Cyber Risk and Resilience Management

CERT-RMM and USPIS Collaboration

Learn how the U.S. Postal Inspection Service (USPIS) uses CERT-RMM to improve the resilience of its products and services.
Read about this collaboration

New Podcast

Jim Cebula discusses a taxonomy that provides organizations with a common language and terminology they can use to discuss, document, and mitigate operational cybersecurity risks.
Listen to the podcast

Operational Resilience Webinar

Our webinar, CERT Operational Resilience: Manage, Protect, and Sustain, showcased the application of resilience models to operationalize risk management and solve hard problems in enterprise security.
View the webinar


Take a three-day course or eLearning course to learn to perform information security risk assessments using the OCTAVE method.
Learn to use the OCTAVE method


The latest version of CERT-RMM is available in book form and is published as part of the SEI Series on Software Engineering.
Learn more about the book


Version 1.0 of the CERT Resilience Management Model (CERT-RMM) includes individual process areas that cover the topic areas that are relevant to you.
Download CERT-RMM

Our Mission: We enable organizations to measure and manage operational risks and ensure mission success by performing research; designing and developing models, tools, and techniques; and deploying capabilities that improve organizations' cybersecurity and resilience.

A resilient organization meets its commitments and objectives with consistency and predictability in the face of changing risk environments and potential disruptions. How can your organization become resilient?

As a trusted broker, the CERT Division of the SEI has developed cyber risk and resilience management approaches to help your organization achieve resilience.

We define best practices for managing operational resilience.

We developed the CERT Resilience Management Model (CERT-RMM) to provide guidance to organizations that wish to use a process improvement approach to improve their operational resilience. We update this model as we discover more strategies for improving resilience.

We provide methods for identifying and managing cyber risk.

To help organizations identify and manage their cyber risks predictably, we developed the OCTAVE method.

Engage with Us

Help inform our research. Share what has worked for you, or let us know if you need support from our team.

Contact Us

News & Announcements

Publications & Media

CERT Resilience Management Model, Version 1.0
In this report, the authors present CERT-RMM, an approach to managing operational resilience in complex, risk-evolving environments.

CERT Resilience Management Model: A Maturity Model for Managing Operational Resilience
In this book, the authors present best practices for managing the security and survivability of people, information, technology, and facilities.

Analyzing Cases of Resilience Success and Failure—A Research Study
In this report, the authors describe research aimed at helping organizations to know the business value of implementing resilience processes and practices.

SEI Technologies Forum: Measuring Operational Resilience
In this presentation, Julia Allen suggests 10 strategic resilience measures and the means to derive them for improving organizational security measurements.

Managing Disruptive Events—CERT-RMM Experience Reports
In this podcast, the participants describe four experience reports that demonstrate how the CERT-RMM can be applied to manage operational risks.

Introduction to the OCTAVE Approach
In this 2003 report, the authors describe the OCTAVE method, an approach for managing information security risks.

Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process
In this 2007 report, the authors highlight the design considerations and requirements for OCTAVE Allegro based on field experience.

OCTAVE-S Implementation Guide, Version 1
In this 2005 handbook, the authors provide detailed guidelines for conducting an OCTAVE-S evaluation.