performance

Date Published: September 2016
Comments Due: December 15, 2016 (public comment period is CLOSED)
Email Questions to:


National Institute of Standards and Technology


The Baldrige Cybersecurity Excellence Builder (BCEB) is a voluntary self-assessment tool that enables organizations to better understand the effectiveness of their cybersecurity risk management efforts. It helps leaders of organizations identify opportunities for improvement based on their cybersecurity needs and objectives, as well as their larger organizational needs, objectives, and outcomes. Using this self-assessment, you can:

  • determine cybersecurity-related activities that are important to your business strategy and critical service delivery;
  • prioritize your investments in managing cybersecurity risk;
  • determine how best to enable your workforce, customers, suppliers, partners, and collaborators to be risk conscious and security aware, and to fulfill their cybersecurity roles and responsibilities;
  • assess the effectiveness and efficiency of your use of cybersecurity standards, guidelines, and practices;
  • assess the cybersecurity results you achieve; and
  • identify priorities for improvement.

Like the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) and the Baldrige Excellence Framework, the BCEB is not a one-size-fits-all approach. It is adaptable and scalable to your organization's needs, goals, capabilities, and environment. It does not prescribe how you should structure your organization's cybersecurity policies and operations. Through interrelated sets of open-ended questions, it encourages you to use the approaches that best fit your organization.

Specifically, feedback is sought on:

  • the relative value of different parts of the BCEB for assessing your cybersecurity risk management efforts,
  • perceived gaps in the BCEB, and
  • the user-friendliness of the BCEB.

Feedback on this draft will be incorporated into the version 1 release, scheduled for early 2017.



Cybersecurity Framework; risk management; risk assessment; Baldrige Excellence Management Program; self-assessment.
Control Families

Assessment, Authorization and Monitoring; Risk Assessment


(Draft) Baldrige Cybersecurity Excellence Builder (pdf)

Supplemental Material:
Baldrige Cybersecurity Initiative Homepage
Press Release

Related NIST Publications:

Document History:
09/15/16: Other (Draft)
04/02/17: Other (Final)


Security and Privacy

general security & privacy