NRMC Resources

This page provides National Risk Management Center (NRMC) outreach materials, information, and guides. Download and share these NRMC resources to enhance critical infrastructure security and resilience.

New Resources

• CISA Insights: Risk Considerations for Managed Service Provider Customers: This resource provides a framework that government and private sector organizations (to include small and medium-sized businesses) outsourcing some level of IT support to MSPs can use to better mitigate against third-party risk.

• We’re excited to share two videos showcasing CISA's Resilience Series graphic novels: the Real Fake trailer and the Bug Bytes trailer. Inspired by real events, Real Fake and Bug Bytes demonstrate the dangers and risks associated with mis-, dis-, and malinformation, and how threat actors capitalize on political and social issues to spread inaccurate information to targeted audiences to steer their opinion. 

• Sign Up for a .gov Domain: Information for Election Officials: This fact sheet explains the importance for election officials to sign up for a .gov domain. Election officials continue to combat false and misleading election information, making it increasingly difficult to identify trusted sources of information. As the Agency that oversees the .gov top-level domain, CISA provides .gov domains for election offices to help the public quickly identify accurate election information.

• CISA Insights: Chain of Custody and Critical Infrastructure Systems. This CISA Insights provides critical infrastructure owners/operators an overview of what chain of custody is, highlights the potential impacts and risks resulting from a broken chain of custody, and offers an initial framework for securing chain of custody for their physical and digital assets.

• Threat Scenarios Report (Version 3): Developed by the ICT Supply Chain Risk Management (SCRM) Task Force, this report provides a practical, example-based guidance on supplier SCRM threat analysis and evaluation that can be applied by procurement or source selection officials. The latest version adds the assessment of products and services to include scenario-specific impacts and mitigating controls to the supplier threat scenarios.

Fact Sheets and CISA Insights

• CISA Insights: Risk Considerations for Managed Service Provider Customers *new resource
• ICT Supply Chain Risk Management (SCRM) Fact Sheet
• ICT Supply Chain Risk Management (SCRM) Task Force Fact Sheet
• National Critical Functions (NCF) Fact Sheet 
• National Risk Management Center (NRMC) Fact Sheet 
• Pipeline Cybersecurity Initiative (PCI) Fact Sheet 
• Time - The Invisible Utility: two quick reference guides designed for organization leaders (corporate level) and IT professionals and staff (technical level) on the importance of accurate and resilient timing.
  • Corporate-level Fact sheet (for organization leaders)
  • Technical-level Fact sheet (for IT and staff)
• Sign Up for a .gov Domain: Information for Election Officials Fact Sheet *new resource
• Systemic Cyber Risk Reduction Venture Fact Sheet 
• Understanding Vulnerabilities of Positioning, Navigation, and Timing (PNT) fact sheet 

Infographics and Graphic Novels

• 5G Basics Infographic 
• 5G Market Penetration and Risk Factors Infographic
• ICT Supply Chain Risks Infographic
• ICT Supply Chain Risk Management (SCRM) Essentials
• National Critical Functions (NCF) Set
• Pipeline Cyber Risk Mitigation Infographic 
• Port Facility Cybersecurity Risks Infographic 
• Resilience Series: Bug Bytes Graphic Novel *new resource
• Resilience Series: Real Fake Graphic Novel 
• Risk to Critical Infrastructure: Telecommunications Central Offices Infographic 

Papers, Reports, and Toolkits

• Defending Against Software Supply Chain Attacks 
• 5G: Edge vs. Core - An Increasingly Less Pronounced Distinction in 5G Networks 
• 5G: Overview of Risks Introduced by 5G Adoption in the United States
• Electromagnetic Pulse (EMP) Program Status Report 
• ICT SCRM: Paper on Executive Order 13873 Response: Methodology for Assessing the Most Critical Information and Communication Technologies (ICT) and Services
  • Frequently Asked Questions: DHS's ICT Methodology in Support of EO 13873
• ICT Supply Chain Risk Management Toolkit 
• NCFs: Status Update to the Critical Infrastructure Community 
• NCFs: Overview of the National Critical Functions
• Potential Threat Vectors to 5G Infrastructure 
• PNT: Report on Positioning, Navigation, and Timing (PNT) Backup and Complementary Capabilities to the GPS
• PNT: Time Guidance for Network Operators, Chief Information Officers, and Chief Information Security Officers 

ICT Supply Chain Risk Management (SCRM) Task Force Products

• ICT SCRM Task Force: Interim Report
• ICT SCRM Task Force: Lessons Learned During the Covid-19 Pandemic 
• ICT SCRM Task Force: Threat Scenarios Report (Version 1)
• ICT SCRM Task Force: Threat Scenarios Report (Version 2) 
• ICT SCRM Task Force: Threat Scenarios Report (Version 3) *new resource
• ICT SCRM Task Force: Year Two Report 
• ICT SCRM Task Force: Report on Mitigating ICT Supply Chain Risks with Qualified Bidder and Manufacturer Lists 
• ICT SCRM Task Force: Vendor SCRM Template 

Election Security Resources

These voluntary resources were developed by the Election Infrastructure Subsector’s Government Coordinating Council (GCC) and Sector Coordinating Council (SCC) to assist election officials and voters prepare for impacts to possible COVID-19 related impacts to upcoming elections. 

COVID-19 & Election Security

• Ballot Drop Box: Deploying ballot drop boxes in support of increased mail voting, including considerations like security, chain of custody, and estimating the number of boxes needed.
• Election Education and Outreach for Increased Absentee or Mail Voting: Strategies for outreach to legislators/policy makers, parties, campaigns, advocacy groups, voters, and others to educate them on absentee voting and vote by mail. 
• Electronic Ballot Delivery and Marking: Helping jurisdictions determine whether expanded electronic ballot delivery and marking options is appropriate for them.  
• Helping Voters to Request a Mail-in Ballot: Public messaging and outreach to apprise voters of the application process for requesting mail-in ballots.
• Importance of Accurate Voter Data When Expanding Absentee or Mail Ballot Voting: Risks associated with inaccurate voter records and considerations for securing voter registration data.
• Inbound Ballot Process: Receipt and processing of increased volume of inbound mail ballots. 
• Managing an Increase in Outbound Ballots: FAQs and recommendations for working with vendors, the U.S. Postal Service, and others for handling increased volume of outgoing mail ballots.  
• Signature Verification and Cure Process: Processes for verifying signatures and giving voters the opportunity to remedy rejected mail ballots.
• Vote By Mail / Absentee Voting Timeline – Excel and PDF: Lays out estimated lead times required for states to consider when implementing processes to support significant increases in mail-in voting.

In-Person Voting Materials

• Assisting Sick, Exposed, Symptomatic, and Quarantined Voters: Guidance with measures for election officials to consider to mitigate the spread of COVID-19 during the November elections.
• Considerations for Modifying the Scale of In-Person Voting: Guidance to election administrators conducting in-person voting on a different scale, and considerations for combining precincts and alternative vote centers.
• Finding Voting Locations and Poll Workers: Outlines challenges election officials may face procuring polling places and poll workers and considerations for increased physical and cybersecurity risks associated with in-person voting.
• Health and Safety at the Polling Place: Guidance to election administrators regarding personal protective equipment (PPE), cleaning and disinfecting, establishing procedures, and considerations for modifying poll working training.
• Innovative Practices and New Solutions Guide: Provides ideas and solutions to  election officials on how to administer and secure election infrastructure.
• Safeguarding Staff and Work Environment from COVID-19: Outlines new safety measures, (i.e., isolating staff and regular disinfecting protocols), providing PPE, exposed employees, and cybersecurity considerations regarding remote work.

#Protect2020 Resources

• #Protect2020 Rumor vs. Reality: This web page addresses some common election-related rumors, provides factual information, and lists the resources to support these facts. 
• Election Infographic Products: A set of five products designed to combat disinformation by equipping election officials, stakeholders, and voters with information on the mail-in voting, post election, and election result processes (which vary by state and/or jurisdictions). 
  • Mail-in Voting Processing Factors Map: A weekly-updated map that offers a visual of the movement in each state’s mail-in ballot processing.
  • Mail-in Voting 2020 Policy Changes Map: A map that offers a visual of changes established to each state as a result of COVID-19.
  • Mail-in Voting Election Integrity Safeguards Infographic: A product that provides the description and in-person equivalent for procedural and physical ballot safeguards.
  • Post Election Process Mapping Infographic: A product that provides a timeline of post-election processes for the Presidential election from close of polls on Election Day, November 3, 2020, to Inauguration Day on January 20, 2021.
  • Election Results Reporting Risk and Mitigations Infographic: A product that provides an overview of the risks associated with results reporting systems and how they are managed through mitigating measures.
    • Note: CISA is committed to providing access to our webpages and documents for individuals with disabilities, both members of the public and federal employees. If the format of any elements or content within these documents interfere with your ability to access the information, as defined in the Rehabilitation Act, please email EISSA@cisa.dhs.gov. To enable us to respond in a manner most helpful to you, please indicate the nature of your accessibility problem and the preferred format in which to receive the material.
• Election Disinformation Toolkit: A toolkit for election officials to emphasize their role as “trusted voices” for election information, and to spread the importance of “we’re all in this together” in reducing the impacts of disinformation campaigns on the 2020 elections. 
• Election Risk Profile Tool 
• 3 P’s of Voting: An infographic to help voters understand the importance of their engagement (by being prepared, participating, and being patient) in the 2020 election season.
• Cyber Incident Detection and Notification Planning Guide for Election Security 
• Election Infrastructure Cyber Risk Assessment and Infographic 
• FBI-CISA Public Service Announcement - Spoofed Internet Domains Pose Cyber and Disinformation Risks to Voters: The FBI and CISA are issuing this announcement to help the public recognize and avoid spoofed election-related internet domains during the 2020 election year. 
• FBI-CISA Public Service Announcement - Foreign Actors Likely to Use Online Journals to Spread Disinformation Regarding 2020 Elections: The FBI and CISA are issuing this announcement to raise awareness of the potential threat posed by foreign-backed online journals that spread disinformation regarding the 2020 elections. 
• FBI-CISA Public Service Announcement - DDOS Attacks on Election Infrastructure Can Hinder Access to Voting Information, Would Not Prevent Voting: The FBI and CISA are issuing this announcement to raise awareness that Distributed Denial of Service (DDoS) attacks on election infrastructure can hinder access to voting information but would not prevent voting. 
• FBI-CISA Public Service Announcement - False Claims of Hacked Voter Information Likely Intended to Cast Doubt on Legitimacy of U.S. Elections: The FBI and CISA are issuing this announcement to raise awareness of the potential threat posed by attempts to spread disinformation regarding cyberattacks on U.S. voter registration databases or voting systems. 
• FBI-CISA Public Service Announcement - Cyber Threats to Voting Processes Could Slow But Not Prevent Voting: The FBI and CISA are issuing this announcement to inform the public that attempts by cyber actors to compromise election infrastructure could slow but not prevent voting. 
• FBI-CISA Public Service Announcement - Foreign Actors and Cybercriminals Likely to Spread Disinformation Regarding 2020 Election Results: The FBI and CISA are issuing this announcement to raise awareness of the potential threat posed by attempts to spread disinformation regarding the results of the 2020 elections.
• Guide to Vulnerability Reporting for America’s Election Administrators 
• Mail-in Voting in 2020 Infrastructure Risk Assessment and Infographic 
• Physical Security of Voting Locations and Election Facilities 
• The War on Pineapple: Understanding Foreign Interference in 5 Steps Infographic
• Tools of Disinformation: Inauthentic Content: This product (available in English and Spanish) highlights the tactics used by disinformation campaigns such as manipulating audio and videos, conducting forgeries, and developing proxy websites in order to undermine public confidence and sow confusion. *new resource
• Social Media Bots Overview Infographic
• Disinformation Stops With You 
  • Recognize the Risk
  • Question the Source
  • Investigate the Issue
  • Think Before You Link
  • Talk to Your Circle

Policy Documents | Guidance

• CISA Strategic Intent
• CISA 5G Strategy 
• CISA #Protect2020 Strategic Plan
• National Infrastructure Protection Plan (NIPP) 2013