Cyber Resilience Review (CRR)

What is Cyber Resilience Review (CRR)

The Cyber Resilience Review (CRR) assessment is a tool that measures a company’s cyber resilience. An organization can examine its capabilities against v1.1 of the National Institute of Standards and Technology (NIST) Cybersecurity Framework using CRR results represented in terms of the NIST CSF (CSF).

The CRR Assessment (CRR) is a simple, interview-based assessment approach developed by the Department of Homeland Security (DHS) to analyze critical infrastructure owners and operators’ cybersecurity and service continuity processes. The CRR Assessment has 299 questions divided into 10 areas of practice topics. Each area contains critical qualities that help an organization’s cyber resilience. Although the number of goals and practice questions vary by area, all domains have the same set of Maturity Indicator Level (MIL) questions and ideas. The MIL questions look at how processes within an organization become institutionalized.

The CRR is a “point-in-time” assessment, it shows a company’s capabilities at a specific moment in time—the period of the evaluation. Its goal is to learn how to manage the cybersecurity of business services and their associated assets, which are crucial to an organization’s mission achievement. The CRR assesses critical cybersecurity capabilities and behaviors in order to give useful indications of an organization’s operational resilience in both normal and stressful situations.

What are the requirements for CRR?

Critical Service Scope

The CRR has a service-oriented approach, meaning that it is intended to assess the organization’s management of a specific mission critical service. Scoping the assessment is critical in order to decide which specific areas need assessing. Answers to the CRR questions must be provided in relation to a specific service and the assets that underpin that service.

A critical service must be selected, and is defined as:

A set of activities an organization carries out in the performance of a duty or in the production of a product that is so critical to the organization’s success that its disruption would severely impact continued operations or success in meeting the organization’s mission.

Organizations typically have a set of critical services that define their mission. The selection of a critical service for assessment—rather than assessing the organization as a whole—helps to scope the assessment and tie the results to the organization’s mission.

Some organizations and their usual critical services that might be chosen as part of a CRR Assessment are listed below:

• clearing and settlement for banks and other financial institutions, as well as mortgage application processing
• suppliers of emergency services, such as 911 call takers and dispatchers
• electrical power plants: production and delivery of electricity
• hospitals: clinical services, monitoring of prescriptions
• government agencies: case management, benefit administration
• machining operations, order processing – manufacturing businesses
• air traffic control and fuel management at airports

Asset Types

People, information, technology, and facilities are the four categories that the CRR divides assets into. Many questions call for a separate answer for each of the four assets, while others pertain to all of them.

The four asset types are:

• People – the staff (both internal and external to the organization) such as people that support data centers or otherwise use information and communications technology to operate and monitor the service.
• Information – account information, technology asset configuration files, operational data, customer information and other information necessary for the delivery of the service.
• Technology – computers (hardware), software, control systems, or other technology including external information systems used by the organization to deliver the service.
• Facilities – offices buildings, data centers and other physical structures supporting the delivery of the service.

Maturity Indicator Level (MIL)

The CRR Assessment utilizes one standard set of Maturity Indicator Level (MIL) questions. The MIL questions examine the institutionalization of CRR practices within an organization. Institutionalization means that cybersecurity practices become a deeper, more lasting part of the organization because they are managed and supported in meaningful ways. When cybersecurity practices become more institutionalized—or “embedded”—managers can have more confidence in the practices’ predictability and reliability. The practices also become more likely to be sustained during times of disruption or stress to the organization.

A Maturity Indicator Level (MIL) is assigned to each CRR domain. It represents a consolidated view of performance. The MIL scale itself uses 6 maturity levels, each with rigorous, defined components:

MIL0 Incomplete -> MIL1 Performed -> MIL2 Planned -> MIL3 Managed -> MIL4 Measured -> MIL5 Defined

MIL0 Incomplete – As judged by responses to the applicable CRR questions in the domain, all practices in the domain are not fully implemented.

MIL1 Performed – As judged by responses to the appropriate CRR questions, all practices that support the goals in a domain are being carried out.

MIL2 Planned – All CRR-related practices are not only carried out, but also supported by planning, policy, stakeholders, and necessary standards and guidelines.

MIL3 Managed – All practices in a domain are carried out, planned, and have the necessary governance architecture in place, as well as being effectively staffed, funded, and risk managed.

MIL4 Measured – A domain’s practices are carried out, planned, managed, monitored, and regulated. A measurable process or practice is evaluated for efficacy on a regular basis, compared to its practice description and plan, and discussed with higher-level management on a regular basis.

MIL5 Defined – All practices in a domain are performed, planned, controlled, measured, and consistent across all stakeholders that have a stake in the practice’s success. At MIL5, a process or practice is established by the organization, customized by individual operating units, and backed up by improvement data gathered by and shared among operating units for the organization’s overall benefit.

MIL Progression

An organization can only achieve a certain MIL if it has achieved all lower MILs in the preceding progression. To put it another way, even if an organization meets all of the MIL2 standards, if it fails to take all of the MIL1 cybersecurity steps in a domain, it will not be able to reach MIL2.

Why should you be CRR compliant?

The CRR gives a greater knowledge of an organization’s cybersecurity posture, as well as increased awareness of the importance of effective cybersecurity management within the enterprise.

The CRR is a comprehensive assessment providing a final report that maps:

• the relative maturity of organizational resilience processes across all ten domains, 
• a validation of management success, 
• a catalyst for dialogue among stakeholders from various functional areas within your organization, 
• and a review of the most critical capabilities for ensuring critical service continuity during times of operational stress and crisis.

How to achieve CRR compliance?

The CRR is designed to be a universal assessment instrument for evaluating the resilience capabilities of a wide range of businesses, regardless of which important services they provide or which critical infrastructure sectors, organizational size, or maturity. Businesses with well-defined and mature operational resilience capabilities, processes, and procedures can use the CRR just as effectively to assess and identify gaps as those with less defined and mature capabilities. It is ultimately up to each company to determine which CRR domains and practices are most relevant to them.

Centraleyes has integrated the CRR into its cutting-edge platform allowing companies to seamlessly run through the assessment process. The platform offers you a smart questionnaire, real-time customized scoring, and prioritized remediation guidance to fully implement the CRR controls based on your desired MIL level.

Benefits of using Centraleyes to implement CRR

• Our automated platform helps organizations evaluate their cyber hygiene, with respect to the organization’s cyber resilience, against known security standards and best practices in a repeatable, strategic, and disciplined manner
• We guide organizations through a collaborative smart questionnaire to assess their current security controls to improve the cyber resilience
• Centraleyes provides an intuitive dashboard with automated remediation and a unique breakdown screen that presents the assessment details and results in a user-friendly format
• As the assessment is completed, the remediation center is updated in real-time, providing actionable steps for the organization to implement. The organization will be able to manipulate and filter data in order to analyze the results with varying levels of granularity.

Using the Centraleyes platform, with its CRR integration, results in saving hundreds of hours and resources, more accurate and measurable data, and peace of mind.

Read more: 
https://www.cisa.gov/uscert/resources/assessments