Mapping the Cyber Resilience Review to the Financial Sector's Cybersecurity Assessment Tool
This post is also authored by Michael Rattigan and Robert A. Vrtis.
In 2013 the White House directed the nation's critical infrastructure sectors to improve their cybersecurity. The financial sector responded by publishing the Federal Financial Institutions Examination Council's (FFIEC) Cybersecurity Assessment Tool (CAT)--an extensive, thorough method for determining an institution's cyber posture and reporting compliance to regulators, keyed to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). A lightweight, voluntary, no-cost tool predates them both: the Cyber Resilience Review (CRR). To increase the CRR's value to the financial sector, we mapped it to the declarative statements of the FFIEC CAT. This post explains the mapping and why financial institutions should add the CRR as a first step in their cybersecurity improvement program.
Developed by the CERT Division of the Software Engineering Institute and first published in 2011 for the U.S. Department of Homeland Security, the Cyber Resilience Review is a derivative of the CERT Resilience Management Model (CERT-RMM). The CERT Division narrowed the CERT-RMM's 26 process areas down to the practices most closely associated with cybersecurity and crafted corresponding survey questions and maturity indicators. The result was the CRR: a one-day, facilitated or self-guided assessment instrument for critical infrastructure, anchored around 10 domains of cyber resilience:
Each domain is composed of a purpose statement, a set of domain-specific goals and associated practice questions, and a standard set of Maturity Indicator Level (MIL) questions. The MIL questions examine the degree to which the domain's cybersecurity practices are institutionalized within the organization, according to six maturity levels:
While the CRR predates the NIST CSF, the principles and recommended practices inherent in the CRR align closely with the central CSF tenets. More detail is available in the CRR to NIST CSF Crosswalk.
The financial industry's regulatory examination body (the FFIEC) published the Cybersecurity Assessment Tool in 2015, answering the call to provide financial institutions with more direct guidance for navigating an increasingly complex cyber risk landscape. The FFIEC CAT incorporates cybersecurity-related principles from the FFIEC Information Technology (IT) Examination Handbook and regulatory guidance as well as concepts from the NIST CSF.
The FFIEC CAT is designed to help management assess their institution's cybersecurity preparedness, evaluate whether that preparedness is aligned with the institution's inherent risks, and determine what risk management practices and controls are needed (or need enhancement) to achieve the desired state. It consists of two parts: the Inherent Risk Profile and Cybersecurity Maturity. By completing both parts, management can evaluate whether the institution's inherent risk and preparedness are aligned.
- The Inherent Risk Profile describes activities across risk categories with definitions for the lowest to highest levels of inherent risk. Inherent risk is the level of cybersecurity risk posed to the institution by technologies and connection types, delivery channels, online and mobile products and technology services, organizational characteristics, and external threats. It incorporates the type, volume, and complexity of the institution's operations as well as threats directed at the institution.
- Cybersecurity Maturity helps management measure the institution's level of risk and corresponding controls. The maturity levels are as follows:
At the core of the FFIEC CAT are cybersecurity maturity statements, which declare whether an institution's behaviors, practices, and processes can support cybersecurity preparedness. The statements roll up into assessment factors, which themselves compose five domains:
The CRR and the FFIEC CAT approach maturity differently, resulting in some nonintuitive mappings between CRR maturity practices and FFIEC statements. Fortunately, both tools have been mapped to the NIST CSF. Using the NIST CSF as a Rosetta stone, we created the initial CRR-CAT mapping. Starting with the CAT, we compared each declarative statement and its corresponding NIST CSF mapping to the CRR practices to determine whether there was a functional match. To do this, we asked the following questions:
- If an organization can claim that a CAT declarative statement accurately describes the practices it performs, is it likely that the corresponding CRR practice question would be answered "Yes" based on the question guidance provided for that practice?
- Would other CRR practice questions also be answered "Yes"?
- Should the CRR guidance be modified to reflect specific controls or concerns of the sector without changing the question?
- Is there an adequate mapping to the CRR? If not, the statement was identified as a gap.
Roughly two-thirds of the FFIEC CAT declarative statements did not have corresponding NIST CSF mappings. The CAT is built from a number of declarative statements that address similar concepts across the FFIEC-defined maturity levels. For those statements, we worked from our interpretation of each CAT statement and examined the CRR questions and question guidance across all domains to identify the CRR questions that gave the most complete functional match, consistent with the NIST CSF mappings.
FFIEC CAT/CRR Mapping
The table below shows just the first portion of the mapping of the CRR to the FFIEC CAT.
To see all 10 CRR domains mapped to all five CAT domains, download our technical note A Mapping of the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) to the Cyber Resilience Review (CRR).
Financial services organizations can use the CRR to quickly gauge their cybersecurity baseline against--and perhaps in preparation for--the FFIEC CAT. The CRR can also give a sense of the organization's cyber posture as compared to the NIST CSF, the emerging de facto standard for cybersecurity readiness. The CRR also provides options for consideration to close gaps in cyber resilience capabilities and maturity. CRR Implementation Guides provide in-depth guidance on practice implementation for each of the 10 CRR domains--a veritable "how-to guide" to aligning with the FFIEC CAT and NIST CSF.
Other sectors can benefit from the CERT Division's mappings of the CRR to different practice models and sector-specific guidance. The CRR's flexibility makes it a useful tool for cyber improvement efforts across the nation's critical infrastructure.