Why are you starting with Cyber Security?

The daily news stories about user information and intellectual property stolen from both private and public organizations make cyber security top of mind for most senior leaders.

There is little distinction between the public and private sectors when it comes to cyber security: compromised data affects any organization’s ability to perform its mission and serve its customers. It can also destroy an organization’s long-term sustainability.

A recent Executive Order included a number of initiatives targeting US Federal departments and agencies:

  • Placing the responsibility for cyber security risk on the heads of federal agencies
  • Calling for a report on cyber security concerns facing critical infrastructure to be drafted within six months
  • Mandating that government agencies, especially those in the civilian sector, consider opportunities to share cyber technology when feasible (a shared-services approach to cyber security)

Additionally, in June 2015 the National Institute of Standards and Technology (NIST) published Special Publication 800-171, Protecting Controlled Unclassified Information (CUI), or “sensitive but unclassified” information, in Nonfederal Information Systems and Organizations.

The goal of 800-171 is to provide direction to federal agencies to ensure that sensitive federal data and information are protected when processed, stored, and used outside of the federal government in non-federal information systems. More broadly, the controls specified in 800-171 will need to be addressed in any IT system that stores CUI or sensitive but unclassified information provided by the federal government[1].

Private corporations that hold such information are expected to implement the controls in 800-171 by the end of 2017.

Forum’s action for cyber security

Coupled with the fact that those who perpetrate cyber-attacks constantly adjust their tactics and use ever more sophisticated approaches, the above creates a great deal of urgency in both the public and private sectors to act in timely, reasonable, and prudent ways to protect public and private information systems.

For companies not directly affected by 800-171, there is no less urgency, given the reputational risk associated with information security breaches or the theft of their proprietary designs, algorithms, product plans, etc. (for example, the recent Equifax breach).

Given the above, the NFPPC felt that cyber security/resilience is both a timely and a necessary focus for our first public-private collaboration. We will focus the collaboration on determining what this means to an organization of any size, so that it understands what it needs to do to improve its cyber resilience.

[1] https://www.hitachi-systems-security.com/nist-800-171-assessment/

Framework for Improving Critical Infrastructure Cybersecurity Update

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology

Proposed Update to the Framework for Improving Critical Infrastructure Cybersecurity

AGENCY: National Institute of Standards and Technology, Commerce.

ACTION: Notice, request for comments.

SUMMARY: The National Institute of Standards and Technology (NIST) requests comments on a proposed update to the Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”). The voluntary Framework consists of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. The Framework was published on February 12, 2014, after a year-long, open process involving private and public sector organizations, including extensive input and public comments. It has been used with increasing frequency and in a variety of ways by organizations of all sizes and areas of interest, based inside and outside the United States.

This Request for Comments (RFC) is meant to facilitate coordination with “private sector personnel and entities, critical infrastructure owners and operators, and other relevant industry organizations” as directed by the Cybersecurity Enhancement Act of 2014.¹ The proposed update to the Framework is available for review at http://www.nist.gov/cyberframework. Responses to this RFC will be posted at http://www.nist.gov/cyberframework and will inform NIST’s planned update to the Framework.

DATES: Comments must be received by 5:00 p.m. Eastern time on April 10, 2017.

ADDRESSES: Written comments may be submitted by mail to Edwin Games, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899. Online submissions in electronic form may be sent to cyberframework@nist.gov in any of the following formats: HTML; ASCII; Word; RTF; or PDF. Please submit comments only and include your name, organization’s name (if any), and cite “Comments on Draft Update of the Framework for Improving Critical Infrastructure Cybersecurity” in all correspondence. Comments containing references, studies, research, and other empirical data that are not widely published should include copies of the referenced materials. The proposed update to the Framework is available for review at http://www.nist.gov/cyberframework.

All comments received in response to this RFC will be posted at http://www.nist.gov/cyberframework without change or redaction, so commenters should not include information they do not wish to be posted (e.g., personal or confidential business information). Comments that contain profanity, vulgarity, threats, or other inappropriate language will not be posted or considered.

FOR FURTHER INFORMATION CONTACT: For questions about this RFC contact: Adam Sedgewick, U.S. Department of Commerce, 1401 Constitution Avenue NW., Washington, DC 20230, telephone (202) 482–0788, email Adam.Sedgewick@nist.gov. Please direct media inquiries to NIST’s Office of Public Affairs at (301) 975–2762.

SUPPLEMENTARY INFORMATION: The national and economic security of the United States depends on the reliable functioning of critical infrastructure,² which has become increasingly dependent on information technology. Cyber attacks and publicized weaknesses reinforce the need for improved capabilities for defending against malicious cyber activity. This is a long-term challenge.

The Secretary of Commerce was tasked to direct the Director of NIST to lead the development of a voluntary framework to reduce cyber risks to critical infrastructure (the “Framework”).³ The Framework consists of standards, methodologies, procedures and processes that align policy, business, and technological approaches to address cyber risks. The Framework was developed by NIST using information collected through the Request for Information (RFI) that was published in the Federal Register on February 25, 2013 (78 FR 13024), a series of open public workshops, and a 45-day public comment period announced in the Federal Register on October 29, 2013 (78 FR 64478). It was published on February 12, 2014, after a year-long, open process involving private and public sector organizations, including extensive input and public comments, and announced in the Federal Register on February 18, 2014 (79 FR 9167). Responses to subsequent RFIs, as announced through the Federal Register (79 FR 50891 and 80 FR 76934), and workshops encouraged NIST to update the Framework. The Cybersecurity Framework incorporates voluntary consensus standards and industry best practices to the fullest extent possible and is consistent with voluntary international consensus-based standards when such international standards advance the objectives of the Cybersecurity Enhancement Act of 2014.

The Framework is designed for compatibility with existing regulatory authorities and regulations, although it is intended for voluntary adoption. Given the diversity of sectors in the Nation’s critical infrastructure, the Framework development process was designed to build on cross-sector security standards and guidelines that are immediately applicable or likely to be applicable to critical infrastructure. The process also was intended to increase visibility and use of those standards and guidelines, and to find potential areas for improvement (e.g., where standards/guidelines are nonexistent) that need to be addressed through future collaboration with industry and industry-led standards bodies. While the focus of the Framework is on the Nation’s critical infrastructure, it was developed in a manner to promote wide adoption of practices to increase risk management-based cybersecurity across all industry sectors and by all types of organizations. NIST has worked closely with industry groups, associations, nonprofits, government agencies, and international standards bodies to increase awareness of the Framework. NIST has promoted the use of the Framework as a basic, flexible, and adaptable tool for managing and reducing cybersecurity risks.

The Framework was designed as a communication tool. It is applicable for leaders at all levels of an organization. For these reasons, NIST has engaged a wide diversity of stakeholders in Framework education. NIST has also issued several RFIs, held workshops, and encouraged direct communication with potential and current users of the Framework. Based on the information received from the public via these channels and the work that it has carried out on cybersecurity—including its collaborative efforts with the private sector—NIST has developed a draft update of the Framework (termed “Version 1.1” or “V1.1”), available at http://www.nist.gov/cyberframework. This draft update seeks to clarify, refine, and enhance the Framework, and make it easier to use, while retaining its flexible, voluntary, and cost-effective nature. The update also will be fully compatible with the February 2014 version of the Framework in that either version may be used by organizations without degrading communication or functionality.

Request for Comments

NIST is soliciting public comments on this proposed update. Specifically, NIST is interested in comments that address updated features of the Framework. These features seek to:

  • Clarify Implementation Tier use and relationship to Profiles,
  • Enhance guidance for applying the Framework for supply chain risk management,
  • Provide guidance on metrics and measurements using the Framework,
  • Update the FAQs to support understanding and use of the Framework, and
  • Update the Informative References.

NIST also will consider comments on other aspects of the Framework update. All comments will be made available to the public. These comments will be analyzed and will be one focus of a public workshop to be held in May 2017.

Details about that workshop, which also will feature user experiences with the Framework, will be announced on the NIST Cybersecurity Framework Web site at: https://www.nist.gov/cyberframework. To receive notice about the workshop, please contact: cyberframework@nist.gov. After the May 2017 workshop and considering the comments received on this draft update, NIST intends to issue a final version of Framework V1.1 along with an updated Roadmap⁴ document that describes recommended activities in work areas that are related and complementary to the Framework.

Kevin Kimball, NIST Chief of Staff.

[FR Doc. 2017–01599 Filed 1–24–17; 8:45 am]

BILLING CODE 3510–13–P

¹ See 15 U.S.C. 272(e)(1)(A)(i). The Cybersecurity Enhancement Act of 2014 (S.1353) became Public Law 113–274 on December 18, 2014.

² For the purposes of this RFC the term “critical infrastructure” has the meaning given the term in 42 U.S.C. 5195c(e): “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

³ See Executive Order 13636, Improving Critical Infrastructure Cybersecurity (Feb. 12, 2013),

Malcolm Baldrige Criteria

This commentary, taken from the NIST web site, provides brief summaries of the Baldrige Criteria for Performance Excellence categories and items. It also includes examples and guidance to supplement the notes that follow each Criteria item in the Baldrige Excellence Framework booklet.

Baldrige Criteria for Performance Excellence Categories and Items

The “why” behind the Criteria, as well as examples and guidance to supplement the notes that follow each Criteria item in the Baldrige Excellence Framework booklet.

Organizational Profile

Your Organizational Profile provides a framework for understanding your organization. It also helps you guide and prioritize the information you present in response to the Criteria items in categories 1–7.

The Organizational Profile gives you critical insight into the key internal and external factors that shape your operating environment. These factors, such as your organization’s vision, values, mission, core competencies, competitive environment, and strategic challenges and advantages, impact the way your organization is run and the decisions you make. As such, the Organizational Profile helps you better understand the context in which you operate; the key requirements for current and future business success; and the needs, opportunities, and constraints placed on your management systems.

P.1 Organizational Description

Purpose

This item addresses the key characteristics and relationships that shape your organizational environment. The aim is to set the context for your organization.

Commentary

Understand your organization. The use of such terms as vision, values, mission, and core competencies varies depending on the organization, and you may not use one or more of these terms. Nevertheless, you should have a clear understanding of the essence of your organization, why it exists, and where your senior leaders want to take it in the future. This clarity enables you to make and implement strategic decisions affecting your organization’s future.

Understand your core competencies. A clear identification and thorough understanding of your organization’s core competencies are central to success now and in the future and to competitive performance. Executing your core competencies well is frequently a marketplace differentiator. Keeping your core competencies current with your strategic directions can provide a strategic advantage, and protecting intellectual property contained in your core competencies can support your organization’s future success.

Understand your regulatory environment. The regulatory environment in which you operate places requirements on your organization and affects how you run it. Understanding this environment is key to making effective operational and strategic decisions. Furthermore, it allows you to identify whether you are merely complying with the minimum requirements of applicable laws, regulations, and standards of practice or exceeding them, a hallmark of leading organizations and a potential source of competitive advantage.

Identify governance roles and relationships. Leading organizations have well‐defined governance systems with clear reporting relationships. It is important to clearly identify which functions are performed by your senior leaders and, as applicable, by your governance board and parent organization. Board independence and accountability are frequently key considerations in the governance structure.

Understand the role of suppliers. In most organizations, suppliers play critical roles in processes that are important to running the business and to maintaining or achieving a sustainable competitive advantage. Supply‐chain requirements might include on‐time or just‐in‐time delivery, flexibility, variable staffing, research and design capability, process and product innovation, and customized manufacturing or services.

P.2 Organizational Situation

Purpose

This item asks about the competitive environment in which your organization operates, including your key strategic challenges and advantages. It also asks how you approach performance improvement and learning. The aim is to help you understand your key organizational challenges and your system for establishing and preserving your competitive advantage.

Commentary

Know your competitors. Understanding who your competitors are, how many you have, and their key characteristics is essential for determining your competitive advantage in your industry and marketplace. Leading organizations have an in‐depth understanding of their current competitive environment, including key changes taking place.

Sources of comparative and competitive data might include industry publications, benchmarking activities, annual reports for publicly traded companies and public organizations, conferences, local networks, and industry associations.

Know your strategic challenges. Operating in today’s highly competitive marketplace means facing strategic challenges that can affect your ability to sustain performance and maintain your competitive position. These challenges might include the following:

  • Your operational costs (e.g., materials, labor, or geographic location)
  • Expanding or decreasing markets
  • Mergers or acquisitions by your organization and your competitors
  • Economic conditions, including fluctuating demand and local and global economic downturns
  • The cyclical nature of your industry
  • The introduction of new or substitute products
  • Rapid technological changes
  • New competitors entering the market
  • The availability of skilled labor
  • The retirement of an aging workforce

Know your strategic advantages. Understanding your strategic advantages is as important as understanding your strategic challenges. They are the sources of competitive advantage to capitalize on and grow while you continue to address key challenges. These advantages might include the following:

  • Industry innovation leadership
  • Customer service recognition
  • Brand recognition
  • Agility
  • Supply-chain integration
  • Price leadership
  • Reputation for quality and reliability
  • Environmental (“green”) stewardship
  • Social responsibility and community involvement

Prepare for disruptive technologies. A particularly significant challenge, if it occurs to your organization, is being unprepared for a disruptive technology that threatens your competitive position or your marketplace. In the past, such technologies have included personal computers replacing typewriters; cell phones challenging traditional and pay phones; fax machines capturing business from overnight delivery services; and e‐mail, social media, and smart phones challenging all other means of communication. Today, organizations need to be scanning the environment inside and outside their immediate industry to detect such challenges at the earliest possible point in time.

Leadership (Category 1)

This category asks how senior leaders’ personal actions and your governance system guide and sustain your organization.

1.1 Senior Leadership

Purpose

This item asks about the key aspects of your senior leaders’ responsibilities, with the aim of creating an organization that is successful now and in the future.

Commentary

The role of senior leaders. Senior leaders play a central role in setting values and directions, communicating, creating and balancing value for all stakeholders, and creating an organizational focus on action, including transformational change in the organization’s structure and culture, when needed. Success requires a strong orientation to the future and a commitment to improvement, innovation and intelligent risk taking, and organizational sustainability. Increasingly, this requires creating an environment for empowerment, agility, change, and learning.

Role‐model senior leaders. In highly respected organizations, senior leaders are committed to establishing a culture of customer engagement, developing the organization’s future leaders, and recognizing and rewarding contributions by workforce members. They personally engage with key customers. Senior leaders enhance their personal leadership skills. They participate in organizational learning, the development of future leaders, succession planning, and recognition opportunities and events that celebrate the workforce. Development of future leaders might include personal mentoring or participation in leadership development courses. Role-model leaders recognize the need for transformational change when warranted and then lead the effort through to full fruition.

1.2 Governance and Societal Responsibilities

Purpose

This item asks about key aspects of your governance system, including the improvement of leaders and the leadership system. It also asks how the organization ensures that everyone in the organization behaves legally and ethically, how it fulfills its societal responsibilities, and how it supports its key communities.

Commentary

Organizational governance. This item addresses the need for a responsible, informed, transparent, and accountable governance or advisory body that can protect the interests of key stakeholders (including stockholders) in publicly traded, private, and nonprofit organizations. This body should have independence in review and audit functions, as well as a function that monitors organizational and CEOs’ or chief administrators’ performance.

Legal compliance, ethics, and risks. An integral part of performance management and improvement is proactively addressing (1) the need for ethical behavior, (2) all legal and regulatory requirements, and (3) risk factors. Ensuring high performance in these areas requires establishing appropriate measures or indicators that senior leaders track. You should be sensitive to issues of public concern, whether or not these issues are currently embodied in laws and regulations. Role‐model organizations look for opportunities to excel in areas of legal and ethical behavior.

Public concerns. Public concerns that charitable and government organizations should anticipate might include the cost of programs and operations, timely and equitable access to their offerings, and perceptions about their stewardship of resources.

Conservation of natural resources. Conservation might be achieved through the use of “green” technologies, reduction of your carbon footprint, replacement of hazardous chemicals with water‐based chemicals, energy conservation, use of cleaner energy sources, or recycling of by‐products or wastes.

Societal responsibility. Societal responsibility implies going beyond a compliance orientation. Opportunities to contribute to the well-being of environmental, social, and economic systems and opportunities to support key communities are available to organizations of all sizes. The level and breadth of these contributions will depend on the size of your organization and your ability to contribute. Increasingly, decisions to engage with an organization include consideration of its social responsibility.

Community support. Your organization should consider areas of community involvement that are related to its core competencies. Examples of organizational community involvement include

  • partnering with schools and school boards to improve education;
  • partnering with health care providers to improve health in the local community by providing education and volunteer services to address public health issues; and
  • partnering to influence trade, business, and professional associations to engage in beneficial, cooperative activities, such as voluntary standards activities or sharing best practices to improve overall U.S. global competitiveness and ethical and societal well‐being.

Examples specifically for nonprofit organizations include partnering with other nonprofit organizations or businesses to improve the overall performance and stewardship of public and charitable resources.

Strategy (Category 2)

This category asks how you develop strategic objectives and action plans, implement them, change them if circumstances require, and measure progress.

The category stresses that your organization’s long‐term organizational success and competitive environment are key strategic issues that need to be integral parts of your overall planning. Making decisions about your organization’s core competencies and work systems is an integral part of ensuring your organization’s success now and in the future, and these decisions are therefore key strategic decisions.

While many organizations are increasingly adept at strategic planning, executing plans is still a significant challenge. This is especially true given market demands to be agile and be prepared for unexpected change, such as volatile economic conditions or disruptive technologies that can upset an otherwise fast‐paced but more predictable marketplace. This category highlights the need to focus not only on developing your plans, but also on your capability to execute them.

The Baldrige framework emphasizes three key aspects of organizational excellence that are important to strategic planning:

  • Customer‐focused excellence is a strategic view of excellence. The focus is on the drivers of customer engagement, new markets, and market share—key factors in competitiveness, profitability, and long-term organizational success.
  • Operational performance improvement and innovation contribute to short‐ and longer‐term productivity growth and cost/price competitiveness. Building operational capability—including speed, responsiveness, and flexibility—is an investment in strengthening your organizational fitness.
  • Organizational learning and learning by workforce members are necessary strategic considerations in today’s fast‐paced environment. The Criteria emphasize that improvement and learning need to be embedded in work processes. The special role of strategic planning is to align work systems and learning initiatives with your organization’s strategic directions, thereby ensuring that improvement and learning prepare you for and reinforce organizational priorities.

This category asks how you

  • consider key elements of a strategic planning process, including strategic opportunities, challenges, and advantages, and the potential need for transformational change in organizational structure or culture;
  • optimize the use of resources, ensure the availability of a skilled workforce, and bridge short‐ and longer‐term requirements that may entail capital expenditures, technology development or acquisition, supplier development, and new partnerships or collaborations; and
  • ensure that implementation will be effective—that there are mechanisms to communicate requirements and achieve alignment on three levels: (1) the organization and executive level, (2) the key work system and work process level, and (3) the work unit and individual job level.

The requirements in this category encourage strategic thinking and acting in order to develop a basis for a distinct competitive position in the marketplace. These requirements do not imply the need for formal planning departments, specific planning cycles, or a specified way of visualizing the future. They do not imply that all your improvements could or should be planned in advance. An effective improvement system combines improvements of many types and degrees of involvement. This requires clear strategic guidance, particularly when improvement alternatives, including major change or innovation, compete for limited resources. In most cases, setting priorities depends heavily on a cost, opportunity, and threat rationale. However, you might also have critical requirements, such as societal responsibilities, that are not driven by cost considerations alone.

2.1 Strategy Development

Purpose

This item asks how you establish a strategy to address your organization’s challenges and leverage its advantages and how you make decisions about key work systems and core competencies. It also asks about your key strategic objectives and their related goals. The aim is to strengthen your overall performance, competitiveness, and future success.

Commentary

A context for strategy development. This item calls for basic information on the planning process and for information on all key influences, risks, challenges, and other requirements that might affect your organization’s future opportunities and directions—taking as long term a view as appropriate and possible from the perspectives of your organization and your industry or marketplace. This approach is intended to provide a thorough and realistic context for developing a customer‐ and market‐focused strategy to guide ongoing decision making, resource allocation, and overall management.

A future‐oriented basis for action. This item is intended to cover all types of businesses, for‐profit and nonprofit organizations, competitive situations, strategic issues, planning approaches, and plans. The requirements explicitly call for a future‐oriented basis for action. Even if your organization is seeking to create an entirely new business, you still need to set and test the objectives that define and guide critical actions and performance.

Competitive leadership. This item emphasizes competitive leadership, which usually depends on revenue growth and operational effectiveness. Competitive leadership requires a view of the future that includes not only the markets or segments in which you compete but also how you compete. How to compete presents many options. Deciding how to compete requires that you understand your and your competitors’ strengths and weaknesses and also involves decisions on taking intelligent risks in order to gain or retain market leadership. Although no specific time horizons are included, the thrust of this item is sustained competitive leadership.

Work systems. Efficient and effective work systems require

  • effective design;
  • a prevention orientation;
  • linkage to customers, suppliers, partners, and collaborators;
  • a focus on value creation for all key stakeholders; operational performance improvement; cycle time reduction; and evaluation, continuous improvement, innovation, and organizational learning; and
  • regular review to evaluate the need for fundamental changes in the way work is accomplished.

Work systems must also be designed in a way that allows your organization to be agile and protect intellectual property. In the simplest terms, agility is the ability to adapt quickly, flexibly, and effectively to changing requirements. Depending on the nature of your strategy and markets, agility might mean the ability to change rapidly from one product to another, respond rapidly to changing demands or market conditions, or produce a wide range of customized services. Agility and protection of intellectual property also increasingly involve decisions to outsource, agreements with key suppliers, and novel partnering arrangements.

2.2 Strategy Implementation

Purpose

This item asks how you convert your strategic objectives into action plans to accomplish the objectives and how you assess progress relative to these action plans. The aim is to ensure that you deploy your strategies successfully and achieve your goals.

Commentary

Developing and deploying action plans. Accomplishing action plans requires resources and performance measures, as well as alignment among the plans of your work units, suppliers, and partners. Of central importance is how you achieve alignment and consistency—for example, via work systems, work processes, and key measurements. Also, alignment and consistency provide a basis for setting and communicating priorities for ongoing improvement activities—part of the daily work of all work units. In addition, performance measures are critical for tracking performance.

Performing analyses to support resource allocation. You can perform many types of analyses to ensure that financial resources are available to support the accomplishment of your action plans while you meet current obligations. For current operations, these efforts might include the analysis of cash flows, net income statements, and current liabilities versus current assets. For investments to accomplish action plans, the efforts might include analysis of discounted cash flows, return on investment, or return on invested capital.

Analyses also should evaluate the availability of people and other resources to accomplish your action plans while continuing to meet current obligations. Financial resources must be supplemented by capable people and the necessary facilities and support.

The specific types of analyses performed will vary from organization to organization. These analyses should help you assess the financial viability of your current operations and the potential viability of and risks associated with your action plan initiatives.

Creating workforce plans. Action plans should include human resource or workforce plans that are aligned with and support your overall strategy. Examples of possible plan elements are

  • a redesign of your work organization and jobs to increase workforce empowerment and decision making;
  • initiatives to promote greater labor‐management cooperation, such as union partnerships;
  • consideration of the impacts of outsourcing on your current workforce and initiatives;
  • initiatives to prepare for future workforce capability and capacity needs;
  • initiatives to foster knowledge sharing and organizational learning;
  • modification of your compensation and recognition systems to recognize team, organizational, stock market, customer, or other performance attributes; and
  • education and training initiatives, such as developmental programs for future leaders, partnerships with universities to help ensure the availability of an educated and skilled workforce, and training programs on new technologies important to the future success of your workforce and organization.

Projecting your future environment. An increasingly important part of strategic planning is projecting the future competitive and collaborative environment. This includes the ability to project your own future performance, as well as that of your competitors. Such projections help you detect and reduce competitive threats, shorten reaction time, and identify opportunities. Depending on your organization’s size and type, the potential need for new core competencies, the maturity of markets, the pace of change, and competitive parameters (e.g., price, costs, or the innovation rate), you might use a variety of modeling, scenarios, or other techniques and judgments to anticipate the competitive and collaborative environment.

Projecting and comparing your performance. Projections and comparisons in this item are intended to improve your organization’s ability to understand and track dynamic, competitive performance factors. Projected performance might include changes resulting from new business ventures, entry into new markets, the introduction of new technologies, product innovations, or other strategic thrusts that might involve a degree of intelligent risk.

Through this tracking, you should be better prepared to take into account your organization’s rate of improvement and change relative to that of competitors or comparable organizations and relative to your own targets or stretch goals. Such tracking serves as a key diagnostic tool for you to use in deciding to start, accelerate, or discontinue initiatives and to implement needed organizational change.

Customers (Category 3)

This category asks how you engage customers for long‐term marketplace success, including how you listen to the voice of the customer, build customer relationships, and use customer information to improve and to identify opportunities for innovation.

The category stresses customer engagement as an important outcome of an overall learning and performance excellence strategy. Your customer satisfaction and dissatisfaction results provide vital information for understanding your customers and the marketplace. In many cases, the voice of the customer provides meaningful information not only on your customers’ views but also on their marketplace behaviors and on how these views and behaviors may contribute to your organization’s current and future success in the marketplace.

3.1 Voice of the Customer

Purpose

This item asks about your processes for listening to your customers and determining their satisfaction and dissatisfaction. The aim is to capture meaningful information in order to exceed your customers’ expectations.

Commentary

Customer listening. Selection of voice‐of‐the‐customer strategies depends on your organization’s key business factors. Most organizations listen to the voice of the customer via multiple modes. Some frequently used modes include focus groups with key customers, close integration with key customers, interviews with lost and potential customers about their purchasing or relationship decisions, customer comments posted on social media, win/loss analysis relative to competitors and other organizations providing similar products, and survey or feedback information.

Actionable information. This item emphasizes how you obtain actionable information from customers. Information is actionable if you can tie it to key product offerings and business processes and use it to determine the cost and revenue implications of setting particular improvement goals and priorities for change.

Listening/learning and business strategy. In a rapidly changing technological, competitive, economic, and social environment, many factors may affect customer expectations and loyalty and your interface with customers in the marketplace. This makes it necessary to continually listen and learn. To be effective, listening and learning need to be closely linked with your overall business strategy.

Social media. Customers are increasingly turning to social media to voice their impressions of your products and customer support. They may provide this information through social interactions you mediate or through independent or customer‐initiated means. All of these can be valuable sources of information for your organization. Organizations need to become familiar with vehicles for monitoring and tracking this information.

Customer and market knowledge. Knowledge of customers, customer groups, market segments, former customers, and potential customers allows you to tailor product offerings, support and tailor your marketing strategies, develop a more customer‐focused workforce culture, develop new business, evolve your brand image, and ensure long-term organizational success.

Customers’ satisfaction with competitors. A key aspect of determining customers’ satisfaction and dissatisfaction is determining their comparative satisfaction with competitors, competing or alternative offerings, and/or organizations providing similar products. Such information might be derived from win/loss analyses, your own comparative studies, or independent studies. The factors that lead to customer preference are critically important in understanding factors that drive markets and potentially affect your organization’s longer‐term competitiveness and success.

3.2 Customer Engagement

Purpose

This item asks about your processes for determining and customizing product offerings that serve your customers and markets; for enabling customers to seek information and support; and for identifying customer groups and market segments. The item also asks how you build relationships with your customers and manage complaints. The aim of these efforts is to improve marketing, build a more customer‐focused culture, and enhance customer loyalty.

Commentary

Engagement as a strategic action. Customer engagement is a strategic action aimed at achieving such a degree of loyalty that the customer will advocate for your brand and product offerings. Achieving such loyalty requires a customer‐focused culture in your workforce based on a thorough understanding of your business strategy and your customers’ behaviors and preferences.

Customer relationship strategies. A relationship strategy may be possible with some customers but not with others. The relationship strategies you do have may need to be distinctly different for each customer, customer group, and market segment. They may also need to be distinctly different during various stages of the customer life cycle.

Brand management. Brand management is aimed at positioning your product offerings in the marketplace. Effective brand management leads to improved brand recognition and customer loyalty. Brand management is intended to build the customer’s emotional attachment for the purpose of differentiating yourself from the competition and building loyalty.

Complaint management. Complaint aggregation, analysis, and root‐cause determination should lead to effective elimination of the causes of complaints and to the setting of priorities for process and product improvements. Successful outcomes require effective deployment of information throughout your organization.

Measurement, Analysis, and Knowledge Management (Category 4)

In the simplest terms, category 4 is the “brain center” for the alignment of your operations with your strategic objectives. It is the main point within the Criteria for all key information on effectively measuring, analyzing, and improving performance and managing organizational knowledge to drive improvement, innovation, and organizational competitiveness. Central to this use of data and information are their quality, security, and availability, as well as the reliability and security of your information system hardware and software. Furthermore, since information, analysis, and knowledge management might themselves be primary sources of competitive advantage and productivity growth, this category also includes such strategic considerations.

4.1 Measurement, Analysis, and Improvement of Organizational Performance

Purpose

This item asks how you select and use data and information for performance measurement, analysis, and review in support of organizational planning and performance improvement. The item serves as a central collection and analysis point in an integrated performance measurement and management system that relies on financial and nonfinancial data and information. The aim of performance measurement, analysis, review, and improvement is to guide your process management toward the achievement of key organizational results and strategic objectives, anticipate and respond to rapid or unexpected organizational or external changes, and identify best practices to share.

Commentary

Aligning and integrating your performance management system. Alignment and integration are key concepts for successfully implementing and using your performance measurement system. The Criteria view alignment and integration in terms of how widely and how effectively you use that system to meet your needs for organizational performance assessment and improvement and to develop and execute your strategy.

Alignment and integration include how measures are aligned throughout your organization and how they are integrated to yield organization‐wide data and information. Organization-wide data and information are key inputs to organizational performance reviews and strategic decision making. Alignment and integration also include how your senior leaders deploy performance measurement requirements to track work group and process‐level performance on key measures that are targeted for their organization‐wide significance or for improvement.

Using comparative data. The use of comparative data and information is important to all organizations. The major premises for their use are the following:

  • Your organization needs to know where it stands relative to competitors and to best practices.
  • Comparative information and information obtained from benchmarking often provide the impetus for significant (“breakthrough”) improvement or transformational change.
  • Comparing performance information frequently leads to a better understanding of your processes and their performance.
  • Comparative performance projections and competitors’ performance may reveal organizational advantages as well as challenge areas where innovation is needed.

Comparative information may also support business analysis and decisions relating to core competencies, partnering, and outsourcing.

Selecting and using comparative data. Effective selection and use of comparative data and information require you to determine needs and priorities and establish criteria for seeking appropriate sources for comparisons—from within and outside your industry and markets.

Effective use of comparative data and information allows you to set stretch goals and to promote major nonincremental (“breakthrough”) improvements in areas most critical to your competitive strategy.

Reviewing performance. The organizational review called for in this item is intended to cover all areas of performance. This includes not only current performance but also projections of your future performance. The expectation is that the review findings will provide a reliable means to guide both improvements and opportunities for innovation that are tied to your key objectives, core competencies, and measures of success. Review findings may also alert you to the need for transformational change in your organization’s structure and work systems. Therefore, an important component of your organizational review is the translation of the review findings into actions that are deployed throughout your organization and to appropriate suppliers, partners, collaborators, and key customers.

Analyzing performance. Analyses that you conduct to gain an understanding of performance and needed actions may vary widely depending on your organization’s type, size, competitive environment, and other factors. Here are some examples of possible analyses:

  • How product improvements or new products correlate with key customer indicators, such as satisfaction, loyalty, and market share
  • Return on investment for intelligent risks that you pursue
  • Cost and revenue implications of customer‐related problems and effective problem resolution
  • Interpretation of market share changes in terms of customer gains and losses and changes in customer engagement
  • Trends in key operational performance indicators, such as productivity, cycle time, defect levels, waste reduction, carbon footprint, and new product introduction
  • Relationships among learning by workforce members, organizational learning, and the value added per employee
  • Financial benefits derived from improvements in workforce capacity, safety, absenteeism, and turnover
  • Benefits and costs associated with education and training
  • Benefits and costs associated with improved organizational knowledge management and sharing
  • The relationship between knowledge management and innovation
  • How the ability to identify and meet workforce capability and capacity needs correlates with retention, motivation, and productivity
  • Cost and revenue implications of workforce‐related problems and effective problem resolution
  • Individual or aggregate measures of productivity and quality relative to competitors’ performance
  • Cost trends relative to competitors’ trends
  • Relationships among product quality, operational performance indicators, and overall financial performance trends as reflected in indicators such as operating costs, revenues, asset utilization, and value added per employee
  • Allocation of resources among alternative improvement projects based on cost/benefit implications or environmental and societal impact
  • Net earnings or savings derived from improvements in quality, operational, and workforce performance
  • Comparisons among business units showing how quality and operational performance affect financial performance
  • Contributions of improvement activities to cash flow, working capital use, and shareholder value
  • Impacts of customer loyalty on profit
  • Cost and revenue implications of new market entry, including product-line and geographic expansion
  • Market share versus profits
  • Trends in economic, market, and stakeholder indicators of value and the impact of these trends on long-term organizational success

Aligning analysis, performance review, and planning. Individual facts and data do not usually provide an effective basis for setting organizational priorities. This item emphasizes the need for close alignment between your analysis and your organizational performance review and between your performance review and your organizational planning. This ensures that analysis and review are relevant to decision making and that decisions are based on relevant data and information. In addition, your historical performance, combined with assumptions about future internal and external changes, allows you to develop performance projections. These projections may serve as a key planning tool.

Understanding causality. Action depends on understanding causality among processes and between processes and results. Process actions and their results may have many resource implications. Organizations have a critical need to provide an effective analytical basis for decisions because resources for innovation and improvement are limited.

4.2 Knowledge Management, Information, and Information Technology

Purpose

This item asks how you build and manage your organization’s knowledge assets and ensure the quality, security, and availability of data, information, software, and hardware, normally and in the event of an emergency. The aim of this item is to improve organizational efficiency and effectiveness and stimulate innovation.

Commentary

Knowledge management. The focus of your knowledge management is on the knowledge that your people need to do their work; improve processes, products, and services; and innovate to add value for the customer and your organization.

Organizational learning. One of the many issues facing organizations today is how to manage, use, evaluate, and share their ever‐increasing organizational knowledge. Leading organizations benefit from the knowledge assets of their workforce, customers, suppliers, collaborators, and partners, who together drive organizational learning and innovation.

Information management. Managing information can require a significant commitment of resources as the sources of data and information grow dramatically. The continued growth of information within organizations’ operations—as part of organizational knowledge networks; through the web and social media; and in business‐to‐business, organization‐to‐organization, and business‐to‐consumer communications—challenges organizations’ ability to ensure reliability and availability in a user‐friendly format. The ability to blend and correlate disparate types of data, such as video, text, and numbers, provides opportunities for a competitive advantage.

Data and information availability. Data and information are especially important in business or organizational networks, partnerships, and supply chains. You should take into account this use of data and information and recognize the need for rapid data validation, reliability assurance, and security, given the frequency and magnitude of electronic data transfer and the challenges of cybersecurity.

Emergency availability. You should carefully plan how you will continue to provide an information technology infrastructure, data, and information in the event of either a natural or man‐made disaster. These plans should consider the needs of all your stakeholders, including the workforce, customers, suppliers, partners, and collaborators. The plans also should be coordinated with your overall plan for business continuity (item 6.2) and cybersecurity.

Workforce (Category 5)

This category addresses key workforce practices—those directed toward creating and maintaining a high‐performance environment and toward engaging your workforce to enable it and your organization to adapt to change and succeed.

To reinforce the basic alignment of workforce management with overall strategy, the Criteria also cover workforce planning as part of overall strategic planning in category 2.

5.1 Workforce Environment

Purpose

This item asks about your workforce capability and capacity needs, how you meet those needs to accomplish your organization’s work, and how you ensure a supportive work climate. The aim is to build an effective environment for accomplishing your work and supporting your workforce.

Commentary

Workforce capability and capacity. Many organizations confuse the concepts of capability and capacity by adding more people with incorrect skills to compensate for skill shortages or by assuming that fewer highly skilled workers can meet capacity needs for processes requiring less skill or different skills but more people to accomplish. Having the right number of workforce contributors with the right skill set is critical to success. Looking ahead to predict those needs for the future allows for adequate training, hiring, relocation times, and preparation for work system changes.

Workforce support. Most organizations, regardless of size, have many opportunities to support their workforce. Some examples of services, facilities, activities, and other opportunities are personal and career counseling; career development and employability services; recreational or cultural activities; on‐site health care and other assistance; formal and informal recognition; non‐work‐related education; child and elder care; special leave for family responsibilities and community service; flexible work hours and benefits packages; outplacement services; and retiree benefits, including ongoing access to services.

5.2 Workforce Engagement

Purpose

This item asks about your systems for managing workforce performance and developing your workforce members to enable and encourage all of them to contribute effectively and to the best of their ability. These systems are intended to foster high performance, to address your core competencies, and to help accomplish your action plans and ensure your organization’s success now and in the future.

Commentary

High performance. The focus of this item is on a workforce capable of achieving high performance. High performance is characterized by flexibility, innovation, empowerment and personal accountability, knowledge and skill sharing, good communication and information flow, alignment with organizational objectives, customer focus, and rapid response to changing business needs and marketplace requirements.

Workforce engagement and performance. Many studies have shown that high levels of workforce engagement have a significant, positive impact on organizational performance. Research has indicated that engagement is characterized by performing meaningful work; having clear organizational direction and accountability for performance; and having a safe, trusting, effective, and cooperative work environment. In many organizations, employees and volunteers are drawn to and derive meaning from their work because it is aligned with their personal values.

Drivers of workforce engagement. Although satisfaction with pay and pay increases are important, these two factors generally are not sufficient to ensure workforce engagement and high performance. Some examples of other factors to consider are effective problem and grievance resolution; development and career opportunities; the work environment and management support; workplace safety and security; the workload; effective communication, cooperation, and teamwork; the degree of empowerment; job security; appreciation of the differing needs of diverse workforce groups; and organizational support for serving customers.

Factors inhibiting engagement. It is equally important to understand and address factors inhibiting engagement. You could develop an understanding of these factors through workforce surveys, focus groups, blogs, or exit interviews with departing workforce members.

Compensation and recognition. Compensation and recognition systems should be matched to your work systems. To be effective, compensation and recognition might be tied to demonstrated skills. Approaches might also include profit sharing; mechanisms for expressing simple “thank yous”; rewards for exemplary team or unit performance; and linkage to customer engagement measures, achievement of organizational strategic objectives, or other key organizational objectives.

Other indicators of workforce engagement. In addition to direct measures of workforce engagement through formal or informal surveys, other indicators include absenteeism, turnover, grievances, and strikes.

Workforce development needs. Depending on the nature of your organization’s work, workforce responsibilities, and stage of organizational and personal development, workforce development needs might vary greatly. These needs might include gaining skills for knowledge sharing, communication, teamwork, and problem solving; interpreting and using data; exceeding customer requirements; analyzing and simplifying processes; reducing waste and cycle time; working with and motivating volunteers; and setting priorities based on strategic alignment or cost‐benefit analysis.

Education needs might also include advanced skills in new technologies or basic skills, such as reading, writing, language, arithmetic, and computer skills.

Learning and development locations and formats. Learning and development opportunities might occur inside or outside your organization and could involve on‐the‐job, classroom, e‐learning, or distance learning, as well as developmental assignments, coaching, or mentoring.

Individual learning and development needs. To help people realize their full potential, many organizations prepare an individual development plan with each person that addresses his or her career and learning objectives.

Customer contact training. Although this item does not specifically ask you about training for customer contact employees, such training is important and common. It frequently includes gaining critical skills and knowledge about your products and customers, how to listen to customers, how to recover from problems or failures, and how to effectively manage and exceed customer expectations.

Knowledge transfer. Your organization’s knowledge management system should provide the mechanism for sharing your people’s and your organization’s knowledge to ensure that high performance is maintained through transitions. You should determine what knowledge is critical for your operations and then implement systematic processes for sharing this information. This is particularly important for implicit knowledge (i.e., knowledge personally retained by workforce members).

Learning and development effectiveness. Measures to evaluate the effectiveness and efficiency of your workforce and leader development and learning systems might address the impact on individual, unit, and organizational performance; the impact on customer‐related performance; and costs versus benefits.

Operations (Category 6)

This category asks how you focus on your organization’s work, product design and delivery, innovation, and operational effectiveness to achieve organizational success now and in the future.

6.1 Work Processes

Purpose

This item asks about the management of your key products, your key work processes, and innovation, with the aim of creating value for your customers and achieving current and future organizational success.

Commentary

Work process requirements. Your design approaches could differ appreciably depending on the nature of your product or service offerings—whether the products and services are entirely new, are variants, are customized, or involve major or minor work process changes. Your design approaches should consider the key requirements for your products and services. Factors that you might need to consider in work process design include safety, long‐term performance, environmental impact, your carbon footprint and “green” manufacturing, measurement capability, process capability, manufacturability, maintainability, variability in customer expectations requiring product or support options, supplier capability, and documentation.

Effective design must also consider the cycle time and productivity of production and delivery processes. This might involve detailed mapping of manufacturing or service processes and the redesign (“reengineering”) of those processes to achieve efficiency, as well as to meet changing customer requirements.

Work process design. Many organizations need to consider requirements for suppliers, partners, and collaborators at the work process design stage. Overall, effective design must take into account all stakeholders in the value chain. If many design projects are carried out in parallel or if your products utilize parts or supplies, equipment, personnel, and facilities that are used for other products or processes, coordination of resources might be a major concern, but it might also offer a means to significantly reduce unit costs and time to market.

Key product‐related and business processes. Your key work processes include your product- and service‐related processes and those nonproduct business processes that your senior leaders consider important to organizational success and growth. These processes frequently relate to your organization’s core competencies, strategic objectives, and critical success factors. Key business processes might include technology acquisition, information and knowledge management, mergers and acquisitions, global expansion, project management, and sales and marketing. For some nonprofit organizations, key business processes might include fundraising, media relations, and public policy advocacy. Given the diverse nature of these processes, the requirements and performance characteristics might vary significantly for different processes.

In‐process measures. This item refers specifically to in‐process measurements. These measurements require you to identify critical points in processes for measurement and observation. These points should occur as early as possible in processes to minimize problems and costs that may result from deviations from expected performance.

Key support processes. Your key work processes include those processes that support your daily operations and your product and service delivery but are not usually designed in detail with the products. Support process requirements do not usually depend significantly on product characteristics. Such requirements usually depend significantly on internal requirements, and they must be coordinated and integrated to ensure efficient and effective linkage and performance. Support processes might include processes for finance and accounting, facilities management, legal services, human resource services, public relations, and other administrative services.

Process performance. Achieving expected process performance frequently requires setting in‐process performance levels or standards to guide decision making. When deviations occur, corrective action is required to restore the performance of the process to its design specifications. Depending on the nature of the process, the corrective action could involve technology, people, or both. Proper corrective action involves changes at the source (root cause) of the deviation and should minimize the likelihood of this type of variation occurring again or elsewhere in your organization.

When customer interactions are involved, evaluation of how well the process is performing must consider differences among customers. This is especially true of professional and personal services. In some organizations, cycle times for key processes may be a year or longer, which may create special challenges in measuring day‐to‐day progress and identifying opportunities for reducing cycle times, when appropriate.

Process improvement. This item calls for information on how you improve processes to achieve better performance. Better performance means not only better quality from your customers’ perspectives, but also better financial and operational performance—such as productivity—from your other stakeholders’ perspectives. A variety of process improvement approaches are commonly used. Examples include

  • using the results of organizational performance reviews;
  • sharing successful strategies across your organization to drive learning and innovation;
  • performing process analysis and research (e.g., process mapping, optimization experiments, error proofing);
  • conducting technical and business research and development;
  • using quality improvement tools like Lean, Six Sigma, and Plan‐Do‐Check‐Act (PDCA);
  • benchmarking;
  • using alternative technology; and
  • using information from customers of the processes—within and outside your organization.

Process improvement approaches might use financial data to evaluate alternatives and set priorities. Together, these approaches offer a wide range of possibilities, including a complete redesign (“reengineering”) of processes.

Innovation management. In an organization that has a supportive environment for innovation, there are likely to be many more ideas than the organization has resources to pursue. This leads to two critical decision points in the innovation cycle: (1) commensurate with resources, prioritizing opportunities to pursue those opportunities with the highest likelihood of a return on investment (intelligent risks) and (2) knowing when to discontinue projects and reallocate the resources either to further development of successful projects or to new projects.

6.2 Operational Effectiveness

Purpose

This item asks how you ensure effective operations in order to have a safe workplace environment and deliver customer value. Effective operations frequently depend on managing your supply chain effectively and controlling the overall costs of your operations.

Commentary

Cost control. Cost and cycle-time reduction may be achieved through Lean process management strategies. Defect reduction and improved product yield may involve Six Sigma projects. It is crucial to utilize key measures for tracking all aspects of your operations management.

Supply‐chain management. For many organizations, supply‐chain management has become a key factor in achieving productivity and profitability goals and overall organizational success. Suppliers, partners, and collaborators are receiving increasing strategic attention as organizations reevaluate their core competencies. Supplier processes should fulfill two purposes: to help improve the performance of suppliers and partners and to help them contribute to improving your overall operations. Supply‐chain management might include processes for selecting suppliers, with the aim of reducing the total number of suppliers and increasing preferred supplier and partner agreements.

Workplace safety. All organizations, regardless of size, are required to meet minimum regulatory standards for workplace and workforce safety; however, high‐performing organizations have processes in place to ensure that they not only meet these minimum standards but also go beyond a compliance orientation to a safety-first commitment. This includes designing proactive processes, with input from people directly involved in the work, to ensure a safe working environment.

Emergency preparedness. Efforts to ensure the continuity of operations in an emergency should consider all facets of your operations that are needed to provide your products and services to customers, including supply-chain availability. The specific level of operations that you will need to provide will be guided by your mission and your customers’ needs and requirements. For example, a public utility is likely to have a higher need for services than organizations that do not provide an essential function. Nonprofit organizations whose mission is to respond to emergencies will have a high need for service readiness. You should also coordinate your continuity-of-operations efforts with your efforts to ensure the availability of data and information (item 4.2).


Results (Category 7)

This category provides a systems focus that encompasses all results necessary to sustaining an enterprise: your key process and product results, your customer‐focused results, your workforce results, your leadership and governance system results, and your overall financial and market performance.

This systems focus maintains the purposes of the Baldrige Excellence Framework—superior value of offerings as viewed by your customers and the marketplace, superior organizational performance as reflected in your operational indicators, organizational learning, and learning by workforce members. Category 7 thus provides “real‐time” information (measures of progress) for evaluating, improving, and innovating processes and products, in alignment with your overall organizational strategy. While category 7 asks about results broadly, you should place a premium on monitoring outcomes that are the consequence of your operational performance and serve as predictors of future performance.

7.1 Product and Process Results

Purpose

This item asks about your key product and operational performance results, which demonstrate product and service quality and value that lead to customer satisfaction and engagement.

Commentary

Measures of product performance. This item emphasizes measures of product performance that serve as indicators of customers’ views and decisions relative to future purchases, interactions and relationships. These measures of product performance are derived from customer‐related information gathered in category 3.

Examples of product measures. Product and service measures appropriate for inclusion might be based on the following: internal quality measurements, field performance of products, defect levels, service errors, response times, and data collected from your customers by other organizations on ease of use or other attributes, as well as customer surveys on product and service performance.

Product performance and customer indicators. The correlation between product and service performance and customer indicators is a critical management tool with multiple uses: (1) defining and focusing on key quality and customer requirements, (2) identifying product and service differentiators in the marketplace, and (3) determining cause‐effect relationships between your product or service attributes and evidence of customer satisfaction and engagement. The correlation might reveal emerging or changing market segments, the changing importance of requirements, or even the potential obsolescence of offerings.

Process effectiveness and efficiency measures. Measures and indicators of process effectiveness and efficiency might include the following:

  • Work system performance that demonstrates improved cost savings or higher productivity by using internal and/or external resources
  • Reduced emission levels, carbon footprint, or energy consumption
  • Waste-stream reductions, by‐product use, and recycling
  • Internal responsiveness indicators, such as cycle times, production flexibility, lead times, setup times, and time to market
  • Improved performance of administrative and other support functions
  • Business‐specific indicators, such as innovation rates and increased product and process yields, Six Sigma initiative results, and acceptable product performance at the time of delivery
  • Supply‐chain indicators, such as reductions in inventory and incoming inspections, increases in quality and productivity, improvements in electronic data exchange, and reductions in supply‐chain management costs
  • Third‐party assessment results, such as ISO 9001 audits

Measures of organizational and operational performance. This item encourages you to develop and include unique and innovative measures to track key processes and operational improvement. Unique measures should consider cause‐effect relationships between operational performance and product quality or performance. All key areas of organizational and operational performance, including your organization’s readiness for emergencies, should be evaluated by measures that are relevant and important to your organization.

7.2 Customer-Focused Results

Purpose

This item asks about your customer‐focused performance results, which demonstrate how well you have been satisfying your customers and engaging them in loyalty‐building relationships.

Commentary

Your performance as viewed by your customers. This item focuses on all relevant data to determine and help predict your performance as viewed by your customers. Relevant data and information include the following:

  • Customer satisfaction and dissatisfaction
  • Retention, gains, and losses of customers and customer accounts
  • Customer complaints, complaint management, effective complaint resolution, and warranty claims
  • Customer‐perceived value based on quality and price
  • Customer assessment of access and ease of use (including courtesy in service interactions)
  • Customer advocacy for your brand and product offerings
  • Awards, ratings, and recognition from customers and independent rating organizations

Results that go beyond satisfaction. This item places an emphasis on customer‐focused results that go beyond satisfaction measurements, because customer engagement and relationships are better indicators and measures of future success in the marketplace and of organizational sustainability.

7.3 Workforce-Focused Results

Purpose

This item asks about your workforce‐focused performance results, which demonstrate how well you have been creating and maintaining a productive, caring, engaging, and learning environment for all members of your workforce.

Commentary

Workforce results factors. Results reported might include generic or organization‐specific factors. Generic factors might include safety, absenteeism, turnover, satisfaction, and complaints (grievances). For some measures, such as absenteeism and turnover, local or regional comparisons might be appropriate. Organization‐specific factors are those you assess to determine workforce climate and engagement. These factors might include the extent of training, retraining, or cross‐training to meet capability and capacity needs; the extent and success of workforce empowerment; the extent of union‐management partnering; or the extent of volunteer involvement in process and program activities.

Workforce capacity and capability. Results reported for indicators of workforce capacity and capability might include staffing levels across organizational units and certifications to meet skill needs. Additional factors may include organizational restructuring, as well as job rotations designed to meet strategic directions or customer requirements. Backlogs or reductions in backlogs could be indicators of capacity or capability challenges or improvements, respectively.

Workforce engagement. Results measures reported for indicators of workforce engagement and satisfaction might include improvement in local decision making, organizational culture, and workforce knowledge sharing. Input data, such as the number of cash awards, might be included, but the main emphasis should be on data that show effectiveness or outcomes. For example, an outcome measure might be increased workforce retention resulting from establishing a peer recognition program or the number of promotions into leadership positions that have resulted from the organization’s leadership development program.

7.4 Leadership and Governance Results

Purpose

This item asks about your key results in the areas of senior leadership and governance, which demonstrate the extent to which your organization is fiscally sound, ethical, and socially responsible.

Commentary

Importance of high ethical standards. Independent of an increased national focus on issues of governance and fiscal accountability, ethics, and leadership accountability, it is important for organizations to practice and demonstrate high standards of overall conduct. Governance bodies and senior leaders should track relevant performance measures regularly and emphasize this performance in stakeholder communications.

Results to report. Your results should include environmental, legal, and regulatory compliance; results of oversight audits by government or funding agencies; noteworthy achievements in these areas, as appropriate; and organizational contributions to societal well‐being and support for key communities.

Sanctions or adverse actions. If your organization has received sanctions or adverse actions under law, regulation, or contract during the past five years, you should summarize the incidents, their current status, and actions to prevent re-occurrence.

Measures of strategy implementation. Because many organizations have difficulty determining appropriate measures, measuring progress in accomplishing their strategy is a key challenge. Frequently, organizations can discern these progress measures by first defining the results that would indicate end‐goal success in achieving a strategic objective and then using that end‐goal to define intermediate measures.

7.5 Financial and Market Results

Purpose

This item asks about your key financial and market results, which demonstrate your financial sustainability and your marketplace achievements.

Commentary

Senior leaders’ role. Measures reported in this item are those usually tracked by senior leaders on an ongoing basis to assess your organization’s financial performance and viability.

Appropriate measures to report. In addition to the measures included in the note to 7.5a(1), appropriate financial measures and indicators might include revenues, budgets, profits or losses, cash position, net assets, debt leverage, cash‐to‐cash cycle time, earnings per share, financial operations efficiency (collections, billing, receivables), and financial returns. Marketplace performance measures might include measures of business growth, new products and markets entered, or the percentage of revenues derived from new products.

Cybersecurity Framework FTC

The NIST Cybersecurity Framework and the FTC
By: Andrea Arias | Aug 31, 2016  from FTC website


We often get the question, “If I comply with the NIST Cybersecurity Framework, am I complying with what the FTC requires?”  From the perspective of the staff of the Federal Trade Commission, NIST’s Cybersecurity Framework is consistent with the process-based approach that the FTC has followed since the late 1990s, the 60+ law enforcement actions the FTC has brought to date, and the agency’s educational messages to companies, including its recent Start with Security guidance.  Let’s start with a little background.

How did the Cybersecurity Framework come about?

In February 2013, President Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” which called on the Department of Commerce’s National Institute of Standards and Technology (NIST) to develop a voluntary risk-based Cybersecurity Framework for the nation’s critical infrastructure—that is, a set of industry standards and best practices to help organizations identify, assess, and manage cybersecurity risks.  NIST issued the resulting Framework in February 2014.

What is the Cybersecurity Framework?

Figure: NIST Cybersecurity Framework Core, functions and categories

The Framework provides organizations with a risk-based compilation of guidelines that can help them identify, implement, and improve cybersecurity practices.  The Framework does not introduce new standards or concepts; rather, it leverages and integrates cybersecurity practices that have been developed by organizations like NIST and the International Organization for Standardization (ISO).

The Framework terms this compilation of practices as the “Core.”  This Core is composed of five concurrent and continuous functions—Identify, Protect, Detect, Respond, and Recover—that provide a strategic view of the lifecycle of an organization’s management of cybersecurity risk.  Each function is further divided into categories tied to programmatic needs and particular activities.  In addition, each category is broken down into subcategories that point to informative references.  Those references cite specific sections of standards, guidelines, and practices that illustrate a method to achieve the outcomes associated with each subcategory.

The five functions signify the key elements of effective cybersecurity.  Identify helps organizations gain an understanding of how to manage cybersecurity risks to systems, assets, data, and capabilities.  Protect helps organizations develop the controls and safeguards necessary to protect against or deter cybersecurity threats.  Detect covers the steps organizations should consider taking to provide proactive and real-time alerts of cybersecurity-related events.  Respond helps organizations develop effective incident response activities.  And Recover is the development of continuity plans so organizations can maintain resilience—and get back to business—after a breach.

The Framework breaks down each of these functions into additional categories and then provides helpful guidance.  For example, as the chart above shows, the Identify function has five categories:  Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.  Under Governance, one of the four subcategories is that an organization should establish an organizational security policy.  The subcategory points organizations to standards such as COBIT, ISA, ISO/IEC, and NIST SP 800-53 Rev. 4 for information on how to implement a policy.

As the Framework recognizes, there’s no one-size-fits-all approach to managing cybersecurity risk.  Because organizations have unique risks—different threats, different vulnerabilities, and different risk tolerances—their approaches to risk management will vary.  But that’s the benefit of the Framework:  It’s not a checklist, but rather a compilation of industry-leading cybersecurity practices that organizations should consider in building their own cybersecurity programs.  For most organizations, critical infrastructure or not, the Framework may be well worth using solely for its stated goal of improving risk-based security.  But it also can deliver additional benefits—for example, encouraging effective collaboration and communication with company executives and industry organizations.  That’s because the Core provides a common language regarding cybersecurity issues that can help facilitate important discussions between an organization’s IT staff and its business people, some of whom may tune out when they hear technical terminology.

How does the Framework relate to the FTC’s work on data security?

As the nation’s consumer protection agency, the FTC is committed to protecting consumer privacy and promoting data security in the private sector.  The FTC has undertaken substantial efforts for well over a decade to promote data security in the private sector through civil law enforcement, business outreach and consumer education, policy initiatives, and recommendations to Congress to enact legislation in this area.  Section 5 of the FTC Act is the primary enforcement tool that the FTC relies on to prevent deceptive and unfair business practices in the area of data security.  Since 2001, the FTC has settled some 60 cases against companies the FTC alleges failed to provide reasonable protections for consumers’ personal information.

From the outset, the FTC has recognized that there is no such thing as perfect security, and that security is a continuing process of detecting risks and adjusting one’s security program and defenses.  For that reason, the touchstone of the FTC’s approach to data security has been reasonableness—that is, a company’s data security measures must be reasonable in light of the volume and sensitivity of information the company holds, the size and complexity of the company’s operations, the cost of the tools that are available to address vulnerabilities, and other factors.  Moreover, the FTC’s cases focus on whether the company has undertaken a reasonable process to secure data.

With that bit of background on the FTC’s data security program, let’s get back to the question, “If I comply with the Framework, am I complying with what the FTC requires?”  The Framework is not, and isn’t intended to be, a standard or checklist.  It’s meant to be used by an organization to determine its current cybersecurity capabilities, set individual goals, and establish a plan for improving and maintaining a cybersecurity program, but it doesn’t include specific requirements or elements.  In this respect, there’s really no such thing as “complying with the Framework.”  Instead, it’s important to remember that the Framework is about risk assessment and mitigation.  In this regard, the Framework and the FTC’s approach are fully consistent:  The types of things the Framework calls for organizations to evaluate are the types of things the FTC has been evaluating for years in its Section 5 enforcement to determine whether a company’s data security and its processes are reasonable.  By identifying different risk management practices and defining different levels of implementation, the NIST Framework takes a similar approach to the FTC’s long-standing Section 5 enforcement.

Indeed, the alleged lapses the FTC has challenged through its law enforcement actions correspond well with the Framework’s five Core functions.  Let’s review each of the Framework’s functions more fully.

Identify.  The purpose of the Identify function is to develop an understanding of cybersecurity risks to systems, assets, data, and capabilities, which in turn helps organizations focus and prioritize their security efforts, consistent with their risk management strategy and business needs.

The FTC has brought a number of cases alleging that companies had failed to take appropriate action to assess security risks and develop plans to address them.  These same types of activities fall within the Framework’s Identify function.  For example, in the complaints against CVS Caremark Corporation and Petco Animal Supplies, Inc., the FTC alleged that those companies failed to implement policies and procedures to safeguard consumers’ information.  These allegations align with the Framework’s guidance on establishing an organizational information security policy.

Figure: NIST Cybersecurity Framework, Identify function categories

Likewise, in the complaints against HTC America, Inc. and TRENDnet, Inc., the FTC alleged that the companies did not have a process for receiving, addressing, or monitoring reports about security vulnerabilities.  These allegations are consistent with the Framework’s guidance that companies should consider having a method for receiving threat and vulnerability information from information-sharing forums and sources.

Ultimately, much like the Framework’s Identify function, the FTC’s cases have sought to ensure that companies are taking reasonable steps to identify vulnerabilities and threats to determine the risk to consumers’ personal information.

Protect.  The Framework’s Protect function provides guidance to help organizations develop and implement appropriate safeguards to ensure the delivery of critical services and to limit or contain the impact of a cybersecurity event.  This includes limiting access to assets and facilities, raising employees’ awareness and providing training, managing consumers’ information consistent with the organization’s risk strategy, maintaining security policies and information security components, and using technical security solutions to secure systems and assets.

Figure: NIST Cybersecurity Framework, Protect function categories

Many FTC cases highlight companies’ alleged failures to implement reasonable data security practices that the Framework emphasizes under the Protect function.  For example, in its action against Twitter, Inc., the FTC alleged that the company gave almost all of its employees administrative control over Twitter’s system.  According to the FTC’s complaint, by providing administrative access to so many employees, Twitter increased the risk that a compromise of any of its employees’ credentials could result in a serious breach.  This principle comports with the Framework’s guidance about managing access permissions, incorporating the principles of least privilege and separation of duties.
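The Twitter allegation is the textbook least-privilege failure: the share of accounts holding administrative control is itself a risk metric, and it belongs in a recurring audit rather than a one-off review. The script below is an added example, not code from the FTC, NIST or any company named on this page. The account records, the role names, the 10% ceiling on administrative accounts and the separation-of-duties role pairs are all constructed assumptions; in practice the account list would come from the identity provider or the application's own role table.

```python
"""Least-privilege audit of role assignments.

Added example, not code from the FTC, NIST or any company named on this page.
The account list, role names, the 10% ceiling on administrative accounts and
the separation-of-duties pairs are constructed assumptions for illustration.
"""

# Constructed sample: one record per account, as exported from an identity
# provider or an application's own role table.
ACCOUNTS = [
    {"user": "alice", "roles": {"admin", "developer"}},
    {"user": "bob",   "roles": {"admin"}},
    {"user": "carol", "roles": {"developer", "release_approver"}},
    {"user": "dave",  "roles": {"admin", "support"}},
    {"user": "erin",  "roles": {"support"}},
    {"user": "frank", "roles": {"admin"}},
    {"user": "grace", "roles": {"developer"}},
    {"user": "heidi", "roles": {"payments_initiate", "payments_approve"}},
    {"user": "ivan",  "roles": {"support"}},
    {"user": "judy",  "roles": {"developer"}},
]

# Roles that confer administrative control over the system (assumed names).
ADMIN_ROLES = {"admin", "superuser"}

# Role pairs one person must never hold together (assumed separation-of-duties rules).
TOXIC_PAIRS = [
    ("developer", "release_approver"),
    ("payments_initiate", "payments_approve"),
]

# Assumed policy ceiling: at most 10% of accounts may be administrative.
MAX_ADMIN_RATIO = 0.10


def admin_accounts(accounts):
    """Users holding any administrative role, in input order."""
    return [a["user"] for a in accounts if a["roles"] & ADMIN_ROLES]


def admin_ratio(accounts):
    """Fraction of accounts that are administrative (0.0 for an empty list)."""
    if not accounts:
        return 0.0
    return len(admin_accounts(accounts)) / len(accounts)


def sod_violations(accounts):
    """(user, role_a, role_b) for every account holding a toxic role pair."""
    hits = []
    for a in accounts:
        for role_a, role_b in TOXIC_PAIRS:
            if {role_a, role_b} <= a["roles"]:
                hits.append((a["user"], role_a, role_b))
    return hits


def audit(accounts, max_admin_ratio=MAX_ADMIN_RATIO):
    """Return a list of findings; an empty list means the policy is satisfied."""
    findings = []
    ratio = admin_ratio(accounts)
    if ratio > max_admin_ratio:
        findings.append({
            "kind": "too_many_admins",
            "ratio": ratio,
            "users": admin_accounts(accounts),
        })
    for user, role_a, role_b in sod_violations(accounts):
        findings.append({"kind": "separation_of_duties",
                         "user": user, "roles": [role_a, role_b]})
    return findings


if __name__ == "__main__":
    for finding in audit(ACCOUNTS):
        print(finding)
```

On the constructed data four of ten accounts are administrative (40%, well above the assumed ceiling) and two users hold toxic pairs, so the audit returns three findings. The ratio threshold is a crude but useful signal: a system where "almost all" staff are administrators, as alleged in the Twitter complaint, fails it no matter which ceiling is chosen.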

The FTC’s cases against Accretive Health, Inc. and Cbr Systems, Inc. also comport with the Framework’s guidance relating to protecting data-in-transit and formally managing assets throughout removal, transfers, and disposition.  In Accretive, the FTC alleged that an employee transported a laptop with personal information in a manner that made it vulnerable to theft or other misappropriation.  Likewise, in Cbr Systems, the FTC alleged that the company created unnecessary risks to personal information by transporting portable media with personal information in a manner that made it susceptible to theft or misappropriation.  In both cases, the laptops and the portable media were stolen, unnecessarily exposing thousands of people’s personal information.  These cases demonstrate why companies should have reasonable security policies for when data is in transit or being transferred.

As shown, many of the FTC’s cases involve companies’ failures to develop and implement reasonable safeguards to protect consumers’ information—measures that also would fall under the Framework’s Protect function.

Detect.  The Framework’s Detect function delineates various steps that organizations could take to develop and implement appropriate methods to identify the occurrence of a cybersecurity event in a timely manner.  This includes monitoring information systems and assets at discrete intervals, and maintaining and testing detection processes and procedures to ensure timely and adequate awareness of anomalous events.

Figure: NIST Cybersecurity Framework, Detect function categories

The FTC has brought several cases that highlight why it’s important to have processes in place to detect intrusions.  For example, in its action against Dave & Buster’s, Inc., the FTC alleged that the company didn’t use an intrusion detection system and didn’t monitor system logs for suspicious activity.  Likewise, in Franklin’s Budget Car Sales, Inc., the FTC alleged that the company didn’t inspect outgoing Internet transmissions to identify unauthorized disclosures of personal information.  Had these companies used tools to monitor activity on their networks, they could have reduced the risk of a data compromise or its breadth.  Their alleged deficiencies also didn’t comport with the Framework’s guidance within the Detect function about monitoring networks for potential cybersecurity events or for unauthorized personnel, connections, devices, and software.
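The two allegations describe two different detections: watching authentication logs for suspicious activity (Dave & Buster's) and inspecting outgoing transmissions for personal information (Franklin's). The script below is an added example, not code from the FTC or either company; it runs both detections over constructed data. The sshd-style log lines, the outbound records, the failed-login threshold and the egress log format are assumptions; a real deployment would read these from the log pipeline or egress proxy.

```python
"""Two detections: a brute-force pattern in authentication logs, and payment
card numbers in outbound data.

Added example, not code from the FTC or any company named on this page. The
log format, sample lines, threshold and outbound records are constructed.
"""
import re
from collections import defaultdict

# Constructed sshd-style authentication log.
AUTH_LOG = """\
2016-08-31T02:14:01 host1 sshd[812]: Failed password for root from 203.0.113.9 port 50122 ssh2
2016-08-31T02:14:03 host1 sshd[813]: Failed password for root from 203.0.113.9 port 50123 ssh2
2016-08-31T02:14:05 host1 sshd[814]: Failed password for admin from 203.0.113.9 port 50124 ssh2
2016-08-31T02:14:07 host1 sshd[815]: Failed password for root from 203.0.113.9 port 50125 ssh2
2016-08-31T02:14:09 host1 sshd[816]: Failed password for root from 203.0.113.9 port 50126 ssh2
2016-08-31T02:14:11 host1 sshd[817]: Failed password for root from 203.0.113.9 port 50127 ssh2
2016-08-31T02:14:13 host1 sshd[818]: Accepted password for root from 203.0.113.9 port 50128 ssh2
2016-08-31T02:20:44 host1 sshd[900]: Failed password for alice from 198.51.100.7 port 41002 ssh2
2016-08-31T02:21:02 host1 sshd[901]: Accepted password for alice from 198.51.100.7 port 41003 ssh2
"""

# Constructed outbound transmissions (destination, body) as an egress proxy might log them.
OUTBOUND = [
    ("mail.example.net", "Invoice 1234567890123456 attached, thanks"),
    ("203.0.113.50", "cust=J.Doe;pan=4111 1111 1111 1111;exp=09/19"),
    ("partner.example.com", "nightly report ok"),
]

AUTH_RE = re.compile(r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>[\d.]+)")
# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def failed_login_bursts(log_text, threshold=5):
    """Source IPs with more than `threshold` failed logins, and whether a success followed."""
    failures = defaultdict(int)
    users = defaultdict(set)
    success_after = defaultdict(bool)
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        if m.group("result") == "Failed":
            failures[ip] += 1
            users[ip].add(m.group("user"))
        elif failures[ip] > 0:
            success_after[ip] = True  # a success after earlier failures from the same source
    return [
        {"ip": ip, "failures": n, "users": sorted(users[ip]), "later_success": success_after[ip]}
        for ip, n in failures.items() if n > threshold
    ]


def luhn_ok(digits):
    """Luhn checksum, which every real card number passes; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Digit strings that look like card numbers and pass Luhn."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan):
    """Keep the first six and last four digits so the alert does not re-expose the number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_outbound(records):
    """Alerts for transmissions carrying a card number, with the number masked."""
    alerts = []
    for dst, body in records:
        pans = find_card_numbers(body)
        if pans:
            alerts.append({"dst": dst, "pans": [mask(p) for p in pans]})
    return alerts


if __name__ == "__main__":
    print(failed_login_bursts(AUTH_LOG))
    print(scan_outbound(OUTBOUND))
```

Two details matter in practice. The login detector reports whether a success followed the burst from the same source, which is the event that turns a noisy alert into an incident. The egress scanner applies the Luhn check so that an invoice number does not trigger an alert, and it masks the card number in its own output; a detection pipeline that copies full card numbers into alert tickets has created a new place for the data to leak from.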

Respond.  The Framework’s Respond function provides guidance on how to develop and implement appropriate actions in response to a detected cybersecurity event to effectively contain its impact.  This can include executing and maintaining response processes and procedures, coordinating with internal and external stakeholders, conducting analysis to ensure adequate response, containing and mitigating incidents, and incorporating lessons learned.

Many of the FTC’s cases have challenged companies’ failures to execute and maintain reasonable response processes and procedures.  For example, in its case against Wyndham Worldwide Corporation, the FTC alleged that the company failed to follow proper incident response procedures, including failing to monitor its computer network for malware used in a previous intrusion.  As a result of this and other failures, the FTC alleged that intruders were able to gain access to the company’s computer network on three separate occasions in a 21-month period, leading to the compromise of more than 619,000 payment card account numbers and more than $10.6 million in fraud loss.

Figure: NIST Cybersecurity Framework, Respond function categories

The FTC’s case against ASUSTeK Computer, Inc., demonstrates why it is important for companies to voluntarily share information with external stakeholders to achieve broader awareness of cybersecurity threats—guidance echoed by the Framework.  According to the complaint, ASUSTeK learned of a variety of vulnerabilities affecting its routers.  Despite this knowledge, ASUSTeK failed to provide adequate notice to consumers about these security risks, the steps consumers could have taken to mitigate them, and the availability of software updates that would correct or mitigate the vulnerabilities.  As a result, hackers located consumers’ routers and exploited the vulnerabilities to gain unauthorized access to over 12,900 connected storage devices.

Several of the FTC’s cases have sought to ensure that companies not only detect breaches, but also take appropriate steps when a breach happens.  This means that companies should contain events and communicate their occurrence with the appropriate parties.  The Framework’s Respond function has a similar goal.

Recover.  The Framework’s Recover function outlines steps organizations could take to develop, implement, and maintain plans for resilience and to restore capabilities or services that were impaired due to a cybersecurity event.  It includes incorporating lessons learned into future activities, and coordinating with internal and external parties.

The Recover function supports a return to normal operations after a cybersecurity event.  FTC orders demonstrate the importance of this function, emphasizing how consumer interests should factor into a company’s recovery plan.  For example, in Oracle Corporation, the order required the company to provide broad notice to its users about the settlement and how to address Java vulnerabilities.  Under the terms of the order, Oracle reached out to users not only through its website and social media, but also by working with external parties, such as antivirus and browser vendors.  This is consistent with the Framework’s guidance under the Recover function that organizations should consider communicating recovery activities with internal and external parties, including coordinating centers, Internet Service Providers, victims, and vendors.

How can a company use the Framework and the FTC’s Start with Security guidance?

The Framework’s five Core functions can serve as a model for companies of all sizes to conduct risk assessments and mitigation, and can be used by companies to:  (1) establish or improve a data security program; (2) review current data security practices; or (3) communicate data security requirements with stakeholders.  And as the FTC’s enforcement actions show, companies could have better protected consumers’ information if they had followed fundamental security practices like those highlighted in the Framework.

In addition, given that the FTC’s enforcement actions align well with the Framework’s Core functions, companies should review the FTC’s publication, Start with Security, which summarizes lessons learned from the FTC’s data security cases and provides practical guidance to reduce cybersecurity risks.  Applying the risk management approach presented in the Framework with a reasonable level of rigor—as companies should do—and applying the FTC’s Start with Security guidance will raise the cybersecurity bar of the nation as a whole and lead to more robust protection of consumers’ data.

NIST SP 800-160 Review

Our Forum is very interested in your opinion of the NIST SP 800-160 second draft in the context of IT Service Management.

Provide NIST SP 800-160 Review

Some organizations have started to put the special publication into practice based on the first draft and are continuing efforts associated with changes within the second draft. This special publication is authored by Dr Ron Ross of NIST and can be found at the link provided below.

The Global Forum to Advance Cyber Resilience is interested in seeing how an organization utilizing the foundational building blocks associated with our International participants in cyber resilient IT Service Management (ITSM) can take advantage of the work to become more resilient.  Our focus is on this very large and internationally recognized homogeneous domain.  We are in the process of creating public and private collaborative events associated with this topic.  Contact us if you are interested.

Charlie Tupitza
Acting CEO

Purpose:  The purpose of this activity is to gather information from subject matter experts who have taken the time to study the NIST SP 800-160 second draft and provide thought leadership to our Forum identifying its value, and how to best incorporate this value into the normal operations of an organization.  We intend to share this information with the NIST and other interested parties associated with our Forum. We are focused on the implications for organizations utilizing ITSM.

If you are interested in contributing thought leadership and/or participating in our private and public sector collaboration on this topic, please follow the instructions below:

Please create a Word document with the following information about the SP 800-160 and submit it via the form below or by email to <here>:

  • Your name and contact information
  • Background about yourself.
  • Organization name
  • Does your organization utilize ITIL?  To what extent?
  • Is there governance to do so such as the Defense Department directive to use the Defense Enterprise Service Management Framework (DESMF) or a service contract for internal or external customers?
  • Does your organization currently utilize the NIST SP 800-160?
  • Overall opinion of the NIST SP 800-160:
  • Suggested additions to the document for improvement:
  • Best attributes of the NIST SP 800-160:
  • Suggested change to the document:
  • How do you think this should be used within an ITSM environment?
  • Comment on change management and transition implications.
  • Comment on continual improvement suggestions associated with use.
  • How would this be considered in the Strategy Phase of any product or service?
  • Implications for your organization as a member of a supply chain of products and/or services:
  • May we make this information public?  If so, would you like attribution, and how?
  • May we submit this information with other submissions to the NIST for consideration?  If so with or without attribution?
  • Are you willing to participate in Focus Group activities associated with this topic?

NIST SP 800-160 second draft can be found here

Dr Ron Ross’s Presentation on Managing Security Risk here


Click for NIST SP 800-160 second draft

NIST Respond and Recover RSA 2016

1 March 2016  I attended the working session the NIST put together at the RSA conference yesterday regarding input from the public for their guidance on response and recovery. There were about thirty people in attendance for about an hour and a half.  Kevin Stine and Donna Dodson along with several other NIST folks and their contractor for this project G2 Inc were there in support.

They seem to be approaching this from a general point of view.

Utilizing Service Management

This Forum is approaching response, recovery, and minimization of damage from the perspective of utilizing IT Service Management best practices, so that all in the discussion will be utilizing a common lexicon for the approach.  We will add the cyber perspective to that of incident response, recovery, and impact minimization.  We will share these lessons with the NIST.  This approach will complement what they are doing.

Charlie Tupitza
Forum CEO

ARK Network Security Solutions

A Powerful Opportunity

“Cybersecurity standards represent the collective insight of thousands of cyber risk managers who know best the basic steps that every organization should take to protect itself from cyber harm.  What’s needed now are the specific cyber risk controls that clarify how to implement those standards to ensure maximum cybersecurity impact.  With its resilience focus, the Global Forum will offer participants a powerful opportunity to define and identify those controls – most especially for the “Respond” and “Recover” functions of the NIST Cybersecurity Framework.”

Tom Finan, ARK Network Security Solutions, Former Senior Cybersecurity Strategist and Counsel.

GENEDGE NIST MEP

GENEDGE Committed to Continuing Relationship

GENEDGE is committed to continuing our relationship with the Global Forum to Advance Cyber Resilience.  Cyber Security is a strategic technology segment for the Commonwealth of VA. 

Thank you for thinking of the NIST MEP system (of small to mid-sized manufacturers) for inclusion in your foundation as well as the future business model for the Forum.

Bill Donohue President, Executive Director, GENEDGE, NIST MEP