A Mapping of the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) to the Cyber Resilience Review (CRR)
Abstract
This technical note describes the methodology we used and the observations we made while mapping the declarative statements found in the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) to the practice questions found in the US-CERT Cyber Resilience Review (CRR). This mapping enables financial organizations to use CRR results not only to gauge their cyber resilience, but to examine their current baseline with respect to the FFIEC CAT and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). The mapping in this technical note is proposed by three senior engineers from the CERT Division of the Carnegie Mellon University Software Engineering Institute; these engineers are skilled in conducting CRRs and familiar with all practice questions and question guidance. Two also have the advantage of several years of experience in the financial sector. The team relied on their experience along with previous mappings of the CRR and FFIEC CAT to the NIST CSF to propose the mapping in this technical note.

The FFIEC published the CAT in June 2015 for financial institutions to use in assessing their cybersecurity readiness. The United States Department of Homeland Security (DHS) produced a similar assessment, the Cyber Resilience Review (CRR) version 2.0, in October 2011. The CRR is based on Carnegie Mellon University's CERT Resilience Management Model (RMM) and is used by DHS in support of Presidential Policy Directive PPD-21 [WH 2013a] to encourage the adoption of the NIST CSF. While the CRR predates the establishment of the NIST CSF, the inherent principles and recommended practices within the CRR align closely with the central tenets of the CSF. Both the CAT and the CRR instruments map well to the NIST CSF. PPD-21 required NIST to create the CSF, and both documents support the implementation.
Document Details
- Document Type: Technical Report
- Publication Date: Oct 01, 2016
- Accession Number: AD1045003
Entities
People
- Jeffrey L. Pinckard
- Michael Rattigan
- Robert A. Vrtis
Organizations
- Carnegie Mellon University