Assessment Evaluation and Standardization (AES)

Assessment Evaluation and Standardization (AES)

In 2019, CISA launched the Assessment Evaluation and Standardization (AES) program to expand the availability of organizations and individuals qualified to administer cybersecurity assessments in accordance with CISA’s standards and in a manner that provides data back to CISA for risk management purposes.

Today, this program is only available for assessors affiliated with government entities (including federal civilian agencies, the Department of Defense, or State, Local, Tribal, and Territorial governments). CISA’s goal is to expand the AES program to enable assessors in the private sector to participate.


  • Produce a federal, and private sector, workforce of prepared and qualified assessors.
  • Ensure that assessors have the knowledge and skills necessary to conduct assessments according to the CISA standards and methodologies.
  • Ensure that assessment results are of high quality, consistent, and repeatable.


The HVA (High Value Assets) course empowers students to evaluate the federal government’s approach to managing risk, and provide an unbiased, third-party review of the government’s most critical HVA’s cybersecurity posture and operations. The course also verifies that successful students have the capability to inform respective agency leadership to fully understand and manage the risk which is inherent in its selected cybersecurity solution(s). The process depends on in-person interviews, documentation reviews, in-depth technical analysis, and resilience testing through vulnerability scanning and penetration testing. The assessment results in a detailed analysis of how the HVA’s individual security components integrate and operate, including how data is managed and secured. 

The CRR (Cyber Resilience Review) course and resulting examination focuses on operational resilience and cyber security best practices. The CRR has a service-oriented approach, meaning that one of the foundational principles of the CRR is that an organization deploys its assets (people, information, technology, and facilities) to support specific operational missions (or services). The CRR is offered in a facilitated workshop format and as a self-assessment package. Successful students will be well versed in executing both formats. Further students are informed on the Protected Critical Infrastructure Information Act of 2002, which limits the material collected in a facilitated CRR, which is protected from disclosure. Students gain mastery of automated data capture and report generation tools, a facilitation guide, comprehensive explanation of each question, and a crosswalk of CRR concepts to the corresponding National Institute of Standards and Technology (NIST) Cybersecurity Framework.

The EDM (External Dependencies Management) course gives students the capability to facilitate a assessment which is intended for system owners and operators of critical infrastructure organizations in the United States, which measures and reports on the ability of the subject organization to manage external dependencies, as they relate to the supply and operation of information and communications technology (ICT). This area of risk management is also sometimes called Third Party Risk Management or Supply Chain Risk Management.

The RVA (Risk and Vulnerability Assessment) course gives the tools students would need to develop an in-depth analysis which would detail what a sample attack path which a cyber threat actor could take, to compromise a given organization’s weaknesses. The attacks paths are representative of Tactics, Techniques, and Procedures (TTPs) which CISA has observed being leveraged by malicious actors. Course content and infographics provide a high-level snapshot of five potential attack paths and breaks out the most successful techniques for each tactic that the RVAs have documented. Both the analysis and resulting infographics, map threat actor behavior to the MITRE ATT&CK® framework.

Course Schedule

For fiscal year 2023 (FY23), visit AES Schedule webpage.

Was this webpage helpful?  Yes  |  Somewhat  |  No