CERT-RMM Version 1.2 Release Notes

February 26, 2016—The SEI's CERT Division has made version 1.2 of the CERT® Resilience Management Model (CERT®-RMM) available for download. The new version features numerous enhancements to improve readability and usability and to eliminate redundancies. These release notes describe some of the more significant changes to the model, including those that would affect appraisals.

To download CERT-RMM version 1.2, visit http://www.cert.org/resilience/products-services/cert-rmm/rmm-pa-download.cfm

For more information about CERT-RMM, visit http://www.cert.org/resilience/products-services/cert-rmm/.

Changes to GG2.GP8

The title of generic practice GG2.GP8 was changed to “Measure and Control the Process” in all process areas (PAs), and related changes were made in the practice text. The new title clarifies the association of GG2.GP8 primarily with measurement rather than monitoring.

The examples of process measures in GG2.GP8 were replaced with measures from Measures for Managing Operational Resilience, an SEI technical report. This report presents the results of an effort to carefully review the PA-specific goals and specific practices, and add, correct, combine, or eliminate measures as needed. All measures were edited to improve clarity and consistency, eliminate redundancy, separate compound measures, and eliminate measures of insufficient information value. The report can still be used as a supplement to the GG2.GP8 measures because it provides the following additional information for each measure:

  • measure type (implementation, effectiveness, or process performance)
  • whether the measure is base or derived
  • mapping of the measure to applicable CERT-RMM specific goals and practices

Changes to the Communications Process Area

Structural and content changes were made in the Communications PA. SG2 was deleted and its content was merged with SG1. 

Structure of COMM V1.1

Goals and Practices

COMM:SG1  Prepare for Resilience Communications
  • COMM:SG1.SP1  Identify Relevant Stakeholders
  • COMM:SG1.SP2  Identify Communications Requirements
  • COMM:SG1.SP3  Establish Communications Guidelines and Standards

COMM:SG2  Prepare for Communications Management
  • COMM:SG2.SP1  Establish a Resilience Communications Plan
  • COMM:SG2.SP2  Establish a Resilience Communications Program
  • COMM:SG2.SP3  Identify and Assign Plan Staff

COMM:SG3  Deliver Resilience Communications
  • COMM:SG3.SP1  Identify Communications Methods and Channels
  • COMM:SG3.SP2  Establish and Maintain Communications Infrastructure

COMM:SG4  Improve Communications
  • COMM:SG4.SP1  Assess Communications Effectiveness
  • COMM:SG4.SP2  Improve Communications

Structure of COMM V1.2

Goals and Practices

COMM:SG1  Prepare for Resilience Communications
  • COMM:SG1.SP1  Establish a Resilience Communications Plan
  • COMM:SG1.SP2  Identify Communications Requirements
  • COMM:SG1.SP3  Establish Communications Guidelines and Standards

COMM:SG2  Deliver Resilience Communications
  • COMM:SG2.SP1  Identify Communications Methods and Channels
  • COMM:SG2.SP2  Establish and Maintain Communications Infrastructure
  • COMM:SG2.SP3  Provide Resilience Communications

COMM:SG3  Improve Communications
  • COMM:SG3.SP1  Assess Communications Effectiveness
  • COMM:SG3.SP2  Improve Communications

Changes to the Risk Management PA

Name and structural changes to goals and practices were made in the Risk Management process area. 

Goal names changed

  • RISK:SG3 and RISK:SG4 (“Risk” changed to “Risks”)
  • RISK:SG5 (changed from Mitigate and Control Risk to Address Risks)

Practice names changed

  • RISK:SG4.SP1 and RISK:SG4.SP2 (“Risk” changed to “Risks”)
  • RISK:SG5.SP1 (changed from Develop Risk Mitigation Plans to Develop Risk Response Plans)
  • RISK:SG5.SP2 (changed from Implement Risk Strategies to Implement Risk Strategies and Plans)

Other Changes to PAs

Changes to practice statements and subpractices were made in a number of process areas.

Practice statements changed

  • AM:SG1.SP1
  • EC:SG4.SP5
  • RISK:SG3.SP2
  • RISK:SG4.SP2
  • SC:SG5.SP4
  • TM:SG1.SP2

Subpractice deleted

  • COMP:SG3.SP3 subpractice 1 (others were renumbered accordingly)

Subpractice added

  • EXD:SG2.SP1 (added to the end; #6)

Definition of Resilience Requirement Changed

The definition of resilience requirement was changed and is mentioned here because of its significance in the model.

New definition

For an asset, a characteristic or capability that it must possess or a condition that it must meet to ensure that it remains viable and sustainable as needed to support a service. More generally, a need, expectation, or obligation that the organization establishes to ensure resilience.

V1.1 definition

A constraint that the organization places on the productive capability of an asset to ensure that it remains viable and sustainable when charged into production to support a service.