The CRR is a no-cost, voluntary, non-technical assessment to evaluate an organization’s operational resilience and cybersecurity practices. The CRR may be conducted as a self-assessment or as an on-site assessment facilitated by DHS cybersecurity professionals. The CRR assesses enterprise programs and practices across a range of ten domains including risk management, incident management, service continuity, and others. The assessment is designed to measure existing organizational resilience as well as provide a gap analysis for improvement based on recognized best practices.
On This Page:
Development of the CRR
Relationship to the Cybersecurity Framework
Flexibility of the Approach
Two Options: Self-Assessment or Facilitated Session
CRR Final Report
Protection of Information
This package includes the entire CRR self-assessment, including the fillable assessment form and report generator. All assessments will require this file to be completed.
CRR Method Description and User Guide
This guide contains the overall description of the CRR along with detailed steps and explanations for how to conduct a CRR self-assessment at an organization.
CRR Question Set with Guidance
This document contains the entire CRR self-assessment question set along with guidance on how to interpret and answer each of the questions contained within the self-assessment package.
CRR NIST Framework Crosswalk
This document provides a cross-reference chart for each of the categories in the
NIST Cybersecurity Framework and how they align to the CRR and other references.
CRR Information Sheet
This is a brief fact sheet on the CRR summarizing the process.
The Department of Homeland Security (DHS) partnered with the Computer Emergency Response Team (CERT) Division of Carnegie Mellon University’s Software Engineering Institute to create the CRR. The CRR is a derivative of the CERT Resilience Management Model (RMM) (http://cert.org/resilience/rmm.html) tailored to the needs of critical infrastructure owners and operators.
While the CRR predates the establishment of the Cybersecurity Framework, the inherent principles and recommended practices within the CRR align closely with the central tenets of the Cybersecurity Framework. The CRR enables an organization to assess its capabilities relative to the Cybersecurity Framework and a crosswalk document that maps the CRR to the NIST Framework is included as a component of the CRR Self-Assessment Package. Though the CRR can be used to assess an organization’s capabilities, the Framework is based on a different underlying framework and as a result an organization’s self-assessment of CRR practices and capabilities may fall short of or exceed corresponding practices and capabilities in the Framework. A mapping of the CRR to the Cybersecurity Framework is available here: CRR NIST Framework Crosswalk.
One of the foundational principles of the CRR is that an organization deploys its assets (people, information, technology, and facilities) in support of specific operational missions or critical services. Applying this principle, the CRR seeks to understand an organization’s capabilities in performing, planning, managing, measuring, and defining operational resilience practices and behaviors through an examination of the following ten domains:
- Asset Management
- Controls Management
- Configuration and Change Management
- Vulnerability Management
- Incident Management
- Service Continuity Management
- Risk Management
- External Dependency Management
- Training and Awareness
- Situational Awareness
The CRR is designed to be a universal assessment method that can evaluate the resilience capabilities of a wide range of organizations both in terms of different critical services or critical infrastructure sectors and in terms of organizational size and maturity. Enterprises with highly defined and mature operational resilience capabilities, practices, and procedures can utilize the CRR to assess their practices and identify gaps just as easily as enterprises with less defined or mature capabilities. Ultimately it is up to the individual organization to determine which of the CRR domains and practices are most relevant to that organization.
Organizations have two options in conducting a CRR: a self-assessment available free for download from this website, or a facilitated session involving on-site DHS representatives trained in the use of the assessment. The self-assessment tool can be found here: CRR Self-Assessment Package and in the resources section listed above, along with additional guidance and supplementary information. For information regarding the scheduling of an in-person facilitated session please contact firstname.lastname@example.org.
The CRR, whether through the self-assessment tool or facilitated session, will generate a report as a final product. The report contains all of the questions and answers contained within the assessment along with relevant options for consideration. These options for consideration are based on recognized standards and best practices. Additionally the final report contains an overall mapping of the relative maturity of the organizational resilience processes in each of the ten domains.
DHS collects no information through the CRR Self-Assessment Package. During the on-site facilitated sessions, all information gathered is subject to the rules of the Protected Critical Infrastructure Information (PCII) Program. This program was established by DHS as a means to enable secure, voluntary information sharing between critical infrastructure and the government. PCII protections mean that homeland security partners can be confident that sharing their information with the government will not expose sensitive or proprietary data. For more information on the PCII Program please visit their webpage at http://dhs.gov/pcii.
For more information, contact CSE@hq.dhs.gov.