Richard Caralli

Pittsburgh, Pennsylvania, United States

Experience

  • Axio

    New York, New York, United States

  • -

    New York, New York, United States

  • -

    Pittsburgh, Pennsylvania, United States

  • -

    Greater Pittsburgh Area

  • -

    Greater Pittsburgh Area

  • -

    Greater Pittsburgh Area

  • -

    Greater Pittsburgh Area

  • -

    Greater Pittsburgh Area

  • -

    Greater Pittsburgh Area

  • -

    Greater Pittsburgh Area

  • -

    Greater Pittsburgh Area

  • -

    Greater Pittsburgh Area

  • -

    Greater Pittsburgh Area

  • -

    Greater Pittsburgh Area

  • -

    Pittsburgh, PA

  • -

  • -

    Greater Pittsburgh Area

  • -

    Greater Pittsburgh Area

  • -

    Greater Pittsburgh Area

  • -

    Latrobe, PA

  • -

    Greater Pittsburgh Area

Education

Publications

  • Advancing Cybersecurity Capability Measurement Using the CERT-RMM Maturity Indicator Level Scale

    Carnegie Mellon Software Engineering Institute

    A maturity model is a set of characteristics, attributes, indicators, or patterns that represent progression and achievement in a particular domain or discipline. Maturity models typically have levels arranged in an evolutionary scale that defines measurable transitions from one level of maturity to another. The current version of the CERT® Resilience Management Model (CERT®-RMM v1.2) utilizes the maturity architecture (levels and descriptions) as provided in the Capability Maturity Model Integration (CMMI) constellation models to ensure consistency with CMMI. The spacing between maturity levels often causes CERT-RMM practitioners some difficulty. To address some of these issues, the CERT Division of Carnegie Mellon University’s Software Engineering Institute did a comprehensive review of the existing specific and generic goals and practices in CERT-RMM to determine if a better scale could be developed to help users of the model show incremental improvement in maturity without breaking the original intent of the CMMI maturity levels. This technical note presents the result: the maturity indicator level scale, or CERT-RMM MIL scale.

  • CERT Resilience Management Model: A Maturity Model for Improving Operational Resilience

    Addison-Wesley

    CERT® Resilience Management Model (CERT-RMM) is an innovative and transformative way to manage operational resilience in complex, risk-evolving environments. CERT-RMM distills years of research into best practices for managing the security and survivability of people, information, technology, and facilities. It integrates these best practices into a unified, capability-focused maturity model that encompasses security, business continuity, and IT operations. By using CERT-RMM, organizations can escape silo-driven approaches to managing operational risk and align to achieve strategic resilience management goals.

  • The CERT Resilience Management Model, version 1.0

    Carnegie Mellon Software Engineering Institute

    The CERT® Resilience Management Model (CERT-RMM) is an innovative and transformative way to approach the challenge of managing operational resilience in complex, risk-evolving environments. It is the result of years of research into the ways that organizations manage the security and survivability of the assets that ensure mission success. It incorporates concepts from an established process improvement community to allow organizations to holistically mature their security, business continuity, and IT operations management capabilities and improve predictability and success in sustaining operations whenever disruption occurs.


    This report describes the model’s key concepts, components, and process area relationships and provides guidance for applying the model to meet process improvement and other objectives. One process area is included in its entirety; the others are presented in outline form. All of the CERT-RMM process areas are available for download at www.cert.org/resilience.

  • Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process

    Carnegie Mellon Software Engineering Institute

    This technical report introduces the next generation of the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) methodology, OCTAVE Allegro. OCTAVE Allegro is a methodology to streamline and optimize the process of assessing information security risks so that an organization can obtain sufficient results with a small investment in time, people, and other limited resources. It leads the organization to consider people, technology, and facilities in the context of their relationship to information and the business processes and services they support. This report highlights the design considerations and requirements for OCTAVE Allegro based on field experience with existing OCTAVE methods and provides guidance, worksheets, and examples that an organization can use to begin performing OCTAVE Allegro-based risk assessments.

  • Introducing the CERT Resiliency Engineering Framework

    Carnegie Mellon Software Engineering Institute

    As security issues dominate news headlines and affect our daily lives, organizations need to improve their ability to protect and sustain their business-critical assets, people, information, technology, and facilities using human and financial resources efficiently and effectively. Traditional activities such as security and business continuity must not only be effective at achieving these goals but also must offer the organization increased capabilities for managing and controlling operational resiliency. Unfortunately, organizations often manage these activities in a reactive posture fraught with stove-piped organizational structures and poorly defined and measured goals. The result: potentially less-than-adequate operational resiliency to support business objectives. But organizations can vastly improve operational resiliency by viewing it as an engineering-based process that can be defined, managed, measured, and improved. This view ensures collaboration between security and business continuity activities toward common goals and considers the role of supporting activities such as governance, asset and risk management, and financial control. This report introduces the CERT Resiliency Engineering Framework as a foundational model that describes the essential processes for managing operational resiliency, provides a structure from which an organization can begin process improvement of its security and business continuity efforts, and catalyzes the formation of a community from which further definition of this emerging discipline can evolve.

  • Sustaining Operational Resiliency: A Process Improvement Approach to Security Management

    Carnegie Mellon Software Engineering Institute

    Organizations face an ever-changing risk environment. The risk that emanates from the day-to-day activities of the organization, operational risk, is the subject of increasing attention, particularly in the banking and finance industry, because of the potential to significantly disrupt an organization's pursuit of its mission. Security, business continuity, and IT operations management are activities that traditionally support operational risk management. But collectively, they also converge to improve the operational resiliency of the organization—the ability to adapt to a changing operational risk environment as necessary. Coordinating these efforts to sustain operational resiliency requires a process-oriented approach that can be defined, measured, and actively managed. This report describes the fundamental elements and benefits of a process approach to security and operational resiliency and provides a notional view of a framework for process improvement.

  • Information Asset Profiling

    Carnegie Mellon Software Engineering Institute

    The steadily increasing technical and environmental complexity of today's globally networked economy presents many obstacles to organizations as they attempt to protect their information assets. Information assets are constantly processed and combined to form new information assets. The line between ownership and custodianship of information assets blurs as information freely flows throughout an organization and often crosses outside organizational boundaries to other entities such as partners, customers, and suppliers. The CERT Survivable Enterprise Management group at the Software Engineering Institute developed the Information Asset Profiling (IAP) process as a tool to help organizations begin to address these security challenges.

  • Managing for Enterprise Security

    Carnegie Mellon Software Engineering Institute

    The authors offer a view of the changing environment in which security must be performed and, from their field work and research, itemize characteristics of common existing approaches to security that limit effectiveness and success. A "desired state" as a security target for the organization is outlined, and the organizational transformation that the authors believe is essential for approaching security as a business problem is presented. Finally, the authors describe their current work in exploring solutions that they believe will enable this transformation.

  • The Critical Success Factor Method: Establishing a Foundation for Enterprise Security Management

    Carnegie Mellon Software Engineering Institute

    The critical success factor method is a means for identifying these important elements of success. It was originally developed to align information technology planning with the strategic direction of an organization. However, in research and fieldwork undertaken by members of the Survivable Enterprise Management (SEM) team at the Software Engineering Institute, it has shown promise in helping organizations guide, direct, and prioritize their activities for developing security strategies and managing security across their enterprises. This report describes the critical success factor method and presents the SEM team's theories and experience in applying it to enterprise security management.

