
How CERT RMM can benefit BC plans, resilience management strategies

With so many approaches to risk management and resilience management, it is difficult to decide which approach or strategy to take. This tip examines how a resilience management model such as the CERT Resilience Management Model (CERT RMM) can help you build a stronger business continuity plan that is consistent with best practices for operational resiliency.


CERT (originally the Computer Emergency Response Team, now the CERT Program) is part of the federally funded Software Engineering Institute (SEI) at Carnegie Mellon University. SEI earlier developed the internationally adopted Capability Maturity Model (CMM) to address process improvement in software development. Its successor, Capability Maturity Model Integration (CMMI), first released in 2000 and revised several times since, has superseded the original CMM and addresses process improvement in the development of products (hardware as well as software), the delivery of services and the acquisition of products and services. CERT has taken the same approach to the maturity of security and resiliency management with the CERT Resilience Management Model (CERT RMM).

What is a Resilience Management Model?

Consistent with the CMM and CMMI frameworks, the CERT RMM is a process improvement model for managing operational resiliency. It has two primary objectives. The first is to converge the operational risk and resiliency management activities that most organizations run as separate programs (security, business continuity and aspects of IT operations management) into a single model. The second is to give operational resiliency management a defined capability-level scale that expresses increasing levels of process improvement, so that capability can be measured and benchmarked rather than merely asserted.

Business continuity professionals can benefit from the RMM in that it addresses process-level improvement. Guidance from the RMM can help practitioners develop more robust business continuity plans and procedures by incorporating RMM elements into the overall BCM program structure as well as plans and procedures.

The CERT RMM has many uses for risk management, business continuity and other initiatives dealing with the protection of enterprise assets and operations. For example, it can be used as a:

  • Starting point for leveraging convergence across security, business continuity, and IT operations activities
  • Reference model for understanding the scope of managing operational resiliency
  • Dictionary of terminology to facilitate internal and external communication
  • Organizing construct for codes of practice, standards and regulations and a framework for compliance
  • Process improvement model to stimulate improvement efforts
  • Baseline for auditing an organization’s current capabilities
  • Guide for improvement in operating areas where an organization’s existing capabilities are not consistent with its desired state

CERT RMM features

Features of the CERT RMM include the following:

  • Provides process-level definitions across four categories: enterprise management, engineering, operations and process management
  • Expands the four categories into 26 process areas, referred to in this tip and in Figure 1 as capability areas (see Figure 1 "RMM capability areas" below)
  • Focuses on four essential operational assets: people, information, technology and facilities
  • Maps the processes and practices in each area to a capability-level scale. The published model (v1.0 and v1.1) defines four levels, 0 through 3: incomplete, performed, managed and defined; the higher CMMI-style levels (quantitatively managed and optimizing) are reserved but not elaborated
  • Serves as a meta-model that includes references to common codes of practice such as ISO 9000, the ISO 27000 series, ITIL Versions 2 and 3, COBIT, COSO, and others such as BS 25999, FFIEC guidance, NFPA 1600 and ISO 24762
  • Includes process metrics and measurements that can be used to confirm that operational resiliency processes are performing as intended
  • Supports objective measurement of capability levels through a structured and repeatable appraisal methodology

For business continuity professionals, the above items are invaluable when formulating a BCM program, business continuity management system, and outputs of these initiatives. Specifically, each item in the list represents a way for BCM professionals to improve the content, structure and quality of their programs and plans. Inclusion of the above items can also be useful when auditing plans and programs, as they add depth to the provisions found in major BCM standards, such as BS 25999, Parts 1 and 2, NFPA 1600:2010 and the new international standard ISO 22301.  

Figure 1: RMM capability areas

Requirements management
  • RRD – Resiliency Requirements Development
  • RRM – Resiliency Requirements Management

Asset resiliency management
  • EC – Environmental Control
  • KIM – Knowledge & Information Management
  • PM – People Management
  • TM – Technology Management

Asset management
  • ADM – Asset Definition and Management
  • EXD – External Dependencies

Establishing resiliency
  • SC – Service Continuity
  • CTRL – Controls Management
  • RTSE – Resilient Technical Solution Engineering

Threat, incident, and access management
  • AM – Access Management
  • ID – Identity Management
  • IMC – Incident Management & Control
  • VAR – Vulnerability Analysis & Resolution

Governance, risk and compliance
  • COMP – Compliance
  • EF – Enterprise Focus
  • RISK – Risk Management

Data collection and logging
  • MON – Monitoring

Supporting resiliency
  • COMM – Communications
  • FRM – Financial Resource Management
  • HRM – Human Resource Management
  • OTA – Organizational Training & Awareness

Process management
  • MA – Measurement and Analysis
  • OPD – Organizational Process Definition
  • OPF – Organizational Process Focus

Benefits of CERT RMM

The benefit of a framework for resiliency engineering is that it provides a baseline process description: a road map against which an organization can compare, analyze and improve its own practice. The framework is also a starting point for driving process improvement, an important aspect of which is the ability to recognize and measure capability improvement through process maturity.

The basic goals and practices documented in CERT RMM address the functional and practitioner-level aspects of resiliency engineering at an activity level. In other words, they focus on the body of resiliency engineering knowledge and practices across a wide range of organizational capabilities such as incident management and organizational training and awareness. Organizations can use this body of knowledge as a baseline for improving their overall resiliency management capability by identifying and considering process gaps.

Why use the CERT RMM?

The CERT RMM provides detailed process specifications for 26 distinct but interconnected resiliency-related processes, intended to give specific guidance for process development, improvement and maturity benchmarking. Adopting the model is meant to establish operational resiliency processes from the ground up, with a real basis for repeatability and process improvement rather than a one-time plan. Just as important, the model includes published crosswalks to most of the major standards and codes of practice listed above, so existing compliance work can be mapped into it rather than redone. Finally, the model was developed with U.S. Government funding and is freely available rather than proprietary (Carnegie Mellon retains the copyright), and it was developed in partnership with the Financial Services Technology Consortium (FSTC), which has funded projects to mature the model in line with the demanding requirements of the financial services industry. Those requirements translate readily to non-financial sectors.

As we have stated, business continuity professionals can use RMM elements to add value to their programs and plans. Use of the RMM will not simplify the development of plans and procedures, but it will provide relevant guidance and structure that can make plans consistent with best practices for operational resiliency, a key aspect of business continuity. Exercising business continuity plans is the best way to ensure that plans work as efficiently as possible, when needed. 

About this author: Paul Kirvan, CISA, CSSP, FBCI, CBCP, has more than 20 years' experience in business continuity management as a consultant, author and educator. He has been directly involved with dozens of IT/telecom consulting and audit engagements, ranging from governance program development to program exercising, execution and maintenance, and RFP preparation and response. Kirvan currently works as an independent business continuity consultant/auditor and is the secretary of the Business Continuity Institute USA chapter.
