Assessment Evaluation and Standardization Program
In 2019, CISA launched the Assessment Evaluation and Standardization (AES) program to expand the availability of organizations and individuals qualified to administer cybersecurity assessments in accordance with CISA’s standards and in a manner that provides data back to CISA for risk management purposes.
Today, this program is only available for assessors affiliated with government entities (including federal civilian agencies, the Department of Defense, or State, Local, Tribal, and Territorial governments). CISA’s goal is to expand the AES program to enable assessors in the private sector to participate.
Goals
- Produce a federal and private sector workforce of prepared and qualified assessors.
- Ensure that assessors have the knowledge and skills necessary to conduct assessments according to the CISA standards and methodologies.
- Ensure that assessment results are of high quality, consistent, and repeatable.
Courses
High Value Assets (HVA) Course
The HVA course empowers students to evaluate the federal government’s approach to managing risk and to provide an unbiased, third-party review of the cybersecurity posture and operations of the government’s most critical HVAs.
Cyber Resilience Review (CRR) Course
The CRR course focuses on operational resilience and cybersecurity best practices for critical infrastructure providers. The assessment evaluates the resiliency of all of the assets that support the organization's critical service.
External Dependencies Management (EDM) Course
The EDM course gives students the capability to facilitate an assessment that provides critical infrastructure system owners and operators with an unbiased evaluation of their approach to managing third-party and supply chain dependencies.
Risk and Vulnerability Assessment (RVA) Course
The RVA course gives students the tools they would need to develop an in-depth technical analysis of an organization's security posture by emulating various attack paths discovered and documented by CISA and the cybersecurity industry.
Cybersecurity Performance Goals (CPG) Course
The CPG course is designed to enable students to facilitate a CPG assessment using the Cyber Security Evaluation Tool (CSET). CPGs are a prioritized subset of IT and OT practices that critical infrastructure owners can implement to reduce cyber risk.
Validated Architecture Design Review (VADR) Course
The VADR course enables students to evaluate Operational Technology systems within critical infrastructure networks for secure design and operational intent. The assessment uses a design review and packet analysis to inform a risk profile for owners.
Incident Management Review (IMR) Course
The IMR course equips students with the ability to assess a critical infrastructure organization's Incident Management program. The assessment is part of a U.S. Department of Homeland Security critical infrastructure initiative for incident handling.
Find and Register for a Course
For fiscal year 2023 (FY23), visit the AES Schedule webpage.