Assessment Program Overview
A core component of the Cybersecurity and Infrastructure Security Agency (CISA) risk management mission is conducting security assessments in partnership with ICS stakeholders, including critical infrastructure owners and operators, ICS vendors, integrators, Sector-Specific Agencies, other Federal departments and agencies, SLTT governments, and international partners.
CISA works with these and other partners to assess various aspects of critical infrastructure (cybersecurity controls, control system architectures, and adherence to best practices supporting the resiliency, availability, and integrity of critical systems), and provides options for consideration to mitigate and manage risk.
CISA assessment products improve situational awareness and provide insight, data, and identification of control systems threats and vulnerabilities. Core assessment products and services include self-assessments using the Cybersecurity Evaluation Tool (CSET®), onsite field assessments, network design architecture reviews, and network traffic analysis and verification. The information gained from assessments also provides stakeholders with the understanding and context necessary to build effective defense-in-depth processes for enhancing cybersecurity.
Download PDF: FY 2016 Assessment Report
Download PDF: FY 2015 Assessment Report
Download PDF: FY 2014 Assessment Report
Private Sector Assessments
The CISA Assessment Team developed a Fact Sheet to explain the assessment offerings available to private sector entities.
Download PDF: Fact Sheet - Private Sector Assessments
The CISA Assessment Team developed a Fact Sheet to explain the assessment offerings available to Federal entities.
Download PDF: Fact Sheet - Federal Assessments
All information shared with NCCIC during the analysis and the report outcomes are confidential to the asset owner and protected by DHS as Protected Critical Infrastructure Information (PCII).
To schedule an assessment, please contact CISA Assessments at firstname.lastname@example.org, with "Assessment Request" in the Subject line.
Cyber Security Evaluation Tool
The Cyber Security Evaluation Tool (CSET®) is a Department of Homeland Security (DHS) product that assists organizations in protecting their key national cyber assets. It was developed by cybersecurity experts under the direction of the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), now an integral component of CISA. The tool provides users with a systematic and repeatable approach to assessing the security posture of their cyber systems and networks. It includes both high-level and detailed questions related to all industrial control and IT systems.
CSET® is a desktop software tool that guides users through a step-by-step process to assess their control system and information technology network security practices against recognized industry standards. The CSET output is a prioritized list of recommendations for improving the cybersecurity posture of the organization's enterprise and industrial control cyber systems. The tool derives the recommendations from a database of cybersecurity standards, guidelines, and practices. Each recommendation is linked to a set of actions that can be applied to enhance cybersecurity controls.
CSET® has been designed for easy installation and use on a stand-alone laptop or workstation. It incorporates a variety of available standards from organizations such as NIST, North American Electric Reliability Corporation (NERC), Transportation Security Administration (TSA), U.S. Department of Defense (DoD), and others. When the tool user selects one or more of the standards, CSET opens a set of questions to be answered. The answers to these questions are compared against a selected security assurance level, and a detailed report is generated that shows areas for potential cybersecurity improvement. CSET provides an excellent means to perform a self-assessment of the security posture of your control system environment.
- CSET contributes to an organization's risk management and decision-making process.
- Raises awareness and facilitates discussion on cybersecurity within the organization.
- Highlights vulnerabilities in the organization's systems and provides recommendations on ways to address the vulnerability.
- Identifies areas of strength and best practices being followed in the organization.
- Provides a method to systematically compare and monitor improvement in the cyber systems.
- Provides a common industry-wide tool for assessing cyber systems.
How to Obtain CSET
CSET 8.0 is available for download at the following link: Download CSET here