Codifying Resilience Practice
In the aftermath of the 9/11 terror attacks, organizations began to seek answers to predictably and systematically control operational resilience through activities such as security and business continuity.
In October 2003, a group of 20 IT and security professionals from defense organizations, the financial services sector, IT, and security services met at the SEI to identify what could enable and accelerate IT operational and security process improvement. The bodies of knowledge identified included IT and information security governance, auditing, risk management, IT operations, security, project management, and process management.
Soon after, in March 2005, the SEI began work with the Business Continuity committee of the Financial Services Technology Consortium (FSTC), exploring the development of a reference model to help determine an organization's capability to manage operational resilience. Drawing on its experience with developing and evolving the widely used Capability Maturity Model Integration (CMMI) framework, the SEI developed the CERT Resilience Management Model (CERT-RMM), which has 26 process areas.
Since 2009, organizations in the DoD, the U.S. defense industrial base, U.S. federal civilian agencies, the financial services sector, and academia have been using the CERT-RMM to institutionalize improved processes for managing operational resilience and measure their benefit.