Multi-Asset and System Assessment (MASA)

Developer/Partners: DHS (N/A)

Relevant Hazard/Threat(s): All hazards

Intent: Assessment process applicable to systems, campuses, and clusters. MASA collects data at the enterprise and asset levels and provides the following: a ranked list of assets based on criticality, applicable attack types by asset, and vulnerabilities and options for consideration, all within an integrated output (GIS, data, results).

A MASA is a process led by a CISA Protective Security Advisor and informed by a variety of enterprise personnel (e.g. facilities manager, engineering, chief information officer, security manager, HR, etc.). The process is intended to evaluate a systems vulnerability to up to 17 attack types and identify actions to take to mitigate these vulnerabilities. These phases include: 1) preliminary approvals, background collection and asset identification, 2) enterprise-level assessment, facilitated criticality discussions and attack type identification; 3) site visits and vulnerability assessments; 4) development of options and a draft report; and 5) final product development.

Inputs: The Cybersecurity and Infrastructure Security Agency (CISA) conducts a MASA in collaboration with the infrastructure owner of the enterprise and various assets. The Protective Security Advisor leads the coordination and includes support staff from multiple
Outputs: Report outputs include: enterprise and asset data, ranked list of assets, options for consideration, interactive maps, vulnerability indices, and security and  dependency dashboards.

MASAs are only available if scheduled through CISA's PSAs