Cyber Resource Hub

The Cybersecurity and Infrastructure Security Agency offers a range of cybersecurity assessments that evaluate operational resilience, cybersecurity practices, organizational management of external dependencies, and other key elements of a robust and resilient cyber framework. These professional, no-cost assessments are provided upon request on a voluntary basis and can help any organization with managing risk and strengthening the cybersecurity of our Nation's critical infrastructure.

Assessment Evaluation and Standardization

The Cybersecurity and Infrastructure Security Agency (CISA) Vulnerability Management team offers the Assessment Evaluation and Standardization (AES) program, which is available to federal, state, local, tribal, and territorial governments, critical infrastructure, and federal agency partners. The program is designed to enable organizations to have a trained individual who can perform several cybersecurity assessments and reviews in accordance with industry and/or federal information security standards.

For more information on the AES program, visit cisa.gov/aes.

Vulnerability Scanning

Vulnerability Scanning evaluates an organization's external network presence by executing continuous scans of its public, static IPv4 addresses for accessible services and vulnerabilities. This service provides weekly vulnerability reports and ad-hoc alerts.

For more information on this service and how to sign up, please email Vulnerability Scanning.

Cyber Resilience Review

The Cyber Resilience Review (CRR) is an interview-based assessment that evaluates an organization’s operational resilience and cybersecurity practices. This assessment is derived from the CERT Resilience Management Model (CERT-RMM), a process improvement model developed by Carnegie Mellon University’s Software Engineering Institute for managing operational resilience. The Cyber Resilience Review evaluates the maturity of an organization’s capacities and capabilities in performing, planning, managing, measuring, and defining cybersecurity capabilities across the following 10 domains:

  1. Asset Management
  2. Controls Management
  3. Configuration and Change Management
  4. Vulnerability Management
  5. Incident Management
  6. Service Continuity Management
  7. Risk Management
  8. External Dependency Management
  9. Training and Awareness
  10. Situational Awareness

Receiving a Cyber Resilience Review will provide an organization with a more robust awareness of its cybersecurity posture by providing and facilitating the following:

  • Improved enterprise-wide awareness of the need for effective cybersecurity management
  • A review of capabilities essential to the continuity of critical services during operational challenges and crises
  • Integrated peer performance comparisons for each of the 10 domains covered in the assessment
  • A comprehensive final report that includes options for improvement

This assessment is available as a self-assessment or a CISA-facilitated assessment. The Cyber Resilience Review (CRR) resource guides were developed to help organizations implement practices identified as considerations for improvement in a CRR report. The guides were developed for organizations that have participated in a CRR, but they are useful to any organization interested in implementing or maturing operational resilience capabilities for critical cyber-dependent services. The CRR captures an understanding and qualitative measurement of an organization’s operational resilience and its ability to manage operational risks to critical services and their associated assets.

Each resource guide can be used and downloaded independently. Organizations using more than one resource guide will be able to make use of complementary materials and suggestions.

** Please note: There is legacy content regarding CRR, EDM, and CIS within some legacy US-CERT environments, but for the latest up-to-date content please use the CISA Cyber Hub page.

CRR Downloadable Resources

** Note: These documents have features that may not work in certain web browsers. For best use, please open using Internet Explorer.

Available are the downloadable content and guides for the CRR Self-Assessment.

  1. CRR Self-Assessment [PDF]: Downloadable PDF copy of the CRR Self-Assessment so that a user can employ the CRR for self-evaluation purposes for their organization, or leverage it as a “dry run” prior to an onsite assessment facilitated by a DHS cybersecurity professional.
  2. CRR User Guide [PDF]: This guide contains the overall description of the CRR along with detailed steps and explanations for how to conduct a CRR self-assessment at an organization.
  3. CRR Question Set with Guidance [PDF]: This document contains the entire CRR self-assessment question set along with guidance on how to interpret and answer each of the questions contained within the self-assessment package.
  4. CRR NIST Framework Crosswalk [PDF]: This document provides a cross-reference chart for each of the categories in the NIST Cybersecurity Framework and how they align to the CRR and other references.

For additional information, consult the Election Infrastructure Security Resource Guide. Note: to schedule an assessment, contact central@cisa.gov.

No data collected during this assessment will be used for regulatory purposes or publicly disclosed.

External Dependencies Management Assessment

The External Dependencies Management (EDM) Assessment is an interview-based assessment that evaluates an organization’s management of external dependencies. This assessment focuses on the relationship between an organization’s high-value services and assets—such as people, technology, facilities, and information—and evaluates how the organization manages risks derived from its use of the Information and Communications Technology (ICT) Supply Chain in the delivery of services. Although the EDM assessment is normally carried out by a CISA Cyber Security Professional, the EDM is also available in PDF so an organization can benefit from it and/or prepare prior to the coordinated assessment with a CISA Cyber Advisor. The External Dependencies Management Assessment evaluates the maturity and capacity of an organization’s external dependencies risk management across the following three areas:

  1. Relationship formation
  2. Relationship management and governance
  3. Service protection and sustainment

Participating in an External Dependencies Management Assessment will provide an organization with an informed understanding of its ability to respond to external dependency risks by providing and facilitating the following:

  • Opportunity for internal discussion of vendor-related issues and the organization's reliance upon external entities in order to provide services
  • Improvement options for consideration derived from recognized standards and best practices
  • A comprehensive report on the organization's third-party risk management practices and capabilities that includes peer performance comparisons

For additional information, consult the Election Infrastructure Security Resource Guide. To schedule an assessment, contact central@cisa.gov.


EDM Downloadable Resources

** Note: These documents have features that may not work in certain web browsers. For best use, please open using Internet Explorer.

Available are the downloadable content and guides for the EDM Assessment.

  1. EDM Assessment [PDF]: Downloadable PDF copy of the EDM Assessment so that a user can employ the EDM assessment for self-evaluation purposes for their organization. They can also leverage it as a “dry run” prior to an onsite assessment facilitated by a DHS Cybersecurity Advisor. This is accomplished by contacting the Cyber Advisor contact email listed above.
  2. EDM User Guide [PDF]: This guide contains the overall description of the EDM along with detailed steps and explanations for how to conduct an EDM self-assessment at an organization.
  3. EDM Primary Guidance [PDF]: This document contains the entire EDM assessment question set along with guidance on how to interpret and answer each of the questions contained within the self-assessment package.
  4. EDM NIST Cyber Security Framework Crosswalk [PDF]: This document provides a cross-reference chart for each of the categories in the NIST Cybersecurity Framework and how they align to the EDM and other references.

To schedule a facilitated assessment, contact central@cisa.gov.

No data collected during this assessment will be used for regulatory purposes or publicly disclosed.

Cyber Infrastructure Survey

The Cyber Infrastructure Survey evaluates the effectiveness of organizational security controls, cybersecurity preparedness, and the overall resilience of an organization’s cybersecurity ecosystem. This survey provides a service-based view, as opposed to a programmatic view, of cybersecurity. An organization’s critical services are assessed against more than 80 cybersecurity controls grouped into the following 5 top-level domains:

  1. Cybersecurity Management
  2. Cybersecurity Forces
  3. Cybersecurity Controls
  4. Cybersecurity Incident Response
  5. Cybersecurity Dependencies

After completing the survey, the organization will receive a user-friendly dashboard to review the results and findings of the survey. Completing the Cyber Infrastructure Survey will provide an organization with the following:

  • Effective assessment of critical service cybersecurity controls
  • Interactive dashboard to support cybersecurity planning and resource allocation
  • Peer performance data visually depicted on the dashboard

For additional information, consult the Election Infrastructure Security Resource Guide. To schedule a Cyber Infrastructure Survey, contact central@cisa.gov.


No data collected during this assessment will be used for regulatory purposes or publicly disclosed.

Cyber Security Evaluation Tool (CSET®)

The Cyber Security Evaluation Tool (CSET®) is a stand-alone desktop application that guides asset owners and operators through a systematic process of evaluating Operational Technology and Information Technology. After completing the evaluation, the organization will receive reports that present the assessment results in both a summarized and a detailed manner. The organization will be able to manipulate and filter content in order to analyze findings with varying degrees of granularity. CSET includes the Cyber Resilience Review and the Cyber Infrastructure Survey.

On June 30, 2022, CISA Current Activity announced that CSET now includes a new module: the Ransomware Readiness Assessment (RRA). The RRA is a self-assessment based on a tiered set of practices to help organizations better assess how well they are equipped to defend against and recover from a ransomware incident; completing the RRA is recommended.

Services Catalog

Discover more CISA cybersecurity services with the CISA Services Catalog. The catalog is all of CISA, all in one place – a single resource that provides users with access to information on services across all of CISA’s mission areas that are available to Federal Government; State, Local, Tribal and Territorial Government; Private Industry; Academia; NGO and Non-Profit; and General Public stakeholders. The catalog is interactive, allowing users to filter and quickly home in on applicable services with just a few clicks.

Free Public and Private Sector Cybersecurity Tools and Services

As part of our continuing mission to reduce cybersecurity risk across U.S. critical infrastructure partners and state, local, tribal, and territorial governments, CISA has compiled a list of free public and private sector cybersecurity services and tools to help organizations further advance their security capabilities.