The Cyber Resilience Review* (CRR) is a lightweight assessment method created by the U.S. Department of Homeland Security (DHS) to evaluate the cybersecurity and service continuity practices of critical infrastructure owners and operators. Private sector organizations and foreign government bodies also use the same CRR to evaluate enterprise programs and practices across ten domains, including risk management, incident management, service continuity, and others.
The CRR assessment seeks to identify how an organization aligns its cybersecurity management activities with the performance or production of its critical services. The assessment consists of 299 questions and is typically delivered in a 12- to 16-hour workshop led by a qualified facilitator over two consecutive days. Our specially trained facilitator elicits answers from the organization's personnel in cybersecurity, operations, physical security, and business continuity. Throughout the assessment workshop, your organization's participating team members work together to record answers in the assessment kit (available at no charge), which is then used to generate a complete 176-page analysis and report. Learn more about assessment topics and structure in "Assessment approach" below.
Performing a CRR mapped to the NIST Cybersecurity Framework* (NIST CSF) is a practical way to begin establishing or improving enterprise-wide cybersecurity governance and practices based on the framework. Certified Information Security's qualified security assessors have been trained by official DHS assessors to facilitate private (non-DHS) CRR question-based assessments for organizations that are not otherwise eligible for DHS facilitation. Small teams often choose to attend regularly scheduled public group assessment workshops, while larger teams typically opt to reserve discounted private on-site or virtual assessments.
* The self-assessment package is available at https://www.cisa.gov/sites/default/files/publications/1_CRR_v4.0_Self-Assessment-Reader_April_2020.pdf
* The NIST Cybersecurity Framework was created through collaboration between industry and government and consists of standards, guidelines, and practices that promote the protection of organizations and critical infrastructure.
The CRR is an interview-based assessment of an organization’s cybersecurity management program. It seeks to understand the cybersecurity management of services, and their associated assets, that are critical for an organization’s mission success. The CRR focuses on protection and sustainment practices within key areas that typically contribute to the overall cyber resilience of an organization. The assessment measures essential cybersecurity capabilities and behaviors to provide meaningful indicators of an organization’s operational resilience during normal operations and during times of operational stress.
The CRR is derived from the CERT® Resilience Management Model (CERT®-RMM), which was developed by the CERT Division at Carnegie Mellon University's Software Engineering Institute. The CERT-RMM is a capability-focused maturity model for process improvement, and it reflects best practices from industry and government for managing operational resilience across the disciplines of security management, business continuity management, and information technology operations management.
Asset Management
Purpose: To identify, document, and manage assets during their lifecycle to ensure sustained productivity to support critical services.
The Asset Management domain establishes a method for an organization to plan, identify, document, and manage its assets. Assets are the raw materials that services need to operate. The Asset Management domain comprises seven goals and 30 practices.
Controls Management
Purpose: To identify, analyze, and manage controls in a critical service's operating environment.
Internal control is a governance process used by an organization to ensure effective and efficient achievement of organizational objectives and to provide reasonable assurance of success. The Controls Management domain outlined in the CRR presents a way for the organization to identify control objectives and establish controls to meet those objectives. The Controls Management domain also addresses the importance of analyzing and assessing those controls to ensure that the process is constantly being improved. The Controls Management domain comprises four goals and 16 practices.
Configuration and Change Management
Purpose: To establish processes to ensure the integrity of assets, using change control and change control audits.
An organization’s asset infrastructure is constantly evolving as technology changes, information is updated, and new personnel are hired. The Configuration and Change Management domain addresses how an organization can implement processes and procedures that manage assets and ensure that changes made to those assets are minimally disruptive to the organization. The Configuration and Change Management domain comprises three goals and 23 practices.
Vulnerability Management
Purpose: To identify, analyze, and manage vulnerabilities in a critical service's operating environment.
A vulnerability is the susceptibility of an asset, and of the critical service that depends on it, to disruption. Vulnerabilities can give rise to operational risks and must be identified and managed to avoid disruptions to the critical service's operating environment. A vulnerability management process identifies and analyzes vulnerabilities before they are exploited and feeds the resulting threats into the risk management process, where they are analyzed to determine whether they pose tangible risk to the organization given its risk tolerance. The Vulnerability Management domain comprises four goals and 15 practices.
Incident Management
Purpose: To establish processes to identify and analyze events, detect incidents, and determine an organizational response.
Disruptions to an organization’s operating environment regularly occur. The Incident Management domain examines an organization’s capability to recognize potential disruptions, analyze them, and determine how and when to respond. The Incident Management domain comprises five goals and 23 practices.
Service Continuity Management
Purpose: To ensure the continuity of essential operations of services and their associated assets if a disruption occurs as a result of an incident, disaster, or other event.
The process of assessing, prioritizing, planning and responding to, and improving plans to address disruptive events is known as service continuity. The goal of service continuity is to mitigate the impact of disruptive events by utilizing tested or exercised plans that facilitate predictable and consistent continuity of the critical services. The Service Continuity Management domain comprises four goals and 16 practices.
Risk Management
Purpose: To identify, analyze, and mitigate risks to critical service assets that could adversely affect the operation and delivery of services.
Risk management is a foundational activity for any organization and is practiced at all levels, from the executives down to individuals within business units. The CRR focuses on risks to cyber-dependent operations that have the potential to interrupt delivery of the critical service being examined. While the CRR focuses on operational risk, it is important to note that operational risk management requires a comprehensive approach to be effective. The Risk Management domain comprises five goals and 13 practices.
External Dependencies Management
Purpose: To establish processes to manage an appropriate level of controls to ensure the sustainment and protection of services and assets that are dependent on the actions of external entities.
The outsourcing of services, development, and production has become a normal and routine part of operations for many organizations because outsourcing can engage specialized skills and equipment at a cost savings over internal options. The External Dependencies Management domain of the CRR presents a method for an organization to identify and prioritize those external dependencies and then focuses on managing and maintaining those dependencies. The domain comprises five goals and 14 practices.
Training and Awareness
Purpose: To develop skills and promote awareness for people with roles that support the critical service.
Training and awareness focuses on the processes by which an organization plans, identifies needs for, conducts, and improves training and awareness to ensure the organization’s operational cyber resilience requirements and goals are known and met. An organization plans for and conducts training and awareness activities that make staff members aware of their role in the organization’s cyber resilience concerns and policies. Staff members also receive specific training to enable them to perform their roles in managing organizational cyber resilience. The Training and Awareness domain comprises two goals and 11 practices.
Situational Awareness
Purpose: To actively discover and analyze information related to immediate operational stability and security, and to coordinate that information across the enterprise so that all organizational units operate from a common operating picture.
Situational awareness activities are performed throughout the organization to provide timely and accurate information about the current state of operational processes. Activities must support communication with a variety of internal and external stakeholders to support the resilience requirements of the critical service. The Situational Awareness domain comprises three goals and eight practices.
®CERT is a registered mark owned by Carnegie Mellon University.
To conduct a CRR, the U.S. Department of Homeland Security recommends involving a cross-functional team representing business, operations, security, information technology, and maintenance areas, including those responsible for:
Event Date (MM-DD-YYYY): 12-08-2022 8:30 am
Event End Date: 12-09-2022 4:30 pm
Cut-off date: 12-01-2022 5:00 pm
Cancel Registration Before Date: 11-24-2022 11:59 pm
Individual Price: USD $2,495.00
Location: Remote attendance via ZOOM (Eastern Time)
Group rates: #Registrants | Rate/Person (USD $)
Allen Keele is the founder and CEO of Certified Information Security. He is a recognized subject matter expert, author, consultant, and management systems architect for enterprise risk management (ERM), governance/risk/compliance (GRC), information security management, business continuity management (BCM), and fraud control. A seven-time published author, including "Exam Cram 2: CISA", Mr. Keele has also achieved more than twenty-five professional accreditations, including CISA, CISM, CISSP, ISO 31000 CICRA, ISO 27001 LI/LA, ISO 22301 CBCM, CFE, ISO 37301 CCP, and NIST CSF LI, and holds a Bachelor of Business Administration degree in risk management from the University of Georgia.
Mr. Keele routinely works with board members to educate them and achieve buy-in for business-critical development and improvement. He presents to, and collaborates with, CEOs, CFOs, COOs, CROs, CTOs, Chief Privacy Officers, Chief Information Officers and Chief Information Security Officers, Chief Compliance Officers, Business Continuity Managers, Auditors, Fraud Risk Officers, Quality Managers, Procurement Managers, and HSE Managers to establish and integrate comprehensive, ISO-certifiable, standards-based management systems and policies across functions throughout the enterprise. Mr. Keele brings a rare combination of risk management and compliance competence, real-world business experience, and certified technical depth to help organizations understand existing and emerging business needs, map those needs to proven and workable solution strategies, and implement those strategies to achieve meaningful and measurable success.