MITRE released the Cyber Resiliency Engineering Framework (CREF) Navigator — a free, visualization tool that allows organizations to customize their cyber resiliency goals, objectives, techniques, as aligned with NIST SP 800-160, Volume 2 (Rev. 1), National Institute of Standards and Technology’s (NIST) publication on developing cyber-resilient systems.
“Resiliency is the ultimate goal of cybersecurity,” said Wen Masters, VP, cyber technologies, MITRE. “Information and communications systems and those who depend on them must be resilient in the face of persistent, stealthy, and sophisticated cyber-attacks. While resilience is sometimes described as an emergent property, resilience in the face of cyber threats must be engineered.”
As with many of MITRE’s resources for cyber defenders that are developed in the public interest, the CREF Navigator is freely available to the greater cyber community.
“We’ve taken the original cyber resiliency framework we created with NIST and now made it searchable and visualized,” said Shane Steiger, principal cybersecurity engineer, MITRE. “This relational database enables engineers to make educated and informed choices while designing resilient cyber solutions.”
The principles of the CREF framework follow four guiding pillars:
- Anticipate: maintain a state of informed preparedness in order to forestall compromises of mission/business functions from adversary attacks,
- Withstand: continue essential mission/business functions despite successful execution of an attack by an adversary,
- Recover: restore mission/business functions to the maximum extent possible after successful execution of an attack by an adversary, and
- Adapt: to change mission/business functions and/or the supporting cyber capabilities so as to minimize adverse impacts from actual or predicted adversary attacks.
“During the last year of development, we integrated the CREF Navigator with MITRE ATT&CK techniques and mitigations found in ATT&CK and NIST SP 800-160 Volume 2 (Rev. 1) Appendices. We also are using the Navigator to encourage engineers to characterize their cyber resiliency capabilities,” added Steiger. “We plan to keep evolving the Navigator as the discipline of cyber resiliency engineering matures.”
Future enhancements to the CREF Navigator are planned to provide additional automated support for organizations interested in building stronger defenses for their critical infrastructure.
As part of its relationship with NIST, MITRE operates the nation’s only federally funded research and development center (FFRDC) dedicated solely to cybersecurity, the National Cybersecurity Federally Funded Research and Development Center (NCF).
Sponsored by NIST, the NCF helps organizations address their most pressing cybersecurity needs and supports the success of the National Cybersecurity Center of Excellence (NCCoE)—a collaborative hub where government, industry, and academia are building practical solutions to meet the real challenges businesses face each day.