
Enterprise Risk and Resilience

Created November 2017

Can your organization survive a disruptive cyber event? A comprehensive and integrated approach to cybersecurity is the only viable path to achieving predictability in uncertain times. Our experts in the CERT Division conduct cybersecurity research and create models, tools, and methods to empower organizations to gain justified confidence in their cybersecurity posture.

Cyber Disruptions Are Inevitable—Your Organization’s Survival Is Not

Your organization cannot anticipate every disruption or prevent every cyber attack. You must be able to anticipate and respond to changes in your risk environment at a moment’s notice and be ready to continue operations and meet your mission when disruptions occur.

Accomplishing this continuity of operations requires a resilience approach to cybersecurity—an integrated, holistic way to manage security risks, business continuity, disaster recovery, and IT operations—in the context of your business mission and strategy. Managing risk to critical assets by optimizing both protection and continuity strategies prepares your organization for a broad range of outcomes.

Our Tools, Your Operational Resilience

Our cybersecurity research and solutions enable your organization to apply cyber risk and resilience management models and methods to assess and improve its operational resilience, manage operational risks, define meaningful metrics, and ensure mission success.

Our research spans the planning, integration, execution, and governance of operational resilience in the ever-changing cyber and technological landscape. We leverage that research to develop best practices, resilience management models, and other methods and tools for assessing and improving enterprise security and operational resilience.

As a trusted partner, we help organizations

  • identify and mitigate operational risks that could lead to service disruptions before they occur
  • prepare for and respond to disruptive events (realized risks) in a way that demonstrates command and control of incident response and service continuity
  • recover and restore mission-critical services and operations after an incident within acceptable time frames
  • educate and train their workforces in cyber risk and resilience management

Dependencies Matter

Organizations incur potential risk to their missions and key services any time they depend on external entities for information and technology. Examples include breaches due to a third party's failure to protect data, poor integrity of hardware and software deployed within an organization, or malicious use of trusted third-party relationships to gain access to or harm the organization.

Our approach to managing supply chain risk, also called third-party risk, is founded on

  • a risk-based approach
  • acceptance of constant change
  • a well-established body of work

We offer many resources to help organizations manage their supply chain risk, from blogs and webinars to in-person assessments of organizations' external dependencies management. These resources can help your organization

  • determine the maturity of its external dependencies management
  • draft better contracts with third parties
  • build relationships with the right third parties
  • maintain awareness of changes and vulnerabilities that might affect suppliers

Evaluation Beyond Compliance and Penetration Testing

Our experienced team also develops organizational assessments based on our risk and resilience solutions. These tools and methods empower organizations to gain justified confidence in their cybersecurity posture. We draw on well-established principles of process measurement, such as the CERT® Resilience Management Model (CERT®-RMM), and leading-edge technical vulnerability assessment methods in developing solutions. Our approach takes assessment beyond the routine compliance checklist and traditional penetration testing, instead delivering measures of capability.

Our researchers, engineers, and subject-matter experts often lead the national conversation on critical infrastructure protection and supply chain risk management. And we have measured and evaluated organizations of all sizes and compositions. Deriving practical tools and methods from the best concepts that academia has to offer and best practices from private industry is at the heart of our work.

Software and Tools

CERT Resilience Management Model (CERT-RMM) Version 1.2

February 2016

CERT-RMM, the foundation for a process improvement approach to operational resilience management, defines the practices needed to manage operational resilience.


CERT Resilience Management Model: A Maturity Model for Managing Operational Resilience

November 2010

In this book, the authors present best practices for managing the security and survivability of people, information, technology, and facilities.


Learn More

Incident Management Capability Assessment

December 19, 2018 Technical Report
Audrey J. Dorofee, Robin Ruefle, Mark Zajicek

Managing incidents that threaten an organization's computer security is complex. The capabilities presented here provide a benchmark of incident management practices.

Blog Expands to Cover More

November 01, 2017 Blog Post
Summer Fowler

You've known this blog as the Insider Threat blog, and this will continue to be your go-to source as we share our findings and explore the impact insider threat has on information technology and human resources practices and policies. Our...

SEI Cyber Minute: Cyber Security Risk Oversight

July 26, 2017 Video
Summer C. Fowler

Watch Summer Fowler as she discusses "Cyber Security Risk Oversight" in this SEI Cyber Minute.

SEI Cyber Minute: Enterprise Risk Management

May 16, 2017 Video
Summer C. Fowler

Watch Summer Fowler in this SEI Cyber Minute as she discusses "Enterprise Risk Management".