Cyber Risk and Resilience Management
Mapping the FFIEC Cybersecurity Assessment Tool (CAT) to the CRR
To help financial institutions assess their cyber resilience, we mapped FFIEC CAT statements to Cyber Resilience Review (CRR) questions.
Managing Third Party Risks to Financial Services Organizations
A resilience-based approach can help financial services organizations manage cyber risks from outsourcing and comply with federal cybersecurity regulations.
CERT-RMM version 1.2 is now available
Version 1.2 of the CERT - Resilience Management Model features improved usability and other enhancements.
SEI Book Series in Software Engineering
Our SEI researchers write books covering software engineering topics for this series of books published by Addison-Wesley Professional.
Report Applies Operational Resilience to Threat Intelligence
This SEI report discusses a framework for preparing intelligence that complements commonly used intelligence frameworks such as Intelligence Preparation of the Battlefield (IPB).
OCTAVE Course
Take a three-day course or eLearning course to learn to perform information security risk assessments using the OCTAVE method.
Engage with Us
There are many opportunities for you to engage with us. We offer workshops, training, appraisals, and even opportunities to develop derivative models based on the CERT-RMM.
CERT Is Hiring
Your top-notch skills and knowledge can help us make a difference in our nation’s cybersecurity. Explore our career opportunities today.
Our Mission: We enable organizations to manage operational risks and ensure mission success by performing research, designing and developing models and techniques, and deploying capabilities that improve organizations' security and resilience posture.
Organizations cannot plan for every disruption. They need to be able to handle changes in their risk environment at a moment's notice and with a predictable level of performance. Organizations can no longer expect to prevent every cyber attack. They must be ready to continue operations and meet their mission when disruption occurs. To accomplish this mission, organizations must take a structured approach to managing security risks, business continuity, and information technology operations within the context of their business objectives. Our team of researchers, cyber risk specialists, and security governance experts works diligently to define best practices and provide methods for managing operational risk and resilience.
Using a resilience approach, organizations focus on managing risk to critical assets by optimizing both protection and continuity strategies to prepare for a broad range of outcomes. How can your organization become resilient?
We provide frameworks and models to improve your organization's security posture.
Our tools and methods, such as CERT-RMM, OCTAVE, SGMM, and ES-C2M2, are used to measure an organization's capabilities, identify improvement gaps, and enable data-driven decisions.
We help you understand risk and resilience issues and how to address them.
We offer workshops, training courses, and services to help you measure your current competency, set improvement targets, and establish plans and actions to close any identified gaps.
We research new ways to manage cyber risks.
We are currently researching new security and resilience improvement capabilities, how to prioritize security spending, the growing impact of cyber risk insurance, and approaches to improving cybersecurity governance.
Engage with Us
There are multiple opportunities for you to engage with us. We offer workshops, training, appraisals, and even opportunities to develop derivative models based on the CERT-RMM.
Publications & Media
- 05/16/2017 SEI Cyber Minute: Enterprise Risk Management Watch Summer Fowler in this SEI Cyber Minute as she discusses "Enterprise Risk Management".
- 04/06/2017 SEI Cyber Minute: Defending Against DDOS Attacks Watch Rachel Kartch in this SEI Cyber Minute as she discusses "Defending Against DDOS Attacks".
- 02/23/2017 The CISO Academy In this paper, the authors describe the project that led to the creation of the U.S. Postal Service's CISO Academy.
- 01/31/2017 Software Solutions Symposium 2017 - Informational Brochure The Software Solutions Symposium is a forum for learning about emerging technologies and practical solutions that you can apply today for help with systemic software issues such as assurance, cost, and schedule. March 20-23, 2017. Arlington, VA
- 11/03/2016 A Scorecard for Cyber Resilience: What We Have Observed In this presentation the speakers discuss the Cyber Resilience Review (CRR).
A Mapping of the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) to the Cyber Resilience Review (CRR)
To help financial organizations assess cyber resilience, this technical note maps the FFIEC Cybersecurity Assessment Tool (CAT) to Cyber Resilience Review (CRR) questions.
Managing Third-party Risk in Financial Services Organizations: A Resilience-Based Approach
Applying key concepts from resilience management can help financial services organizations to manage cybersecurity risks from outsourcing and other third-party relationships and comply with federal regulations.
Intelligence Preparation for Operational Resilience (IPOR)
This SEI report describes Intelligence Preparation for Operational Resilience (IPOR), a framework for preparing intelligence that complements commonly used intelligence frameworks such as Intelligence Preparation of the Battlefield (IPB).
CYBURGH, PA
The SEI and the Pittsburgh Technology Council sponsored CYBURGH, PA, a one-day event where Pittsburgh organizations met to discuss pain points, barriers, and solutions related to cybersecurity. Its program is applicable to all audiences: corporations, small businesses, academic institutions, and the public sector, especially those interested in learning how to develop a secure cyber domain for their organization.
Structuring the Chief Information Security Officer Organization
In this September 2015 technical note, the authors describe how they defined a CISO team structure and functions for a national organization using sources such as CISOs, policies, and lessons learned from cybersecurity incidents.
CERT Resilience Management Model: A Maturity Model for Managing Operational Resilience
In this book, the authors present best practices for managing the security and survivability of people, information, technology, and facilities.
Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)
In this webinar, watch James Stevens discuss the "Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)" from the SEI Virtual Event, CERT Operational Resilience: Manage, Protect and Sustain.
Related Training
- Introduction to the CERT Resilience Management Model
- CERT Resilience Management Model Appraisal Boot Camp
- CERT Resilience Management Model (CERT-RMM) Users Group Workshop Series
- Assessing Information Security Risk Using the OCTAVE Approach
- Assessing Information Security Risk Using the OCTAVE Approach - eLearning
- Managing Enterprise Information Security: A Practical Approach for Achieving Defense-in-Depth
- Twenty Questions to Assess Your Program's Chances of Success
- Practical Risk Management: Principles and Methods