Cyber Resource Hub


In order to assist a variety of stakeholders to ensure the cybersecurity of our Nation's critical infrastructure, CISA offers a range of cybersecurity assessments that evaluate operational resilience, cybersecurity practices, organizational management of external dependencies, and other key elements of a robust cybersecurity framework. CISA's cybersecurity assessment services are offered solely on a voluntary basis and are available upon request.

Vulnerability Scanning

Evaluates external network presence by executing continuous scans of public, static IPs for accessible services and vulnerabilities. This service provides weekly vulnerability reports and ad-hoc alerts.

Phishing Campaign Assessment

Provides an opportunity for determining the potential susceptibility of personnel to phishing attacks. This is a practical exercise intended to support and measure the effectiveness of security awareness training.

Risk and Vulnerability Assessment

A Risk and Vulnerability Assessment (RVA) collects data through onsite assessments and combines it with national threat and vulnerability information in order to provide an organization with actionable remediation recommendations prioritized by risk. This assessment is designed to identify vulnerabilities that adversaries could potentially exploit to compromise network security controls. Methodologies that a Risk and Vulnerability Assessment may incorporate include the following:

  • Scenario-based network penetration testing
  • Web application testing
  • Social engineering testing
  • Wireless testing
  • Configuration reviews of servers and databases
  • Detection and response capability evaluation

After completing the Risk and Vulnerability Assessment, the organization will receive a final report that includes business executive recommendations, specific findings and potential mitigations, as well as technical attack path details. An optional debrief presentation summarizing preliminary findings and observations is also available.

For additional information, consult the Election Infrastructure Security Resource Guide. To schedule a Risk and Vulnerability Assessment, contact CISAServiceDesk@cisa.dhs.gov.

Cyber Resilience Review

The Cyber Resilience Review (CRR) is an interview-based assessment that evaluates an organization’s operational resilience and cybersecurity practices. This assessment is derived from the CERT Resilience Management Model (CERT-RMM), a process improvement model developed by Carnegie Mellon University’s Software Engineering Institute for managing operational resilience. The Cyber Resilience Review evaluates the maturity of an organization’s capacities and capabilities in performing, planning, managing, measuring, and defining cybersecurity capabilities across the following 10 domains:

  1. Asset Management
  2. Controls Management
  3. Configuration and Change Management
  4. Vulnerability Management
  5. Incident Management
  6. Service Continuity Management
  7. Risk Management
  8. External Dependency Management
  9. Training and Awareness
  10. Situational Awareness

Receiving a Cyber Resilience Review will provide an organization with a more robust awareness of its cybersecurity posture by providing and facilitating the following:

  • Improved enterprise-wide awareness of the need for effective cybersecurity management
  • A review of capabilities essential to the continuity of critical services during operational challenges and crises
  • Integrated peer performance comparisons for each of the 10 domains covered in the assessment
  • A comprehensive final report that includes options for improvement

This assessment is available as a self-assessment or a CISA-facilitated assessment. For additional information, consult the Election Infrastructure Security Resource Guide or visit www.us-cert.gov/ccubedvp/assessments. To schedule a facilitated assessment, contact cyberadvisor@hq.dhs.gov.

No data collected during this assessment will be used for regulatory purposes or publicly disclosed.

External Dependencies Management Assessment

The External Dependencies Management (EDM) Assessment is an interview-based assessment that evaluates an organization’s management of external dependencies. This assessment focuses on the relationship between an organization’s high-value services and assets, such as people, technology, facilities, and information, and evaluates how the organization manages risks derived from its use of the Information and Communications Technology (ICT) Supply Chain in the delivery of services. The External Dependencies Management Assessment evaluates the maturity and capacity of an organization’s external dependencies risk management across the following three areas:

  1. Relationship formation
  2. Relationship management and governance
  3. Service protection and sustainment

Participating in an External Dependencies Management Assessment will provide an organization with an informed understanding of its ability to respond to external dependency risks by providing and facilitating the following:

  • Opportunity for internal discussion of vendor-related issues and the organization's reliance upon external entities in order to provide services
  • Improvement options for consideration derived from recognized standards and best practices
  • A comprehensive report on the organization's third-party risk management practices and capabilities that includes peer performance comparisons

For additional information, consult the Election Infrastructure Security Resource Guide. To schedule an assessment, contact cyberadvisor@hq.dhs.gov.

No data collected during this assessment will be used for regulatory purposes or publicly disclosed.

Cyber Infrastructure Survey

The Cyber Infrastructure Survey evaluates the effectiveness of organizational security controls, cybersecurity preparedness, and the overall resilience of an organization’s cybersecurity ecosystem. This survey provides a service-based view, as opposed to a programmatic view, of cybersecurity. An organization’s critical services are assessed against more than 80 cybersecurity controls grouped into the following 5 top-level domains:

  1. Cybersecurity Management
  2. Cybersecurity Forces
  3. Cybersecurity Controls
  4. Cybersecurity Incident Response
  5. Cybersecurity Dependencies

After completing the survey, the organization will receive a user-friendly dashboard to review the results and findings of the survey. Completing the Cyber Infrastructure Survey will provide an organization with the following:

  • Effective assessment of critical service cybersecurity controls
  • Interactive dashboard to support cybersecurity planning and resource allocation
  • Peer performance data visually depicted on the dashboard

For additional information, consult the Election Infrastructure Security Resource Guide. To schedule a Cyber Infrastructure Survey, contact cyberadvisor@hq.dhs.gov.

No data collected during this assessment will be used for regulatory purposes or publicly disclosed.

Remote Penetration Testing

Simulates the tactics and techniques of real-world adversaries to identify and validate exploitable pathways. This service is ideal for testing perimeter defenses, the security of externally available applications, and the potential for exploitation of open-source information.

Web Application Scanning

Evaluates known and discovered publicly accessible websites for potential bugs and weak configurations to provide recommendations for mitigating web application security risks.

Cyber Security Evaluation Tool (CSET®)

The Cyber Security Evaluation Tool (CSET®) is a stand-alone desktop application that guides asset owners and operators through a systematic process of evaluating Operational Technology and Information Technology.

After completing the evaluation, the organization will receive reports that present the assessment results in both a summarized and detailed manner. The organization will be able to manipulate and filter content in order to analyze findings with varying degrees of granularity.

For additional information on CSET®, consult the Election Infrastructure Security Resource Guide or visit https://www.ics-cert.us-cert.gov. To request a physical copy of the software, contact CISAServiceDesk@cisa.dhs.gov.