
CERT Resilience Management Model Book Published by Addison-Wesley

Press Release

Pittsburgh, Pa., December 14, 2010—The CERT® Program of the Carnegie Mellon University Software Engineering Institute announced that the CERT Resilience Management Model (CERT®-RMM) Version 1.1 has been published by Addison-Wesley Professional. CERT-RMM, a maturity model for operational resilience, is the foundation for a process improvement approach to security, business continuity, and aspects of IT operations management. It establishes an organization's resilience management system: a collection of essential capabilities that the organization performs to ensure that its important assets stay productive in supporting business processes and services, even in the event of disruption.

“CERT-RMM is the only maturity model in the operational resilience space that is derived from the Capability Maturity Model Integration (CMMI) methodology,” says Richard Caralli, technical manager of the Resilient Enterprise Management team at CERT.

“The advantages that CERT-RMM gains from being related to CMMI are many,” he says. “In addition to complementary integration with an organization’s CMMI activities, they include the ability to extend CMMI process improvement investments into the operations phase of the lifecycle where assets are subjected to harsh risk environments; the ability to address resilience across the entire lifecycle; and, most importantly, the ability to characterize an organization’s operational resilience management program in terms of capability, which can be used as an indicator or predictor of how the organization will behave under times of stress. Since changing risk environments cause stress, higher levels of capability should translate to more predictable performance.”

CERT-RMM provides a process structure into which an organization’s best practices can be inserted and managed. The organization can then measure the achievement of process goals to verify that implemented practices are providing the expected results. The model

• provides a process definition, expressed in 26 process areas across four categories: enterprise management, engineering, operations management, and process management
• focuses on four essential operational assets: people, information, technology, and facilities
• includes processes and practices that define a scale of four capability levels for each process area: Incomplete, Performed, Managed, and Defined
• serves as a meta-model that includes references to common codes of practice such as ISO27000, ITIL, CobiT, and others such as BS25999 and ISO24762
• includes process metrics and measurements that can be used to ensure that operational resilience processes are performing as intended
• facilitates an objective measurement of capability levels via a structured and repeatable appraisal method

The model is currently being used by large manufacturing companies, federal civilian agencies, financial services firms, and other types of organizations.

Caralli presented more information about CERT-RMM in a recent CERT podcast, “How Resilient Is My Organization,” and an SEI webinar, which is now archived on the SEI website.

CERT-RMM V1.0 may be downloaded from the CERT website. Version 1.1 of CERT-RMM is only available in the book. A table of contents and sample pages from the book are available at Addison-Wesley’s InformIT website. Training in the model is available through the SEI course Introduction to the CERT Resilience Management Model. A certification and licensing program to become a lead appraiser using the model will be announced early next year.

About the Carnegie Mellon Software Engineering Institute and the CERT Program
The Software Engineering Institute (SEI) is a federally funded research and development center sponsored by the U.S. Department of Defense and operated by Carnegie Mellon University. The SEI helps organizations make measurable improvements in their software engineering capabilities by providing technical leadership to advance the practice of software engineering. For more information, visit the SEI website. The CERT Program serves as a center of enterprise and network security research, analysis, and training within the Software Engineering Institute. For more information, visit the CERT website.