Cyber Resource Hub


In order to assist a variety of stakeholders to ensure the cybersecurity of our Nation's critical infrastructure, CISA offers a range of cybersecurity assessments that evaluate operational resilience, cybersecurity practices, organizational management of external dependencies, and other key elements of a robust cybersecurity framework. CISA's cybersecurity assessment services are offered solely on a voluntary basis and are available upon request.

Vulnerability Scanning

Evaluates external network presence by executing continuous scans of public, static IPs for accessible services and vulnerabilities. This service provides weekly vulnerability reports and ad-hoc alerts.

Phishing Campaign Assessment

Provides an opportunity for determining the potential susceptibility of personnel to phishing attacks. This is a practical exercise intended to support and measure the effectiveness of security awareness training.

Risk and Vulnerability Assessment

A Risk and Vulnerability Assessment (RVA) collects data through onsite assessments and combines it with national threat and vulnerability information in order to provide an organization with actionable remediation recommendations prioritized by risk. This assessment is designed to identify vulnerabilities that adversaries could potentially exploit to compromise network security controls. Methodologies that a Risk and Vulnerability Assessment may incorporate include the following:

  • Scenario-based network penetration testing
  • Web application testing
  • Social engineering testing
  • Wireless testing
  • Configuration reviews of servers and databases
  • Detection and response capability evaluation

After completing the Risk and Vulnerability Assessment, the organization will receive a final report that includes business executive recommendations, specific findings and potential mitigations, as well as technical attack path details. An optional debrief presentation summarizing preliminary findings and observations is also available.

For additional information, consult the Election Infrastructure Security Resource Guide. To schedule a Risk and Vulnerability Assessment, contact CISAServiceDesk@cisa.dhs.gov.

Cyber Resilience Review

The Cyber Resilience Review (CRR) is an interview-based assessment that evaluates an organization’s operational resilience and cybersecurity practices. This assessment is derived from the CERT Resilience Management Model (CERT-RMM), a process improvement model developed by Carnegie Mellon University’s Software Engineering Institute for managing operational resilience. The Cyber Resilience Review evaluates the maturity of an organization’s capacities and capabilities in performing, planning, managing, measuring, and defining cybersecurity capabilities across the following 10 domains:

  1. Asset Management
  2. Controls Management
  3. Configuration and Change Management
  4. Vulnerability Management
  5. Incident Management
  6. Service Continuity Management
  7. Risk Management
  8. External Dependency Management
  9. Training and Awareness
  10. Situational Awareness

Receiving a Cyber Resilience Review will provide an organization with a more robust awareness of its cybersecurity posture by providing and facilitating the following:

  • Improved enterprise-wide awareness of the need for effective cybersecurity management
  • A review of capabilities essential to the continuity of critical services during operational challenges and crises
  • Integrated peer performance comparisons for each of the 10 domains covered in the assessment
  • A comprehensive final report that includes options for improvement

This assessment is available as a self-assessment or as a CISA-facilitated assessment. The Cyber Resilience Review (CRR) resource guides were developed to help organizations implement practices identified as considerations for improvement in a CRR report. The guides were developed for organizations that have participated in a CRR, but they are useful to any organization interested in implementing or maturing operational resilience capabilities for critical cyber-dependent services. The CRR captures an understanding and qualitative measurement of an organization’s operational resilience and its ability to manage operational risks to critical services and their associated assets.

Each resource guide can be used and downloaded independently. Organizations using more than one resource guide will be able to make use of complementary materials and suggestions.

** Please note: There is legacy content regarding CRR, EDM, and CIS within some legacy US-CERT environments, but for the latest up to date content please use the CISA Cyber Hub page. 

CRR Downloadable Resources

Available are the downloadable content and guides for the CRR Self-Assessment.

1. CRR Self-Assessment [PDF]: Downloadable PDF copy of the CRR Self-Assessment so that a user can employ the CRR for self-evaluation purposes within their organization, or leverage it as a “dry run” prior to an onsite assessment facilitated by a DHS Cybersecurity professional.

2. CRR User Guide [PDF]: This guide contains the overall description of the CRR along with detailed steps and explanations for how to conduct a CRR self-assessment at an organization.

3. CRR Question Set with Guidance [PDF]: This document contains the entire CRR self-assessment question set along with guidance on how to interpret and answer each of the questions contained within the self-assessment package.

4. CRR NIST Framework Crosswalk [PDF]: This document provides a cross-reference chart for each of the categories in the NIST Cybersecurity Framework and how they align to the CRR and other references.

CRR Self-Assessment Package: This page contains the entire CRR self-assessment and all supplementary documentation.

For additional information, consult the Election Infrastructure Security Resource Guide. To schedule an assessment, contact cyberadvisor@cisa.dhs.gov.

No data collected during this assessment will be used for regulatory purposes or publicly disclosed.

External Dependencies Management Assessment

The External Dependencies Management (EDM) Assessment is an interview-based assessment that evaluates an organization’s management of external dependencies. This assessment focuses on the relationship between an organization’s high-value services and assets (such as people, technology, facilities, and information) and evaluates how the organization manages risks derived from its use of the Information and Communications Technology (ICT) Supply Chain in the delivery of services. Although the EDM assessment is normally carried out by a CISA Cyber Security Professional, the EDM is also available in PDF so an organization can benefit from it and prepare prior to the coordinated assessment with a CISA Cyber Advisor. The External Dependencies Management Assessment evaluates the maturity and capacity of an organization’s external dependencies risk management across the following three areas:

  1. Relationship formation
  2. Relationship management and governance
  3. Service protection and sustainment

Participating in an External Dependencies Management Assessment will provide an organization with an informed understanding of its ability to respond to external dependency risks by providing and facilitating the following:

  • Opportunity for internal discussion of vendor-related issues and the organization's reliance upon external entities in order to provide services
  • Improvement options for consideration derived from recognized standards and best practices
  • A comprehensive report on the organization's third-party risk management practices and capabilities that includes peer performance comparisons

For additional information, consult the Election Infrastructure Security Resource Guide. To schedule an assessment, contact cyberadvisor@cisa.dhs.gov.


EDM Downloadable Resources

Available are the downloadable content and guides for the EDM Assessment.

1. EDM Assessment [PDF]: Downloadable PDF copy of the EDM Assessment so that a user can employ the EDM assessment for self-evaluation purposes within their organization. They can also leverage it as a “dry run” prior to an onsite assessment facilitated by a DHS Cybersecurity Advisor, which is arranged by contacting the Cyber Advisor email listed above.

2. EDM User Guide [PDF]: This guide contains the overall description of the EDM along with detailed steps and explanations for how to conduct an EDM self-assessment at an organization.

3. EDM Master Guidance [PDF]: This document contains the entire EDM assessment question set along with guidance on how to interpret and answer each of the questions contained within the self-assessment package.

4. EDM NIST Cyber Security Framework Crosswalk [PDF]: This document provides a cross-reference chart for each of the categories in the NIST Cybersecurity Framework and how they align to the EDM and other references.

EDM Self-Assessment Package: This page contains the entire EDM assessment in PDF form and all supplementary documentation.

To schedule a facilitated assessment, contact cyberadvisor@cisa.dhs.gov.

No data collected during this assessment will be used for regulatory purposes or publicly disclosed.

Cyber Infrastructure Survey

The Cyber Infrastructure Survey evaluates the effectiveness of organizational security controls, cybersecurity preparedness, and the overall resilience of an organization’s cybersecurity ecosystem. This survey provides a service-based view, as opposed to a programmatic view, of cybersecurity. An organization’s critical services are assessed against more than 80 cybersecurity controls grouped into the following 5 top-level domains:

  1. Cybersecurity Management
  2. Cybersecurity Forces
  3. Cybersecurity Controls
  4. Cybersecurity Incident Response
  5. Cybersecurity Dependencies

After completing the survey, the organization will receive a user-friendly dashboard to review the results and findings of the survey. Completing the Cyber Infrastructure Survey will provide an organization with the following:

  • Effective assessment of critical service cybersecurity controls
  • Interactive dashboard to support cybersecurity planning and resource allocation
  • Peer performance data visually depicted on the dashboard

For additional information, consult the Election Infrastructure Security Resource Guide. To schedule a Cyber Infrastructure Survey, contact cyberadvisor@cisa.dhs.gov.


No data collected during this assessment will be used for regulatory purposes or publicly disclosed.

Remote Penetration Testing

Simulates the tactics and techniques of real-world adversaries to identify and validate exploitable pathways. This service is ideal for testing perimeter defenses, the security of externally-available applications, and the potential for exploitation of open source information.

Web Application Scanning

Evaluates known and newly discovered publicly accessible websites for potential bugs and weak configurations, and provides recommendations for mitigating web application security risks.

Cyber Security Evaluation Tool (CSET®)

The Cyber Security Evaluation Tool (CSET®) is a stand-alone desktop application that guides asset owners and operators through a systematic process of evaluating Operational Technology and Information Technology.

After completing the evaluation, the organization will receive reports that present the assessment results in both a summarized and detailed manner. The organization will be able to manipulate and filter content in order to analyze findings with varying degrees of granularity.

The CSET Download has moved to GitHub: https://github.com/cisagov/cset/releases

You can also find older legacy versions of the software on GitHub.

(this is taken from https://us-cert.cisa.gov/ics/Downloading-and-Installing-CSET)

For additional information on CSET®, consult https://github.com/cisagov/cset/releases, or email CSD_VM_Methodology@cisa.dhs.gov.

More Cybersecurity Services

Discover more CISA cybersecurity services with the CISA Services Catalog. The catalog is all of CISA, all in one place: a single resource that provides users with access to information on services across all of CISA’s mission areas that are available to Federal Government; State, Local, Tribal and Territorial Government; Private Industry; Academia; NGO and Non-Profit; and General Public stakeholders. The catalog is interactive, allowing users to filter and quickly home in on applicable services with just a few clicks.
