The CRR is a no-cost, voluntary, non-technical assessment to evaluate an organization’s operational resilience and cybersecurity practices. The CRR may be conducted as a self-assessment or as an on-site assessment facilitated by DHS cybersecurity professionals. The CRR assesses enterprise programs and practices across a range of ten domains including risk management, incident management, service continuity, and others. The assessment is designed to measure existing organizational resilience as well as provide a gap analysis for improvement based on recognized best practices.
On This Page:
- Development of the CRR
- Relationship to the Cybersecurity Framework
- Flexibility of the Approach
- Two Options: Self-Assessment or Facilitated Session
- CRR Final Report
- Protection of Information
This package includes the entire CRR self-assessment, including the fillable assessment form and report generator. All assessments will require this file to be completed.
- CRR Method Description and User Guide [pdf]: This guide contains the overall description of the CRR along with detailed steps and explanations for how to conduct a CRR self-assessment at an organization.
- CRR Question Set with Guidance [pdf]: This document contains the entire CRR self-assessment question set along with guidance on how to interpret and answer each of the questions contained within the self-assessment package.
- CRR NIST Framework Crosswalk [pdf]: This document provides a cross-reference chart for each of the categories in the NIST Cybersecurity Framework and how they align to the CRR and other references.
- CRR Information Sheet [pdf]: This is a brief fact sheet on the CRR summarizing the process.
CRR Resource Guides
The Cyber Resilience Review (CRR) resource guides were developed to help organizations implement practices identified as considerations for improvement in a CRR report. The guides were developed for organizations that have participated in a CRR, but are useful to any organization interested in implementing or maturing operational resilience capabilities for critical cyber-dependent services. The CRR captures an understanding and qualitative measurement of an organization’s operational resilience and its ability to manage operational risks to critical services and their associated assets.
Each resource guide can be used and downloaded independently. Organizations using more than one resource guide will be able to make use of complementary materials and suggestions.
The CRR Resource Guides in the series are:
- Asset Management [pdf]: The Asset Management guide focuses on the processes used to identify, document, and manage the organization’s assets.
- Controls Management [pdf]: The Controls Management guide focuses on the processes used to define, analyze, assess, and manage the organization’s controls.
- Configuration and Change Management [pdf]: The Configuration and Change Management Guide focuses on the processes used to ensure the integrity of an organization’s assets.
- Vulnerability Management [pdf]: The Vulnerability Management Guide focuses on the processes used to identify, analyze, and manage vulnerabilities within the organization’s operating environment.
- Incident Management [pdf]: The Incident Management Guide focuses on the processes used to identify and analyze events, declare incidents, determine a response and improve an organization’s incident management capability.
- Service Continuity Management [pdf]: The Service Continuity Management Guide focuses on processes used to ensure the continuity of an organization’s essential services.
- Risk Management [pdf]: The Risk Management Guide focuses on processes used to identify, analyze, and manage risks to an organization’s critical services.
- External Dependencies Management [pdf]: The External Dependencies Management Guide focuses on processes used to establish an appropriate level of controls to manage the risks that are related to the critical service’s dependence on the actions of external entities.
- Training and Awareness [pdf]: The Training and Awareness Guide focuses on processes used to develop skills and promote awareness for people with roles that support the critical service.
- Situational Awareness [pdf]: The Situational Awareness Guide focuses on processes used to discover and analyze information related to the immediate operational stability of the organization’s critical services and to coordinate such information across the enterprise.
The Department of Homeland Security (DHS) partnered with the Computer Emergency Response Team (CERT) Division of Carnegie Mellon University’s Software Engineering Institute to create the CRR. The CRR is a derivative of the CERT Resilience Management Model (RMM) (http://cert.org/resilience/rmm.html) tailored to the needs of critical infrastructure owners and operators.
While the CRR predates the establishment of the Cybersecurity Framework, the inherent principles and recommended practices within the CRR align closely with the central tenets of the Cybersecurity Framework. The CRR enables an organization to assess its capabilities relative to the Cybersecurity Framework, and a crosswalk document that maps the CRR to the NIST Framework is included as a component of the CRR Self-Assessment Package. Though the CRR can be used to assess an organization’s capabilities, the Framework is based on a different underlying framework, and as a result an organization’s self-assessment of CRR practices and capabilities may fall short of or exceed corresponding practices and capabilities in the Framework. A mapping of the CRR to the Cybersecurity Framework is available here: CRR NIST Framework Crosswalk.
One of the foundational principles of the CRR is that an organization deploys its assets (people, information, technology, and facilities) in support of specific operational missions or critical services. Applying this principle, the CRR seeks to understand an organization’s capabilities in performing, planning, managing, measuring, and defining operational resilience practices and behaviors through an examination of the following ten domains:
- Asset Management
- Controls Management
- Configuration and Change Management
- Vulnerability Management
- Incident Management
- Service Continuity Management
- Risk Management
- External Dependencies Management
- Training and Awareness
- Situational Awareness
The CRR is designed to be a universal assessment method that can evaluate the resilience capabilities of a wide range of organizations, both in terms of different critical services or critical infrastructure sectors and in terms of organizational size and maturity. Enterprises with highly defined and mature operational resilience capabilities, practices, and procedures can utilize the CRR to assess their practices and identify gaps just as easily as enterprises with less defined or mature capabilities. Ultimately, it is up to the individual organization to determine which of the CRR domains and practices are most relevant to that organization.
Organizations have two options in conducting a CRR: a self-assessment available free for download from this website, or a facilitated session involving on-site DHS representatives trained in the use of the assessment. The self-assessment tool can be found here: CRR Self-Assessment Package and in the resources section listed above, along with additional guidance and supplementary information. For information regarding the scheduling of an in-person facilitated session please contact firstname.lastname@example.org.
The CRR, whether through the self-assessment tool or facilitated session, will generate a report as a final product. The report contains all of the questions and answers contained within the assessment along with relevant options for consideration. These options for consideration are based on recognized standards and best practices. Additionally, the final report contains an overall mapping of the relative maturity of the organizational resilience processes in each of the ten domains.
DHS collects no information through the CRR Self-Assessment Package. During the on-site facilitated sessions, all information gathered is subject to the rules of the Protected Critical Infrastructure Information (PCII) Program. This program was established by DHS as a means to enable secure, voluntary information sharing between critical infrastructure and the government. PCII protections mean that homeland security partners can be confident that sharing their information with the government will not expose sensitive or proprietary data. For more information on the PCII Program please visit their webpage at http://dhs.gov/pcii.
For more information, contact CSE@hq.dhs.gov.