The NIST Cybersecurity Framework is the leading global standard designed to assess an organization’s IT risk management performance profile and provide the foundation for corrective actions to address identified issues. It is estimated that thirty percent of large U. S. companies are presently using the Framework; and that fifty percent will be using the Framework by 2020. (Gartner, 2016) However, until now NIST has not put forward a companion assessment tool to use in implementing its guideline practices. This innovative research project is sponsored by NIST, the U.S. Government's standards and technology agency; and GSA, the Government's purchasing agency. It is designed to provide private and public organizations a formal assessment tool to more effectively apply NIST’s Cybersecurity Framework and to better understand their own IT supply chain vulnerabilities and the efficacy of their managerial/technical practices. In addition to sponsor support, this project is supported by our insurance industry partners, Zurich and Beecher Carlson.
The University of Maryland is serving as a neutral third party administering this assessment tool. It will be delivered through a secure portal to manage the data that are generated by this project. Our team is working with Amazon Web Services to ensure the security and high availability of our portal and its datasets. In addition, as a third party committed to your privacy and confidentiality, the University will not release your organization's data to any government agency. By being an early adopter of these new self-assessment tools, you will get valuable information about your organizational cyber risk profile and the relative importance of its key determinants.
The NIST Cybersecurity Framework identifies five categories (Identify, Protect, Detect, Respond, and Recover) that encompass the entire cybersecurity risk management process. Within each of the five categories, NIST identifies key performance factors, determined by NIST to be critical success factors for achieving effective cybersecurity risk management. By comparing your scores across the NIST categories, you will be able to measure the extent to which your organization has implemented the identified critical success factors in the five categories. You will also be able to see how well your organization’s performance level compares with your industry benchmark peers, as well as the entire universe of respondents. In addition to being able to print and share a copy of your performance report, we will provide you with easy to use tools to go deeper, and do more customized dives into your performance results with data visualization and analytics.
Finally, by participating, you will receive a special invitation to review our Phase 2 research results and gain insights into the relationship between an organization’s cyber risk management performance profile and its breach profile. This will be a unique opportunity.