Carnegie Mellon Software Engineering Institute Announces Release of the CERT Resiliency Engineering Framework

Press Release

SEI Media Relations:
  Kelly Kimberland, APR
  Tel: 412-268-4793

FSTC Media Relations:
  Bill Dorfmann
  Tel: 781-235-3424

Collaboration with Financial Services Technology Consortium results in new model for security and business continuity management

PITTSBURGH, PA, March 26, 2008—The Carnegie Mellon Software Engineering Institute (SEI) CERT Program, together with the Financial Services Technology Consortium (FSTC), today announced the availability of the CERT® Resiliency Engineering Framework. This framework provides a comprehensive roadmap that enables organizations of all sizes to establish, manage, and evaluate operational resiliency, which encompasses both security and business continuity.

The CERT Resiliency Engineering Framework (REF) embodies methods and guidelines that have been developed and proven in practice over the last 20+ years by the SEI, combined with security and business continuity expertise gained through the SEI's collaboration with FSTC.

"Our collaboration with FSTC over the past couple of years has enabled the SEI to develop and release a roadmap specifically designed for organizations to be flexible and straightforward to implement across all sizes of enterprises and their suppliers," said Rich Caralli, technical lead for the CERT REF project. "REF is based not only on our own experience. FSTC provided us with unparalleled access to some of the best practitioners in the security and business continuity space."

"Operational resiliency and effective risk management continue to be a priority for all of us in the financial services industry," said Dan Schutzer, Executive Director of the Financial Services Technology Consortium. "The Resiliency Engineering Framework provides a compelling new tool to measure and improve resiliency for organizations and their suppliers."

The framework consists of over 20 comprehensive capability modules, giving organizations the flexibility to implement as few or as many as their needs and strategies require. Benchmarking against the framework will help organizations optimize their operational resiliency investments, make objective peer-to-peer comparisons in their industry sector, and select capable third-party suppliers.

"The release of REF represents a significant milestone in giving organizations a roadmap to evaluate and manage their operational risk and resiliency capability," said Charles Wallen, Managing Executive of FSTC's Business Continuity Standing Committee. "This comprehensive Framework provides the basis for objective appraisals to benchmark an organization's resiliency activities and those of third-party suppliers."

"This gives the community a common, objective, and comparable measurement of business continuity and security capabilities," added David White, one of the REF developers at CERT. "We are already seeing a tremendous amount of interest in it from companies all over the world."

Operational resiliency is a board-level issue that affects shareholder value and requires a strategic refocusing of disciplines such as business continuity, information security, and operations. Organizations need innovations to successfully manage these converging disciplines and to address operational risk. FSTC and CERT are focused on meeting these evolving requirements by introducing a process improvement approach that grows with the organization as it develops its capabilities and encounters ever-changing risk environments.

REF is available for immediate download from the CERT website at This is the first public version of the framework, and public review and comment are welcome. Instructions are available on the website for how to provide comments.

About the Carnegie Mellon Software Engineering Institute CERT Program
The CERT Program is part of the Carnegie Mellon Software Engineering Institute (SEI), a federally funded research and development center sponsored by the U.S. Department of Defense. CERT is a center of enterprise and network security research, analysis, and training within the SEI. For more information, visit the CERT Web site at and the SEI Web site at

About FSTC
FSTC brings together diverse and often competitive financial institutions, industry services providers, government agencies, and others to collaborate and find solutions to key industry challenges. Project topics come from member financial institutions and are driven by participating members with the support of FSTC staff.