Cyber Resilience Review (CRR)

The CRR is a no-cost, voluntary, non-technical assessment that evaluates an organization’s operational resilience and cybersecurity practices. It may be conducted as a self-assessment or as an on-site assessment facilitated by DHS cybersecurity professionals. The CRR assesses enterprise programs and practices across ten domains, including risk management, incident management, and service continuity. The assessment is designed to measure existing organizational resilience and to provide a gap analysis for improvement based on recognized best practices.

On This Page:
Development of the CRR
Relationship to the Cybersecurity Framework
Ten Domains
Flexibility of the Approach
Two Options: Self-Assessment or Facilitated Session
CRR Final Report
Protection of Information
Resources

Development of the CRR

The Department of Homeland Security (DHS) partnered with the CERT Division of Carnegie Mellon University’s Software Engineering Institute to create the CRR. The CRR is a derivative of the CERT Resilience Management Model (RMM) (http://cert.org/resilience/rmm.html) tailored to the needs of critical infrastructure owners and operators.

Relationship to the Cybersecurity Framework

While the CRR predates the establishment of the Cybersecurity Framework, the principles and recommended practices within the CRR align closely with the central tenets of the Cybersecurity Framework. The CRR enables an organization to assess its capabilities relative to the Cybersecurity Framework, and a crosswalk document that maps the CRR to the NIST Framework is included as a component of the CRR Self-Assessment Package. Note, however, that the CRR and the Framework rest on different underlying models, so an organization’s self-assessment of CRR practices and capabilities may fall short of, or exceed, the corresponding practices and capabilities in the Framework. A mapping of the CRR to the Cybersecurity Framework is available here: CRR NIST Framework Crosswalk.

Ten Domains

One of the foundational principles of the CRR is that an organization deploys its assets (people, information, technology, and facilities) in support of specific operational missions or critical services. Applying this principle, the CRR seeks to understand an organization’s capabilities in performing, planning, managing, measuring, and defining operational resilience practices and behaviors through an examination of the following ten domains:

  1. Asset Management
  2. Controls Management
  3. Configuration and Change Management
  4. Vulnerability Management
  5. Incident Management
  6. Service Continuity Management
  7. Risk Management
  8. External Dependency Management
  9. Training and Awareness
  10. Situational Awareness

Flexibility of the Approach

The CRR is designed to be a universal assessment method that can evaluate the resilience capabilities of a wide range of organizations, both across different critical services or critical infrastructure sectors and across organizational sizes and maturity levels. Enterprises with highly defined and mature operational resilience capabilities, practices, and procedures can use the CRR to assess their practices and identify gaps just as easily as enterprises with less defined or mature capabilities. Ultimately it is up to the individual organization to determine which of the CRR domains and practices are most relevant to it.

Two Options: Self-Assessment or Facilitated Session

Organizations have two options for conducting a CRR: a self-assessment, available as a free download from this website, or a facilitated session involving on-site DHS representatives trained in the use of the assessment. The self-assessment tool is linked here (CRR Self-Assessment Package) and in the Resources list at the bottom of this page, along with additional guidance and supplementary information. For information on scheduling an in-person facilitated session, please contact cse@hq.dhs.gov.

CRR Final Report

The CRR, whether conducted through the self-assessment tool or a facilitated session, generates a report as its final product. The report contains all of the questions and answers from the assessment along with relevant options for consideration. These options for consideration are based on recognized standards and best practices. Additionally, the final report contains an overall mapping of the relative maturity of the organization’s resilience processes in each of the ten domains.

Protection of Information

DHS collects no information through the CRR Self-Assessment Package. During on-site facilitated sessions, all information gathered is subject to the rules of the Protected Critical Infrastructure Information (PCII) Program. This program was established by DHS to enable secure, voluntary information sharing between critical infrastructure owners and operators and the government. PCII protections mean that homeland security partners can be confident that sharing their information with the government will not expose sensitive or proprietary data. For more information on the PCII Program, please visit its webpage at http://dhs.gov/pcii.

Resources

CRR Self-Assessment Package
CRR Question Set with Guidance
CRR NIST Framework Crosswalk
CRR Method Description and User Guide
CRR Information Sheet

For more information, contact cse@hq.dhs.gov.