Our Mission: We enable organizations to manage operational risks and ensure mission success by performing research, designing and developing models and techniques, and deploying capabilities that improve organizations' security and resilience posture.

Organizations cannot plan for every disruption. They need to be able to handle changes in their risk environment at a moment's notice and with a predictable level of performance. Organizations can no longer expect to prevent every cyber attack. They must be ready to continue operations and meet their mission when disruption occurs. To accomplish this mission, organizations must take a structured approach to managing security risks, business continuity, and information technology operations within the context of their business objectives. Our team of researchers, cyber risk specialists, and security governance experts works diligently to define best practices and provide methods for managing operational risk and resilience.

Using a resilience approach, organizations focus on managing risk to critical assets by optimizing both protection and continuity strategies to prepare for a broad range of outcomes. How can your organization become resilient?

We develop methods for analyzing your development lifecycle.

Our Complexity Modeling and Analysis research helps you analyze complexity and integration issues throughout the development lifecycle to ensure that development is proceeding as planned. We can also help you link security decisions to mission-critical needs.

We develop tools for measuring and analyzing software security.

Our Software Security Measurement and Analysis research, including our Integrated Measurement and Analysis Framework (IMAF) and Mission Risk Diagnostic (MRD) approaches, helps you establish and measure the confidence that a software-reliant product is sufficiently secure to meet operational needs.

Engage with Us

There are multiple opportunities for you to engage with us. We offer workshops, training, appraisals, and even opportunities to develop derivative models based on the CERT-RMM.

Publications & Media

A Mapping of the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) to the Cyber Resilience Review (CRR)
To help financial organizations assess cyber resilience, this technical note maps the FFIEC Cybersecurity Assessment Tool (CAT) to Cyber Resilience Review (CRR) questions.

Managing Third-party Risk in Financial Services Organizations: A Resilience-Based Approach
Applying key concepts from resilience management can help financial services organizations to manage cybersecurity risks from outsourcing and other third-party relationships and comply with federal regulations.

Intelligence Preparation for Operational Resilience (IPOR)
This SEI report describes Intelligence Preparation for Operational Resilience (IPOR), a framework for preparing intelligence that complements commonly used intelligence frameworks such as Intelligence Preparation of the Battlefield (IPB).

The SEI and the Pittsburgh Technology Council sponsored CYBURGH, PA, a one-day event where Pittsburgh organizations met to discuss pain points, barriers, and solutions related to cybersecurity. Its program is applicable to all audiences: corporations, small businesses, academic institutions, and the public sector, especially those interested in learning how to develop a secure cyber domain for their organization.

Structuring the Chief Information Security Officer Organization
In this September 2015 technical note, the authors describe how they defined a CISO team structure and functions for a national organization using sources such as CISOs, policies, and lessons learned from cybersecurity incidents.

CERT Resilience Management Model: A Maturity Model for Managing Operational Resilience
In this book, the authors present best practices for managing the security and survivability of people, information, technology, and facilities.

Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)
In this webinar, watch James Stevens discuss the "Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)" from the SEI Virtual Event, CERT Operational Resilience: Manage, Protect and Sustain.