Contents
Part One—About the CERT Resilience Management Model
1.1 The Influence of Process Improvement and Capability Maturity Models
1.4 Why CERT-RMM Is Not a Capability Maturity Model
2. Understanding Key Concepts in CERT-RMM
2.1.3 Managing Operational Resilience
2.2 Elements of Operational Resilience Management
2.2.5 Strategies for Protecting and Sustaining Assets
2.3 Adapting CERT-RMM Terminology and Concepts
3.1 The Process Areas and Their Categories
3.2 Process Area Component Categories
3.3 Process Area Component Descriptions
3.3.3 Related Process Areas Section
3.3.4 Summary of Specific Goals and Practices
3.3.5 Specific Goals and Practices
3.3.6 Generic Goals and Practices
3.5 Typographical and Structural Conventions
4.2 Objective Views for Assets
Part Two—Process Institutionalization and Improvement
5. Institutionalizing Operational Resilience Management Processes
5.2 Understanding Capability Levels
5.3 Connecting Capability Levels to Process Institutionalization
5.3.1 Capability Level 0: Incomplete
5.3.2 Capability Level 1: Performed
5.3.3 Capability Level 2: Managed
5.3.4 Capability Level 3: Defined
5.4 CERT-RMM Generic Goals and Practices
5.4.1 CERT-RMM Elaborated Generic Goals and Practices
5.5 Applying Generic Practices
5.6 Process Areas That Support Generic Practices
6.1.1 Supporting Strategic and Operational Objectives
6.1.2 A Basis for Evaluation, Guidance, and Comparison
6.1.3 An Organizing Structure for Deployed Practices
6.1.4 Model-Based Process Improvement
6.2 Focusing CERT-RMM on Model-Based Process Improvement
6.2.1 Making the Business Case
6.2.2 A Process Improvement Process
6.3 Setting and Communicating Objectives Using CERT-RMM
6.3.3 Capability Level Targets
6.4 Diagnosing Based on CERT-RMM
6.4.1 Formal Diagnosis Using the CERT-RMM Capability Appraisal Method
6.5 Planning CERT-RMM–Based Improvements
6.5.2 Planning Practice Instantiation
Using CERT-RMM in the Utility Sector
by Darren Highfill and James Stevens
Addressing Resilience as a Key Aspect of Software Assurance Throughout the Software Life Cycle
by Julia Allen and Michele Moss
Raising the Bar on Business Resilience
by Nader Mehravari, PhD
Measuring Operational Resilience Using CERT-RMM
by Julia Allen and Noopur Davis
Part Three—CERT-RMM Process Areas
Asset Definition and Management
External Dependencies Management
Incident Management and Control
Knowledge and Information Management
Organizational Process Definition
Organizational Training and Awareness
Resilience Requirements Development
Resilience Requirements Management
Resilient Technical Solution Engineering
Vulnerability Analysis and Resolution
A. Generic Goals and Practices