Cybersecurity Assessments

To help state and local election officials ensure the cybersecurity of election infrastructure, CISA offers a range of cybersecurity assessments that evaluate operational resilience, cybersecurity practices, organizational management of external dependencies, and other key elements of a robust cybersecurity framework. These services are available upon request at no cost to state and local election jurisdictions. CISA's cybersecurity assessment services are offered solely on a voluntary basis.

Cyber Resilience Review

The Cyber Resilience Review (CRR) is an interview-based assessment that evaluates an organization's operational resilience and cybersecurity practices. The assessment is derived from the CERT Resilience Management Model (CERT-RMM), a process improvement model for managing operational resilience developed by Carnegie Mellon University's Software Engineering Institute. The Cyber Resilience Review evaluates the maturity of an organization's capacities and capabilities in performing, planning, managing, measuring, and defining cybersecurity practices across the following 10 domains:

  1. Asset Management
  2. Controls Management
  3. Configuration and Change Management
  4. Vulnerability Management
  5. Incident Management
  6. Service Continuity Management
  7. Risk Management
  8. External Dependency Management
  9. Training and Awareness
  10. Situational Awareness

Receiving a Cyber Resilience Review gives an organization a more robust awareness of its cybersecurity posture by providing and facilitating the following:

  • Improved enterprise-wide awareness of the need for effective cybersecurity management
  • A review of capabilities essential to the continuity of critical services during operational challenges and crises
  • Integrated peer performance comparisons for each of the 10 domains covered in the assessment
  • A comprehensive final report that includes options for improvement

This assessment is available as a self-assessment or as a CISA-facilitated assessment. For additional information, consult the Election Infrastructure Security Resource Guide or visit www.us-cert.gov/ccubedvp/assessments. To schedule a facilitated assessment, contact cyberadvisor@hq.dhs.gov.

No data collected during this assessment will be used for regulatory purposes or publicly disclosed.

External Dependencies Management Assessment

The External Dependencies Management (EDM) Assessment is an interview-based assessment that evaluates an organization's management of external dependencies. The assessment focuses on the relationship between an organization's high-value services and the assets that support them (people, technology, facilities, and information) and evaluates how the organization manages the risks arising from its use of the Information and Communications Technology (ICT) supply chain to deliver those services. The External Dependencies Management Assessment evaluates the maturity and capacity of an organization's external dependency risk management across the following three areas:

  1. Relationship formation
  2. Relationship management and governance
  3. Service protection and sustainment

Participating in an External Dependencies Management Assessment gives an organization an informed understanding of its ability to respond to external dependency risks by providing and facilitating the following:

  • An opportunity for internal discussion of vendor-related issues and of the organization's reliance on external entities to provide its services
  • Improvement options for consideration derived from recognized standards and best practices
  • A comprehensive report on the organization's third-party risk management practices and capabilities that includes peer performance comparisons

For additional information, consult the Election Infrastructure Security Resource Guide. To schedule an assessment, contact cyberadvisor@hq.dhs.gov.

No data collected during this assessment will be used for regulatory purposes or publicly disclosed.

Cyber Infrastructure Survey

The Cyber Infrastructure Survey evaluates the effectiveness of organizational security controls, cybersecurity preparedness, and the overall resilience of an organization's cybersecurity ecosystem. The survey provides a service-based view of cybersecurity, as opposed to a programmatic view. An organization's critical services are assessed against more than 80 cybersecurity controls grouped into the following 5 top-level domains:

  1. Cybersecurity Management
  2. Cybersecurity Forces
  3. Cybersecurity Controls
  4. Cybersecurity Incident Response
  5. Cybersecurity Dependencies

After completing the survey, the organization receives a user-friendly dashboard for reviewing the results and findings. Completing the Cyber Infrastructure Survey provides an organization with the following:

  • Effective assessment of critical service cybersecurity controls
  • Interactive dashboard to support cybersecurity planning and resource allocation
  • Peer performance data visually depicted on the dashboard

For additional information, consult the Election Infrastructure Security Resource Guide. To schedule a Cyber Infrastructure Survey, contact cyberadvisor@hq.dhs.gov.

No data collected during this assessment will be used for regulatory purposes or publicly disclosed.

Phishing Campaign Assessment

The Phishing Campaign Assessment (PCA) evaluates an organization’s susceptibility and reaction to phishing emails of varying complexity.

After the assessment, the organization receives a Phishing Campaign Assessment Report that reports organizational click rates for each type of phishing email used and summarizes metrics describing how likely the organization is to fall victim to phishing attacks.

For additional information, consult the Election Infrastructure Security Resource Guide. To schedule a Phishing Campaign Assessment, contact ncciccustomerservice@hq.dhs.gov.

Risk and Vulnerability Assessment

A Risk and Vulnerability Assessment (RVA) collects data through onsite assessment and combines it with national threat and vulnerability information to provide an organization with actionable remediation recommendations prioritized by risk. The assessment is designed to identify vulnerabilities that adversaries could exploit to compromise network security controls. Methodologies that a Risk and Vulnerability Assessment may incorporate include the following:

  • Scenario-based network penetration testing
  • Web application testing
  • Social engineering testing
  • Wireless testing
  • Configuration reviews of servers and databases
  • Detection and response capability evaluation

After completing the Risk and Vulnerability Assessment, the organization receives a final report that includes recommendations for business executives, specific findings with potential mitigations, and technical attack path details. An optional debrief presentation summarizing preliminary findings and observations is also available.

For additional information, consult the Election Infrastructure Security Resource Guide. To schedule a Risk and Vulnerability Assessment, contact ncciccustomerservice@hq.dhs.gov.

Remote Penetration Testing

Remote Penetration Testing (RPT) uses a dedicated remote team to identify vulnerabilities along exploitable pathways and to recommend mitigations. While similar to a Risk and Vulnerability Assessment, Remote Penetration Testing focuses entirely on externally accessible systems. Methodologies that Remote Penetration Testing may incorporate include the following:

  • Scenario-based external network penetration testing
  • External web application testing
  • Phishing Campaign Assessment

After completing Remote Penetration Testing, the organization receives a final report that includes recommendations for business executives, specific findings with potential mitigations, and technical attack path details. An optional debrief presentation summarizing preliminary findings and observations is also available.

For additional information, consult the Election Infrastructure Security Resource Guide. To schedule Remote Penetration Testing, contact ncciccustomerservice@hq.dhs.gov.

Vulnerability Scanning

CISA offers vulnerability scanning (formerly known as Cyber Hygiene scanning) of internet-accessible systems for known vulnerabilities on a continuous basis. As potential vulnerabilities are identified, CISA notifies the organization so that it can mitigate them before they are exploited.

After enrolling in Vulnerability Scanning, the organization receives the following:

  • Weekly vulnerability reports detailing current and previously mitigated vulnerabilities, with recommendations for mitigating the vulnerabilities uncovered during scans
  • Special reporting and notices derived from enhanced scans
  • Engineering support

For additional information, consult the Election Infrastructure Security Resource Guide. To schedule Vulnerability Scanning, contact ncciccustomerservice@hq.dhs.gov.

Validated Architecture Design Review

The Validated Architecture Design Review (VADR) combines an architecture and design review, a system configuration review, a log file review, and analysis of network traffic to build a detailed representation of the communications, flows, and relationships between devices, with the aim of identifying anomalous communication flows.

After the review, the organization receives an in-depth report that includes key findings and practical recommendations for improving operational maturity and cybersecurity posture.

For additional information, consult the Election Infrastructure Security Resource Guide. To schedule a Validated Architecture Design Review, contact ncciccustomerservice@hq.dhs.gov.

Cyber Security Evaluation Tool (CSET®)

The Cyber Security Evaluation Tool (CSET®) is a stand-alone desktop application that guides asset owners and operators through a systematic process of evaluating the security of their Operational Technology and Information Technology.

After completing the evaluation, the organization receives reports that present the assessment results in both summarized and detailed form. The organization can filter and rearrange the report content to analyze findings at varying levels of granularity.

For additional information on CSET®, consult the Election Infrastructure Security Resource Guide or visit https://www.ics-cert.us-cert.gov. To request a physical copy of the software, contact ncciccustomerservice@hq.dhs.gov.
