The Cyber Resilience Review (CRR) is a lightweight assessment method that was created by the U.S. Department of Homeland Security (DHS) for the purpose of evaluating the cybersecurity and service continuity practices of critical infrastructure owners and operators. However, private sector organizations and foreign government bodies leverage the same CRR to evaluate enterprise programs and practices across a range of ten domains including risk management, incident management, service continuity, and others. 

The CRR assessment strives to identify how an organization aligns its cybersecurity management activities to the performance or production of its critical services. The assessment consists of 299 questions, and is typically delivered in a 12 - 16 hour workshop led by a qualified facilitator over a period of two consecutive days. Our facilitator elicits answers from the organization’s personnel in cybersecurity, operations, physical security, and business continuity. Throughout the assessment workshop, your organization's team members will work together to record answers to the assessment kit (available at no charge), which will then be used to generate a complete 176-page analysis and report. Learn more about assessment topics and structure in "Assessment approach" below. 

Certified Information Security facilitates your Cyber Resilience Review hands-on assessment

Performing a CRR against the NIST CSF is an ideal way to get started with establishing or improving enterprise-wide cyber security governance and best practices based on the NIST Cybersecurity Framework. Certified Information Security's Cyber qualified security assessors have been trained by official DHS Security assessors to facilitate private (not involving the DHS) CRR question-based assessments for organizations otherwise not eligible for DHS facilitation. Small teams often choose to attend regularly-scheduled public group assessment workshops, while larger teams typically opt to reserve discounted private on-site/virtual assessments.

Facilitated Assessment Workshop details:

• Duration = 2 days, 8:30 - 4:30
• CISA Cyber Resilience Review Assessment Package* 
• Catering included when attending live on-location: 
  • Morning refreshments and snack
  • Lunch
  • Afternoon refreshments
• Hotel and/or Travel: Not included

* Self-assessment package is available at https://www.cisa.gov/sites/default/files/publications/1_CRR_v4.0_Self-Assessment-Reader_April_2020.pdf)

1. The Cyber Resilience Review (CRR) assessment measures your organizations' current organizational cyber resilience, and provides a custom gap analysis of its cybersecurity maturity, and provides recommendations for improvement based on recognized best practices. 
   
   
2. A 176-page assessment report is generated upon assessment completion that summarizes the assessment findings and gaps, and provides general guidelines or activities as to how your organization can improve its cybersecurity posture and preparedness in each category as recommended in various cybersecurity practices such as the CERT® Resilience Management Model (CERT-RMM), National Institute of Standard and Technology (NIST 800-53), and other cybersecurity standards.
   
   
3. The CRR assessment allows an organization to compare its capabilities to the criteria of the NIST Cybersecurity Framework*. This comparison is provided in the report's "NIST Cybersecurity Framework Summary" and explains where improvements can be made.
   
   
4. A NIST Cybersecurity Framework (NIST CSF) reference crosswalk mapping the relationship of the CRR goals and practices to the NIST CSF categories and subcategories is included in the CRR Assessment report as well.

*The NIST Cybersecurity Framework was created through collaboration between industry and government, and consists of standards, guidelines, and practices to promote the protection of organizations and critical infrastructure. Learn more about the NIST Cybersecurity framework here. 

The CRR is an interview-based assessment of an organization’s cybersecurity management program. It seeks to understand the cybersecurity management of services, and their associated assets, that are critical for an organization’s mission success. The CRR focuses on protection and sustainment practices within key areas that typically contribute to the overall cyber resilience of an organization. The assessment measures essential cybersecurity capabilities and behaviors to provide meaningful indicators of an organization’s operational resilience during normal operations and during times of operational stress.

The CRR is derived from the CERT^® Resilience Management Model (CERT^®-RMM), which was developed by the CERT Division at Carnegie Mellon University's Software Engineering Institute. The CERT-RMM is a capability-focused maturity model for process improvement, and it reflects best practices from industry and government for managing operational resilience across the disciplines of security management, business continuity management, and information technology operations management.

^®CERT is a registered mark owned by Carnegie Mellon University.

This CRR assessment measures and compares your organization's capabilities to the NIST Cybersecurity Framework (CSF) Functions, Categories, and Subcategories. While not required, participants will naturally achieve far greater value from the assessment exercise if they have a solid understanding of the NIST Cybersecurity Framework.

Certified Information Security provides comprehensive coverage of the NIST CSF in its "Certified NIST CSF Lead Implementer" training program, which is available via live instructor-led facilitation, as well as via convenient online on-demand delivery.