Cyber Resilience Review

The Cyber Resilience Review (CRR)[1] is an assessment method developed by the United States Department of Homeland Security (DHS).

The workshop typically takes 6–8 hours to complete and draws on a cross section of personnel from the critical infrastructure organization.

The package includes an automated data answer capture and report generation tool, a facilitation guide, a comprehensive explanation of each question, and a crosswalk of CRR practices to the criteria of the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

DHS partnered with the CERT Division of the Software Engineering Institute at Carnegie Mellon University to design and deploy the CRR.

The goals and practices found in the assessment are derived from the CERT Resilience Management Model (CERT-RMM) Version 1.0.

Institutionalization means that cybersecurity practices become a deeper, more lasting part of the organization because they are managed and supported in meaningful ways.

The report also provides graphical summaries of the organization’s performance at the goal and domain levels, depicted in a heat-map matrix.

Organizations can also use CRR results to measure their performance in relation to the criteria of the NIST Cybersecurity Framework.
