
Assessment Tools and Information

Cyber Chain Portal-Based Assessment Tool — This portal, managed by the University of Maryland Robert H. Smith School of Business Supply Chain Management Center, provides risk assessment tools, scenario-based mapping tools, anonymous information sharing, and assessments to calculate factors such as vulnerability and risk maturity capability. Tools also enable diagnosis of IT supply chain trouble spots and areas for improvement based on NIST guidelines.

Cyber Resilience Review (CRR) Self-Assessment Package — This self-assessment package covers:

· Asset Management
· Controls Management
· Configuration and Change Management
· Vulnerability Management
· Incident Management
· Service Continuity Management
· Risk External Dependencies Management
· Training and Awareness Management
· Situational Awareness Management

Cyber Infrastructure Survey Tool (CIST) — This half-day assessment produces an interactive dashboard and planning resource for enhancing a company’s cyber security posture, preparedness and protective capabilities. It is typically done in conjunction with a Cyber Protection Visit by the DHS Area Cyber Security Advisor.

For more information, email:

Cybersecurity Vulnerability Assessments through the Control Systems Security Program (CSSP) — CSSP provides on-site support to critical infrastructure asset owners by assisting them in performing a security self-assessment of their enterprise and control system networks against industry-accepted standards, policies, and procedures.

To request on-site assistance, asset owners may contact

DHS Cyber Resiliency Review (CRR) — CRR is a DHS assessment tool that measures the implementation of key cybersecurity capacities and capabilities. The goal of the CRR is to ensure that core process-based capabilities exist, are measurable, and are meaningful as predictors for an organization’s ability to manage cyber risk.

For more information, contact the DHS Computer Security Evaluation program (CSEP) at

US CERT Cyber Resilience Review (CRR) — The CRR is a no-cost, voluntary, non-technical assessment to evaluate an organization’s operational resilience and cyber security practices. The CRR may be conducted as a self-assessment or as an on-site assessment facilitated by DHS cyber security professionals. The CRR assesses enterprise programs and practices across a range of ten domains including risk management, incident management, service continuity, and others. The assessment is designed to measure existing organizational resilience as well as provide a gap analysis for improvement based on recognized best practices.

Industrial Control Systems (ICS) Technology Assessments — ICS Technology Assessments provides a testing environment to conduct baseline security assessments on industrial control systems, network architectures, software, and control system components. These assessments include testing for common vulnerabilities and conducting vulnerability mitigation analysis to verify the effectiveness of applied security measures.

For more information, contact

Information Technology Sector Risk Assessment (ITSRA) — ITSRA provides an all-hazards risk profile that public and private IT Sector partners can use to inform resource allocation for research and development and other protective measures which enhance the security and resiliency of the critical IT Sector functions.

For more information, contact

National Cyber security Assessment & Technical Services (NCATS) — NCATS leverages existing “best in breed” cyber security assessment methodologies, commercial best practices and integration of threat intelligence to provide cyber security stakeholders with decision-making and risk-management guidance and recommendations.

NCATS provides an objective third-party perspective on the current cyber security posture of the stakeholder’s unclassified operational/business networks. NCATS security services are available at no-cost to stakeholders and can range from one day to two weeks depending on the security services required.

For more information, contact:

National Security Agency (NSA) / Information Assurance Directorate (IAD) National Security Cyber Assistance Program — The NSA/IAD has established a National Security Cyber Assistance Program wherein commercial organizations can receive accreditation for cyber incident response services. This accreditation in Cyber Incident Response Assistance will validate that an organization has established processes, effective tools and knowledgeable people with the proper skill set and expertise to perform cyber incident response for national security systems.

Disclaimer of Endorsement

Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States, the Department of Homeland Security or the United States Coast Guard. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement purposes.

Disclaimer of Hyperlinks

The appearance of external hyperlinks does not constitute endorsement by the United States, the Department of Homeland Security or the United States Coast Guard of the linked web sites, or the information, products or services contained therein. For other than authorized DHS/USCG activities, the government does not exercise any editorial control over the information you may find at these locations. All links are provided with the intent of providing education, awareness and information concerning the issue of cyber security.

Disclaimer of Liability

With respect to documents available from this server, neither the United States, the Department of Homeland Security or the United States Coast Guard nor any of its employees, makes any warranty, express or implied, including the warranties of merchantability and fitness for a particular purpose, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights.









