Cyber Resilience Review

The Cyber Resilience Review (CRR) [1] is an assessment method developed by the United States Department of Homeland Security (DHS). It is a voluntary examination of operational resilience and cyber security practices offered at no cost by DHS to the operators of critical infrastructure and state, local, tribal, and territorial governments. The CRR has a service-oriented approach, meaning that one of the foundational principles of the CRR is that an organization deploys its assets (people, information, technology, and facilities) to support specific operational missions (or services). The CRR is offered in a facilitated workshop format and as a self-assessment package. [2] The workshop version of the CRR is led by a DHS facilitator at a critical infrastructure facility. The workshop typically takes 6–8 hours to complete and draws on a cross section of personnel from the critical infrastructure organization. All information collected in a facilitated CRR is protected from disclosure by the Protected Critical Infrastructure Information Act of 2002. This information cannot be disclosed through a Freedom of Information Act request, used in civil litigation, or used for regulatory purposes. [3] The CRR Self-Assessment Package [4] allows an organization to conduct an assessment without the need for direct DHS assistance. It is available for download from the DHS Critical Infrastructure Cyber Community Voluntary Program website. [5] The package includes an automated answer-capture and report-generation tool, a facilitation guide, a comprehensive explanation of each question, and a crosswalk of CRR practices to the criteria of the National Institute of Standards and Technology (NIST) Cybersecurity Framework. [6] [7] The questions asked in the CRR and the resulting report are the same in both versions of the assessment. DHS partnered with the CERT Division of the Software Engineering Institute at Carnegie Mellon University to design and deploy the CRR.
The goals and practices found in the assessment are derived from the CERT Resilience Management Model (CERT-RMM) Version 1.0. [8] The CRR was introduced in 2009 and received a significant revision in 2014. [9]

Architecture

The CRR comprises 42 goals and 141 specific practices extracted from the CERT-RMM and organized in 10 domains: [10]

  1. Asset Management
  2. Controls Management
  3. Configuration and Change Management
  4. Vulnerability Management
  5. Incident Management
  6. Service Continuity Management
  7. Risk Management
  8. External Dependency Management
  9. Training and Awareness
  10. Situational Awareness

Each domain is composed of a purpose statement, a set of specific goals and associated practice questions unique to the domain, and a standard set of Maturity Indicator Level (MIL) questions. The MIL questions examine the institutionalization of practices within an organization. The performance of an organization is scored against a MIL scale. [11] This scale depicts capability divided into five levels: MIL1-Incomplete, MIL2-Performed, MIL3-Managed, MIL4-Measured, and MIL5-Defined. Institutionalization means that cybersecurity practices become a deeper, more lasting part of the organization because they are managed and supported in meaningful ways. When cybersecurity practices become more institutionalized—or “embedded”—managers can have more confidence in the practices’ predictability and reliability. The practices also become more likely to be sustained during times of disruption or stress to the organization. Maturity can also lead to a tighter alignment between cybersecurity activities and the organization’s business drivers. For example, in more mature organizations, managers will provide oversight to the particular domain and evaluate the effectiveness of the security activities the domain comprises. The number of goals and practice questions varies by domain, but the set of MIL questions and the concepts they encompass are the same for all domains. All CRR questions have three possible responses: “Yes,” “No,” and “Incomplete.” The CRR measures performance of an organization at the practice, goal, domain, and MIL levels. Scores are calculated for each of the individual model elements and in aggregated totals. The scoring rubric establishes the following:

  1. Practices can be observed in one of three states: performed, incomplete, and not performed.
  2. A domain goal is achieved only if all of the practices related to the goal are achieved.
  3. A domain is fully achieved only if all the goals in the domain are achieved.

If the above conditions are met, the organization is said to be achieving the domain in a performed state: the practices that define the domain are observable, but no determination can be made about the degree to which these practices are

  1. repeatable under varying conditions
  2. consistently applied
  3. able to produce predictable and acceptable outcomes
  4. retained during times of stress

These conditions are tested for by applying a common set of 13 MIL questions to the domain, but only after MIL1 is achieved. Consistent with the architecture of the MIL scale, MILs are cumulative; to achieve a MIL in a specific domain, an organization must perform all of the practices in that level and in the preceding MILs. For example, an organization must perform all of the domain practices in MIL1 and MIL2 to achieve MIL2 in the domain.
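The scoring rubric above, as an added example that is not part of the original article or of the DHS self-assessment tool: a small Python scorer that applies the three practice states, the all-practices/all-goals rule and the cumulative MIL rule to constructed answers. The split of the 13 common MIL questions across MIL2 to MIL5, the question identifiers, the function names and the sample answers are assumptions; MIL1 is taken to be the domain achieved in the performed state, as the text's cumulative rule describes.

```python
"""Toy scorer for the CRR rubric (constructed example, not the DHS tool)."""

YES, NO, INCOMPLETE = "Yes", "No", "Incomplete"  # the three CRR responses

# Hypothetical split of the 13 common MIL questions across MIL2..MIL5.
# The real grouping lives in the CRR user guide; this mapping is constructed.
MIL_QUESTIONS = {
    2: ["MIL2-Q1", "MIL2-Q2", "MIL2-Q3", "MIL2-Q4"],
    3: ["MIL3-Q1", "MIL3-Q2", "MIL3-Q3", "MIL3-Q4", "MIL3-Q5"],
    4: ["MIL4-Q1", "MIL4-Q2"],
    5: ["MIL5-Q1", "MIL5-Q2"],
}


def practice_state(answer):
    """Map a Yes/No/Incomplete answer to the three observable practice states."""
    return {YES: "performed", INCOMPLETE: "incomplete", NO: "not performed"}[answer]


def goal_achieved(practice_answers):
    """A goal is achieved only if every practice under it is performed."""
    return all(practice_state(a) == "performed" for a in practice_answers.values())


def domain_achieved(goals):
    """A domain is achieved (performed state) only if all of its goals are achieved."""
    return all(goal_achieved(p) for p in goals.values())


def mil_level(goals, mil_answers):
    """Highest MIL reached in the domain. MILs are cumulative: MIL1 needs all domain
    practices performed; each higher level needs all of its MIL questions answered
    Yes plus every lower level, so a gap at MIL2 caps the result at MIL1."""
    if not domain_achieved(goals):
        return 0  # MIL questions are only applied after MIL1 is achieved
    level = 1
    for mil in sorted(MIL_QUESTIONS):
        if all(mil_answers.get(q) == YES for q in MIL_QUESTIONS[mil]):
            level = mil
        else:
            break
    return level


def score_domain(goals, mil_answers):
    """Per-goal results plus the domain MIL, roughly one row of a CRR report."""
    return {
        "goals": {g: goal_achieved(p) for g, p in goals.items()},
        "domain_achieved": domain_achieved(goals),
        "mil": mil_level(goals, mil_answers),
    }


# Constructed sample: a two-goal domain, all practices performed, MIL2 and MIL3
# fully answered Yes, one MIL4 question left incomplete -> domain reaches MIL3.
SAMPLE_GOALS = {"G1": {"P1": YES, "P2": YES}, "G2": {"P1": YES, "P2": YES, "P3": YES}}
SAMPLE_MIL = {q: YES for q in MIL_QUESTIONS[2] + MIL_QUESTIONS[3]}
SAMPLE_MIL["MIL4-Q1"] = INCOMPLETE

if __name__ == "__main__":
    print(score_domain(SAMPLE_GOALS, SAMPLE_MIL))
```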

[Image: Logo of the US Department of Homeland Security Cyber Resilience Review]
[Image: DHS Cyber Resilience Review Method Description and Self-Assessment User Guide]

Results

CRR participants receive a comprehensive report containing results for each question in all domains. The report also provides graphical summaries of the organization’s performance at the goal and domain levels, depicted in a heat-map matrix. This detailed representation allows organizations to target improvement at a fine-grained level. Organizations participating in facilitated CRRs receive an additional set of graphs depicting the performance of their organization compared to all other prior participants. The CRR report includes a potential path toward improving the performance of each practice. These options for consideration are primarily sourced from the CERT-RMM and NIST special publications. Organizations can also use CRR results to measure their performance in relation to the criteria of the NIST Cybersecurity Framework. This correlation feature was introduced in February 2014. [12]

References

  1. "Cyber Resilience Review Fact Sheet" (PDF). Retrieved 27 February 2015.
  2. "Cyber Resilience Review (CRR)". Retrieved 27 February 2015.
  3. "PCII Fact Sheet" (PDF). Retrieved 27 February 2015.
  4. "Cyber Resilience Review (CRR)". Retrieved 27 February 2015.
  5. "DHS Cyber Community Voluntary Program". Retrieved 27 February 2015.
  6. "NIST Cybersecurity Framework Sheet". NIST. 12 November 2013. Retrieved 27 February 2015.
  7. "Cyber Resilience Review-NIST Cybersecurity Framework Crosswalk" (PDF). Retrieved 27 February 2015.
  8. Caralli, R., Allen, J., & White, D. (2010). "CERT Resilience Management Model Version 1". Software Engineering Institute, Carnegie Mellon University. 30 April 2010.
  9. Mehravari, N. (2014). "Resilience Management Through the Use of CERT-RMM and Associated Success Stories" (PDF). Software Engineering Institute, Carnegie Mellon University.
  10. "Cyber Resilience Method Description and User Guide" (PDF). Retrieved 28 February 2015.
  11. Butkovic, M., & Caralli, R. (2013). "Advancing Cybersecurity Capability Measurement Using the CERT-RMM Maturity Indicator Level Scale". Software Engineering Institute, Carnegie Mellon University. 30 April 2010.
  12. Strassmann, P. (8 September 2014). "Cyber Resilience Review". Strassmann's Blog.