Asset Management (AM)

Purpose: To identify, document, and manage assets during their lifecycle to ensure sustained productivity to support critical services.

Asset management establishes an organization’s inventory of high-value assets and defines how these assets are managed during their lifecycle to ensure sustained productivity in support of the organization’s critical services. Asset Management (AM) defines four broad categories of assets:

  1.  People: to operate and monitor the service
  2.  Information and data: to feed the process and to be produced by the service
  3.  Technology: to automate and support the service
  4.  Facilities: in which to perform services

An event that disrupts an asset can inhibit the organization from achieving its mission. An asset management program helps identify appropriate strategies that will allow the assets to maintain productivity during disruptive events.

The Asset Management domain focuses on the processes by which an organization . . .

  • Plans for Asset Management
  • Identifies Assets
  • Documents Assets
  • Manages Assets (including stewardship roles and succession readiness)

 . . . within the organization. The Asset Management Domain focuses on defining how assets are related to the services that allow an organization to achieve its mission. An organization’s assets require various levels of management and staff to plan, identify, document, and manage.

Controls Management (CM)

Purpose: To identify, analyze, and manage controls in a critical service’s operating environment.

The Controls Management domain focuses on the processes by which an organization plans, defines, analyzes, and assesses the controls that are implemented internally to ensure that controls management objectives are satisfied across the enterprise.

The Controls Management (CM) domain focuses on the resilience controls that allow an organization to operate during a time of stress, rather than on financial controls concerning an organization’s budgets or return on investment. These resilience controls are implemented in the organization at all levels and require various levels of management and staff to plan, define, analyze, and assess.

Internal control is a governance process used by an organization to ensure effective and efficient achievement of organizational objectives and to provide reasonable assurance of success. The Controls Management domain provides a structure for the organization to identify control objectives and establish controls to meet those objectives. The Controls Management domain also addresses the importance of analyzing and assessing those controls to ensure that the process is constantly being improved.

Configuration and Change Management (CCM)

Purpose: To establish processes to ensure the integrity of assets, using change control and change control audits.

An organization’s asset infrastructure is constantly evolving as technology changes, information is updated, and new personnel are hired. The Configuration and Change Management domain addresses how an organization can implement processes and procedures that manage assets and ensure that changes made to those assets are minimally disruptive to the organization.

Configuration and Change Management (CCM) is the process of maintaining the integrity of hardware, software, firmware, and documentation related to the configuration and change management process. CCM is a continuous process of controlling and approving changes to information or technology assets or related infrastructure that support the critical services of an organization. This process includes the addition of new assets, changes to assets, and the elimination of assets.

As the complexity of information systems increases, the complexity of the processes used to create these systems also increases, as does the probability of accidental errors in configuration. The impact of these errors puts data and systems that may be critical to business operations at significant risk of failure that could cause the organization to lose business, suffer damage to its reputation, or close completely. Having a CCM process to protect against these risks is vital to the overall security posture of the organization.

Vulnerability Management

Purpose: To identify, analyze, and manage vulnerabilities in a critical service’s operating environment.

Vulnerability is the susceptibility of an asset, and the associated critical service, to disruption. Vulnerabilities can result in operational risks and must be identified and managed to avoid disruptions to the critical service’s operating environment. A vulnerability management process identifies and analyzes vulnerabilities before they are exploited and informs the organization of threats that must be analyzed in the risk management process to determine whether they pose tangible risk to the organization based on the organization’s risk tolerance.

Identifying a vulnerability means identifying the feature or condition that, if exploited by a threat (natural or man-made), renders an entity (i.e., an entire organization or any of its constituent parts) susceptible to a risk. Vulnerability Management focuses on specific critical services of the organization. Each aspect of the service is analyzed in terms of the assets that support it. A vulnerability in the service results from a vulnerability in one or more of its assets. Assets are divided into the categories of people, information, technology, and facilities.

Vulnerability management is a key component in planning for and determining the appropriate implementation of controls and the management of risk. It is reasonable to say that vulnerability management is central to cyber resilience.

Incident Management (IM)

Purpose: To establish processes to identify and analyze events, detect incidents, and determine an organizational response.

Disruptions to an organization’s operating environment regularly occur. The Incident Management domain examines an organization’s capability to recognize potential disruptions, analyze them, and determine how and when to respond.

Disruptions to an organization’s operations may occur regularly and can scale from so small that the impact is essentially negligible to so large that they could prevent an organization from achieving its mission. The required responses to these disruptive events must scale similarly. Some events may not require a formal response by the organization and can be effectively ignored or handled at the individual level following standard operating procedures. For example, a workstation may lock up, and may only require the individual workstation owner to perform a simple reboot. Other disruptive events require the entire organization to mobilize resources. Examples of events whose management may require significant resource investment include natural disasters, loss of a primary data center, a cyber-attack that disrupts critical organizational infrastructure, or any event that affects the organization’s ability to deliver critical services.

The process of detecting, analyzing, responding to, and improving from disruptive events is the practice of incident management. The goal of incident management is to mitigate the impact of a disruptive event. To accomplish this goal, an organization establishes processes that:

  • detect and identify events
  • triage and analyze events to determine whether an incident is underway
  • respond and recover from an incident
  • improve the organization’s capabilities for responding to a future incident

Service Continuity Management (SCM)

Purpose: To ensure the continuity of essential operations of services and their associated assets if a disruption occurs as a result of an incident, disaster, or other event.

The process of assessing, prioritizing, planning and responding to, and improving plans to address disruptive events is known as Service Continuity. The goal of service continuity is to mitigate the impact of disruptive events by utilizing tested or exercised plans that facilitate predictable and consistent continuity of the critical services.

Service continuity planning is one of the more important aspects of resilience management because it provides a process for preparing for and responding to disruptive events, whether natural or man-made. Operational disruptions may occur regularly and can scale from so small that the impact is essentially negligible to so large that they could prevent an organization from achieving its mission. Services that are most important to an organization’s ability to meet its mission are considered essential and are focused on first when responding to disruptions. The process of identifying and prioritizing services and the assets that support them is foundational to service continuity and needs to be addressed in the organization’s business impact analysis (BIA).

Service continuity planning provides the organization with predefined procedures for sustaining essential operations in varying adverse conditions, from minor interruptions to large-scale incidents. For example, a power interruption or failure of an IT component may necessitate manual workaround procedures during repairs. A data center outage or loss of a business or facility housing essential services may require the organization to recover business or IT operations at an alternate location.

To accomplish this goal, an organization establishes processes that:

  • establish the service continuity program
  • perform service continuity planning
  • validate and exercise or test service continuity plans
  • improve service continuity

Risk Management (RM)

Purpose: To identify, analyze, and mitigate risks to critical service assets that could adversely affect the operation and delivery of services.

Risk Management is a foundational activity for any organization and is practiced at all levels, from the executives down to individuals within business units. Risk Management focuses on risks to cyber-dependent operations that have the potential to interrupt delivery of the critical service being examined. While Risk Management focuses on operational risk, it is important to note that operational risk management requires a comprehensive approach to be effective.

The Risk Management domain focuses on the processes by which an organization identifies, analyzes, and mitigates risks in order to affect the probability of their realization and/or the impact of a disruption. Organizations must manage many different types of risk to remain effective and achieve their objectives. Cyber risk management needs to be incorporated at the enterprise risk management level.

Organizations must identify the operational risks to which they are exposed and analyze them to determine the extent to which they might impact their mission. Once this is accomplished, these risks must then be dealt with (e.g., avoided, accepted, monitored, transferred, or mitigated) in a way that is commensurate with the organization’s risk tolerances. This requires an approach that balances strategies for protecting assets from disruption against strategies for sustaining assets and services when a disruption occurs.

To effectively manage operational risk, organizations should establish processes that:

  • identify risks to which the organization is exposed
  • analyze risks and determine appropriate risk disposition
  • control risks to reduce probability of occurrence and/or minimize impact
  • monitor risks and responses to risks and improve the organization’s capabilities for managing current and future risks

External Dependencies Management (EDM)

Purpose: To establish processes to manage an appropriate level of controls to ensure the sustainment and protection of services and assets that are dependent on the actions of external entities.

The outsourcing of services, development, and production has become a normal and routine part of operations for many organizations because outsourcing can engage specialized skills and equipment at a cost savings over internal options. The External Dependencies Management domain presents a method for an organization to identify and prioritize those external dependencies and then focuses on managing and maintaining those dependencies. External Dependencies Management (EDM) focuses on establishing an appropriate level of controls to manage the risks that originate from or are related to the organization’s dependence on these external entities. The purpose of EDM is to ensure the protection and sustainment of services and assets that are dependent on the actions of external entities.

External Dependencies Management focuses on the lifecycle of EDM, including planning the activity, forming new relationships with external entities, managing existing relationships, and monitoring and improving the activity to refine the organization’s approach to planning, implementing, and improving external dependencies.

Operational resilience is an organization’s ability to adapt to risk that affects its core operational capabilities. Like any organization, the external entities that the organization depends on may be susceptible to a diverse and dynamic array of threats, which can negatively affect the dependent organization’s people, information, technology, and facility assets and consequently the organization’s ability to meet its objectives. The key challenge for many organizations is their limited ability to ensure the resilience of the external entities they rely on.

Identifying, prioritizing, and managing relationships with external entities over their entire lifecycle are foundational activities for the development of effective risk mitigation and disposition strategies. To effectively manage external dependencies, organizations should establish:

  • a strategy and basic plan for EDM
  • key processes for identifying, prioritizing, monitoring, and tracking external dependencies
  • guidance and procedures on the formation of relationships with external entities
  • an approach for managing and governing existing external entity relationships
  • ongoing oversight, reporting, and correction of external entity performance
  • an approach for improving the organization’s EDM processes and program

Like many key resilience practices, EDM should be thought of as a planned, continuous process. Effective EDM requires standard, planned guidance across the entire lifecycle of external entity relationships and continuous monitoring and improvement of the approach.

Training and Awareness (TA)

Purpose: The purpose of Training and Awareness is to develop skills and promote awareness for people with roles that support the critical service.

Training and awareness focuses on the processes by which an organization plans, identifies needs for, conducts, and improves training and awareness to ensure the organization’s operational cyber resilience requirements and goals are known and met. An organization plans for and conducts training and awareness activities that make staff members aware of their role in the organization’s cyber resilience concerns and policies. Staff members also receive specific training to enable them to perform their roles in managing organizational cyber resilience.

Focus is given to staff members receiving specific training to enable them to perform their roles in managing organizational cyber resilience. Though Training and Awareness focuses on training and awareness for cyber resilience activities, these activities should integrate with and support the organization’s overall training and awareness program. If the organization already has training or awareness programs, it is important that they include cyber resilience. Existing programs can use their established information gathering processes, capability building, evaluation methods, record keeping, and improvement activities to support cyber resilience training and awareness.

The training and awareness domain focuses on general awareness, skill building, and ongoing training. Training refers to a set of activities that focuses on staff members learning the skills and gaining the knowledge needed to perform their roles and responsibilities in support of their organization’s resilience program. Awareness activities focus on staff members developing an understanding of resilience issues, concerns, policies, plans, and practices.

Situational Awareness (SA)

Purpose: To actively discover and analyze information related to immediate operational stability and security and to coordinate such information across the enterprise to ensure that all organizational units are performing under a common operating picture.

Situational awareness activities are performed throughout the organization to provide timely and accurate information about the current state of operational processes. Activities must support communication with a variety of internal and external stakeholders to support the resilience requirements of the critical service.

Situational awareness provides an organization an understanding of its critical service’s operating environment and the environment’s impact on the operation of the critical service. This understanding provides stakeholders with a sufficiently accurate and up-to-date understanding of the past, current, and projected future state of a critical service and supports effective decision making in the context of a common operating environment. This includes understanding the assets and other services that affect or depend on the critical service. The representation or picture of the state of a critical service (including the condition of its supporting assets, the performance of its high-value physical and cyber processes, and events detected and responded to by its physical and cybersecurity safeguards) is presented to stakeholders in the context of the threat environment (internal and external) and the resulting risks to the critical service’s mission.

Situational Awareness focuses on the following situational awareness activities:

  • collecting and analyzing data on external threats
  • identifying suspicious behavior of potential internal threats
  • communicating threat information
  • participating in threat-sharing communities