Baldrige Cypersecurity Excellence Builder - Supporting Statement

OMB Control No. # 0693-0033 – NIST Generic Clearance for Program Evaluation Data Collections

Baldrige Cybersecurity Excellence Builder Tool – Feedback - Information Collection

FOUR STANDARD SURVEY QUESTIONS

1. Explain who will be surveyed and why the group is appropriate to survey.

This collection of information will be an open call to industry experts in cybersecurity to provide feedback on the draft tool “Baldrige Cybersecurity Excellence Builder.” A draft copy of the tool has been uploaded into ROCIS for review and reference. The tool has been designed in collaboration with U.S. Chief Information Officer Tony Scott and the National Institute of Standard and Technology’s (NIST’s) Applied Cybersecurity Division, which is responsible for the NIST Cybersecurity Framework. “Baldrige Cybersecurity Excellence Builder” is intended to be a self-assessment tool integrating Baldrige concepts with the NIST Cybersecurity Framework. Deputy Secretary of Commerce Bruce Andrews has said that the intention of the “Baldrige Cybersecurity Excellence Builder” is to provide a way for industry to measure how effectively they are using the Cybersecurity Framework.

The Baldrige Performance Excellence Program (BPEP) now needs feedback to determine if the tool does what it is intended to do and/or needs improvement before it is finalized and released, hopefully in 2017. The purpose of this PRA request is to allow us to seek feedback from the public on the draft tool through the attached collection instrument (http://patapsco.nist.gov/Baldrige/baldrigefeedback/.

2. Explain how the survey was developed including consultation with interested parties, pre-testing, and responses to suggestions for improvement.

The information collection is a call for feedback, with the questions intended to provide BPEP with actionable information on how to improve the Baldrige Cybersecurity Excellence Builder. Such a call for feedback follows the plan that NIST’s Applied Cybersecurity Division has established to request feedback from the community. That division has gone through multiple cycles of feedback and improvement on its own framework and their real-world experiences provided great insight.

3. Explain how the survey will be conducted, how customers will be sampled if fewer than all customers will be surveyed, expected response rate, and actions your agency plans to take to improve the response rate.

A link to the collection instrument (i.e., call for feedback) will go out via email to the entire Baldrige community, as well as the NIST community. The call for feedback will also be advertised in the Federal Register and on social media (namely Twitter and through community members who regularly repost Baldrige news announcements on LinkedIn). In addition, the call for feedback will be made by U.S. Chief Information Officer Tony Scott and Deputy Secretary of Commerce Bruce Andrews at various meetings, including the Internet Security Alliance meeting in Washington, DC.

Until the collection instrument is approved under the PRA, people interested in reviewing the Baldrige Cybersecurity Excellence Builder and offering feedback will click on the link to it, download it, and review it. They then will follow the simple, one-sentence instruction to email feedback to [email protected]. There is no set format for how feedback should be received (e.g., in a certain font, or style), as we want this feedback process to be as simple as possible for the responders. Once the collection instrument is approved, the link to the collection instrument will be posted next to the email address above.

We don’t have a sense yet on how much feedback we will receive from various communities. If we do not receive enough actionable or positive feedback, we may not publish the Baldrige Cybersecurity Excellence Builder, or we may seek help from our cybersecurity experts to increase the call for feedback. In order for us to publish the Baldrige Cybersecurity Excellence Builder, we need the feedback to ensure that the tool is value added for the cyber community.

3. Describe how the results of the survey will be analyzed and used to generalize the results to the entire customer population.

The results of the information collection will be used to determine if the draft Baldrige Cybersecurity Excellence Builder should be published or improved. Feedback received and improvements will be documented in an electronic file for current and future revisions. People who give feedback may by contacted for clarifications or to expand on their suggestions.