The CRR is a non-technical assessment to evaluate an organization’s operational resilience and cyber security practices. The CRR may be conducted as a self-assessment or as an on-site assessment facilitated by cyber security professionals. The CRR assesses enterprise programs and practices across a range of ten domains including risk management, incident management, service continuity, and others. The assessment is designed to measure existing organizational resilience as well as provide a gap analysis for improvement based on recognized best practices.
The Department of Homeland Security (DHS) partnered with the Computer Emergency Response Team (CERT) Division of Carnegie Mellon University’s Software Engineering Institute to create the CRR. The CRR is a derivative of the CERT Resilience Management Model (RMM) (http://cert.org/resilience/rmm.html) tailored to the needs of critical infrastructure owners and operators.
CRR Self-Assessment Package: This package includes the entire CRR self-assessment, including the fillable assessment form and report generator. All assessments will require this file to be completed.
CRR Method Description and User Guide. This guide contains the overall description of the CRR along with detailed steps and explanations for how to conduct a CRR self-assessment at an organization.
CRR Question Set with Guidance This document contains the entire CRR self-assessment question set along with guidance on how to interpret and answer each of the questions contained within the self-assessment package.
CRR NIST Framework Crosswalk. This document provides a cross-reference chart for each of the categories in the NIST Cyber security Framework and how they align to the CRR and other references.
Executives are advised to give serious consideration to the use of the CRR to offer a high-level assessment of their organization’s resistance to cyber crime. The CRR offers a series of well-documented and structured questionnaires the offer a comprehensive reviews of the methods that should be employed in dealing with malware. Forms are provided that offer a checklist of actions that should be deployed in dealing with cyber criminal activities.
While the CRR predates the establishment of the Cybersecurity Framework, the inherent principles and recommended practices within the CRR align closely with the central tenets of the Cybersecurity Framework. The CRR enables an organization to assess its capabilities relative to the Cybersecurity Framework and a crosswalk document that maps the CRR to the NIST Framework is included as a component of the CRR Self-Assessment Package. Though the CRR can be used to assess an organization’s capabilities, the Framework is based on a different underlying framework and as a result an organization’s self-assessment of CRR practices and capabilities may fall short of or exceed corresponding practices and capabilities in the Framework.