Assessment Program Overview
A core component of the Cybersecurity and Infrastructure Security Agency (CISA) risk management mission is conducting security assessments in partnership with ICS stakeholders, including critical infrastructure owners and operators, ICS vendors, integrators, Sector-Specific Agencies, other Federal departments and agencies, SLTT governments, and international partners.
CISA works with these and other partners to assess various aspects of critical infrastructure (cybersecurity controls, control system architectures, and adherence to best practices supporting the resiliency, availability, and integrity of critical systems), and provides options for consideration to mitigate and manage risk.
CISA assessment products improve situational awareness and provide insight, data, and identification of control systems threats and vulnerabilities. Core assessment products and services include self-assessments using the Cybersecurity Evaluation Tool (CSET®), onsite field assessments, network design architecture reviews, and network traffic analysis and verification. The information gained from assessments also provides stakeholders with the understanding and context necessary to build effective defense-in-depth processes for enhancing cybersecurity.
Download PDF: FY 2016 Assessment Report
Download PDF: FY 2015 Assessment Report
Download PDF: FY 2014 Assessment Report
Private Sector Assessments
The CISA Assessment Team developed a Fact Sheet to explain the assessment offerings available to private sector entities.
Download PDF: Fact Sheet - Private Sector Assessments
The CISA Assessment Team developed a Fact Sheet to explain the assessment offerings available to Federal entities.
Download PDF: Fact Sheet - Federal Assessments
All information shared with NCCIC during the analysis and the report outcomes are confidential to the asset owner and protected by DHS as Protected Critical Infrastructure Information (PCII).
To schedule an assessment, please contact CISA Assessments at firstname.lastname@example.org, with "Assessment Request" in the Subject line.
Cyber Security Evaluation Tool
The Cyber Security Evaluation Tool (CSET®) is a Department of Homeland Security (DHS) product that assists organizations in protecting their key national cyber assets. It was developed by cybersecurity experts under the direction of CISA. The tool provides users with a systematic and repeatable approach to assessing the security posture of their cyber systems and networks. It includes both high-level and detailed questions related to all industrial control and IT systems.
The Cybersecurity Evaluation Tool (CSET®) is a software tool for performing cybersecurity assessments of an organization's enterprise and industrial control cyber systems. It was designed to help asset owners identify vulnerabilities and improve the organization's overall cybersecurity posture by guiding them through a series of questions that represent network security requirements and best practices. The presented requirement questionnaires are based on selected industry standards, common requirements, and the network diagram (or network topology and architecture). The CSET output is a prioritized list of recommendations for improving the cybersecurity posture of the organization's enterprise and industrial control cyber systems. The tool derives the recommendations from a database of cybersecurity standards, guidelines, and practices.
CSET® has been designed for easy installation and use on a stand-alone laptop or workstation. It incorporates a variety of available standards from organizations such as NIST, North American Electric Reliability Corporation (NERC), Transportation Security Administration (TSA), U.S. Department of Defense (DoD), and others. When the tool user selects one or more of the standards, CSET opens a set of questions to be answered. The answers to these questions are compared against a selected security assurance level, and a detailed report is generated that shows areas for potential cybersecurity improvement. CSET provides an excellent means to perform a self-assessment of the security posture of your control system environment.
- Contributes to an organization's risk management and decision-making process.
- Raises awareness and facilitates discussion on cybersecurity within the organization.
- Highlights vulnerabilities in the organization's systems and provides recommendations on ways to address them.
- Identifies areas of strength and best practices being followed in the organization.
- Provides a method to systematically compare and monitor improvement in the cyber systems.
- Provides a common industry-wide tool for assessing cyber systems.
How to Obtain CSET
All new releases of CSET can be found on the CSET GitHub page and can be downloaded at the following link: Download CSET here