CISA | DEFEND TODAY, SECURE TOMORROW

Guide to Getting Started with a Cybersecurity Risk Assessment
What is a Cyber Risk Assessment?
Cybersecurity (cyber) risk assessments assist public safety organizations in understanding the cyber risks to their operations (e.g., mission, functions, critical services, image, reputation), organizational assets, and individuals.[1] To strengthen operational and cyber resiliency, SAFECOM has developed this guide to help public safety communications systems operators, owners, and managers understand the steps of a cyber risk assessment. Included with this guide are customizable reference tables (pages two, three, and four) to help organizations identify and document the personnel and resources involved with each step of the assessment. Example entities and organizations are provided, but customization is advised.[2]
By conducting cyber risk assessments, public safety organizations may realize a number of benefits, such as meeting operational and mission needs, improving overall resiliency and cyber posture, and meeting cyber insurance coverage requirements. It is recommended that organizations conduct cyber risk assessments regularly, based on their operational needs, to assess their security posture. Each assessment establishes a baseline of cybersecurity measurements, and future results can be compared against that baseline to further improve overall cyber posture and resiliency and to demonstrate progress. Assessments can be conducted with internal resources or with external assistance. For instance, an organization may review vulnerabilities based on internal logging and audits of its internet-facing networks.
Additionally, organizations may also use external guides or services that provide different perspectives and highlight potential vulnerabilities. The Cybersecurity and Infrastructure Security Agency (CISA) provides cyber tools and cyber services that are available at no cost and without commitment to sharing outcomes, such as the Cyber Security Evaluation Tool (CSET®).[3] CISA's other offerings, such as the Cybersecurity Advisors, are available to federal, state, local, tribal, and territorial governments, critical infrastructure owners/operators, and private sector entities to help
[1] CISA, "QSMO Services – Risk Assessment," last accessed October 28, 2021. https://www.cisa.gov/qsmo-services-risk-assessment

[2] SAFECOM recommends the guide be used in conjunction with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), which provides a holistic perspective of the core steps to a cyber risk assessment, and the Public Safety Communications and Cyber Resiliency Toolkit, which provides resources for evaluating current resiliency capabilities, identifying ways to improve resiliency, and developing plans for mitigating the effects of potential resiliency threats. This document follows the Identify Function of the risk assessment process identified in the NIST CSF.

[3] For example, CISA's Cyber Resiliency Resources for Public Safety Fact Sheet highlights resources such as the Cyber Security Evaluation Tool (CSET®) and others provided by the federal government, industry, and trade associations. The Fact Sheet assists public safety organizations in determining their network cybersecurity and resiliency capabilities and identifying ways to improve their ability to defend against cyber incidents.
THREAT: A circumstance or event that has or indicates the potential to exploit vulnerabilities and to adversely impact organizational operations, assets, individuals, other organizations, or society

VULNERABILITY: A characteristic or specific weakness that renders an organization or asset open to exploitation by a given threat

LIKELIHOOD: Refers to the probability that a risk

RISK: The potential for an unwanted or adverse outcome resulting from an incident, event, or occurrence, as determined by the likelihood that a particular threat will exploit a particular vulnerability, with the associated consequences