CERT-SEI

Cyber Risk and Resilience Management

New SEI Report Describing the GQIM Approach

This report describes a November 2014 workshop that introduced the Goal-Question-Indicator-Metric (GQIM) approach.
Learn more about GQIM

New Podcast on Cyber Insurance

Jim Cebula and David White discuss cyber insurance and its potential role in reducing operational and cybersecurity risk.
Listen to the podcast

CERT-RMM and USPIS Collaboration

Learn how the U.S. Postal Inspection Service (USPIS) uses CERT-RMM to improve the resilience of its products and services.
Read about this collaboration

Operational Resilience Webinar

Our webinar, CERT Operational Resilience: Manage, Protect, and Sustain, showcased the application of resilience models to operationalize risk management and solve hard problems in enterprise security.
View the webinar

OCTAVE Course

Take a three-day course or eLearning course to learn to perform information security risk assessments using the OCTAVE method.
Learn to use the OCTAVE method

CERT-RMM Book

The latest version of CERT-RMM is available in book form and is published as part of the SEI Series on Software Engineering.
Learn more about the book

CERT-RMM

Version 1.0 of the CERT Resilience Management Model (CERT-RMM) includes individual process areas that cover the topic areas that are relevant to you.
Download CERT-RMM

Our Mission: We enable organizations to manage operational risks and ensure mission success by performing research, designing and developing models and techniques, and deploying capabilities that improve organizations' security and resilience posture.

Organizations cannot plan for every disruption. They need to be able to handle changes in their risk environment at a moment's notice and with a predictable level of performance. Organizations can no longer expect to prevent every cyber attack. They must be ready to continue operations and meet their mission when disruption occurs. To accomplish this mission, organizations must take a structured approach to managing security risks, business continuity, and information technology operations within the context of their business objectives. Our team of researchers, cyber risk specialists, and security governance experts works diligently to define best practices and provide methods for managing operational risk and resilience.

Using a resilience approach, organizations focus on managing risk to critical assets by optimizing both protection and continuity strategies to prepare for a broad range of outcomes. How can your organization become resilient?

We provide frameworks and models to improve your organization's security posture.

Our tools and methods, such as CERT-RMM, OCTAVE, SGMM, and ES-C2M2, are used to measure an organization's capabilities, identify improvement gaps, and enable data-driven decisions.

We help you understand risk and resilience issues and how to address them.

We offer workshops, training courses, and services to help you measure your current competency, set improvement targets, and establish plans and actions to close any identified gaps.

We research new ways to manage cyber risks.

We are currently researching new security and resilience improvement capabilities, how to prioritize security spending, the growing impact of cyber risk insurance, and approaches to improving cybersecurity governance.

Engage with Us

There are multiple opportunities for you to engage with us. We offer workshops, training, appraisals, and even opportunities to develop derivative models based on the CERT-RMM.

Publications & Media

CERT Resilience Management Model: A Maturity Model for Managing Operational Resilience

In this book, the authors present best practices for managing the security and survivability of people, information, technology, and facilities.

CERT-RMM User Panel Discussion: USPIS, DHS, DoE, SunGard, & Lockheed Martin
In this webinar from the SEI Virtual Event, CERT Operational Resilience: Manage, Protect, and Sustain, members of the CERT-RMM User Panel discuss their experiences implementing CERT-RMM.

The Smart Grid Maturity Model Around the World
In this webinar, Jeffrey H. Ferris introduces the Smart Grid Maturity Model (SGMM), a management tool designed to help any utility, anywhere, plan its journey toward grid modernization with no customization required.

Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)
In this webinar from the SEI Virtual Event, CERT Operational Resilience: Manage, Protect, and Sustain, James Stevens discusses the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2).

Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process

In this 2007 report, the authors highlight the design considerations and requirements for OCTAVE Allegro based on field experience.