What is a Command Cyber Readiness Inspection (CCRI)?
The Command Cyber Readiness Inspection (CCRI) is a comprehensive cybersecurity evaluation and assessment conducted by the United States Department of Defense (DoD). A CCRI serves as a formal inspection aimed at enhancing accountability and bolstering the security posture of DoD Information Networks in alignment with DoD standards, with a specific focus on Command, Mission, Threat, and Vulnerability. The primary objective of a CCRI audit is to comprehensively evaluate and ensure the cybersecurity readiness of DoD information systems and networks, encompassing those utilized by military commands, installations, and various organizations, thus safeguarding critical data and assets. We’re going to discuss the Command Cyber Readiness Inspection (CCRI) checklist and CCRI hardening for cybersecurity and defense.
What is Cyber Operational Readiness Assessment (CORA)?
The CCRI inspection underwent significant changes, shifting its focus from a traditional inspection to an operational readiness mission. To reflect this new approach, the program was renamed Cyber Operational Readiness Assessment (CORA).
The Joint Force Headquarters-Department of Defense Information Network (JFHQ-DODIN) launched its Cyber Operational Readiness Assessment (CORA) program on March 1, 2024, after a nine-month pilot. CORA is crucial for validating current, future, and emerging technologies that will help the DOD continuously monitor and assess terrain in order to evaluate and mitigate risk across the DODIN.
Understanding the process
Inspections are essential for pinpointing weaknesses and vulnerabilities in information systems and networks while also evaluating their adherence to cybersecurity regulations. CCRI (now CORA) inspections encompass various cybersecurity aspects such as hardening, network security, information assurance, configuration management, physical security, and more. The specific focus of the inspection may vary depending on the organization under assessment.
Lt. Gen. Robert Skinner, commander of JFHQ-DODIN, stated of CORA, ‘The new processes help strengthen the posture and resiliency of the Department of Defense Information Network (DODIN) by supporting DODIN Areas of Operation (DAO) commanders and directors in efforts to harden their information systems, reduce the attack surface of their cyber terrain, and enhance a more proactive defense. These are the foundational cybersecurity principles measured by the CORA program.’
What are the Three Inspection Areas?
The results of these three CCRI (now CORA) inspection areas help identify vulnerabilities, weaknesses, and areas for improvement:
Information Assurance (IA) and Cybersecurity: This area focuses on the organization’s information assurance and cybersecurity practices. It assesses whether the organization’s information systems and networks are adequately protected and compliant with DoD cybersecurity standards, policies, and regulations. It includes evaluations of access control, network security, vulnerability management, and compliance with information assurance and cybersecurity best practices.
Computer Network Defense (CND): The CND inspection area evaluates the organization’s capabilities and procedures for defending against cyber threats, attacks, and intrusions. It assesses the organization’s ability to detect, respond to, and mitigate cybersecurity incidents and vulnerabilities. This area also examines incident response plans and the organization’s readiness to handle cyber threats effectively.
Information Management: Information management encompasses the organization’s practices for handling and protecting sensitive and classified information. This includes ensuring that proper access controls are in place, data is appropriately classified, and information is safeguarded to prevent unauthorized disclosure or loss. Compliance with data protection and data handling policies and procedures is a key focus within this inspection area.
How often are CORA Inspections Conducted?
CORA will implement a risk-based approach to determine which organizations receive assessments and how frequently. Instead of adhering to fixed inspection schedules as with CCRI, the DoD will base visits on a “multifactor” analysis that considers both the needs of the organizations and the resources of the assessment teams. As a result, some bases and commands might undergo CORAs multiple times a year, while others may not have one for several years.
The frequency of Command Cyber Readiness Inspections was based on several factors, including the type of organization being inspected, its mission criticality, and the specific requirements set by the Department of Defense (DoD). CCRI guidelines for the frequency of assessments were: Annually, Biennially, As Required, and Ad Hoc.
What are the scoring criteria for Command Cyber Readiness Inspections?
CORA scoring will no longer be a pass-or-fail test, unlike CCRI, where a score of 70 or above was considered passing.
Instead, assessment teams from JFHQ-DoDIN and the military services will shift from physical inspections to a data-driven approach. By leveraging intelligence and cyber threat information from MITRE ATT&CK, they will determine an organization’s susceptibility to current threats. A key change is the recognition of risk mitigation steps, even in the presence of vulnerabilities, as valuable progress.
CCRI scoring criteria were based on an overall score of 100 percent, which was divided into three components:
- Technical Implementation: This component accounted for 60 percent of the total score and evaluated the technical aspects of the network security, such as device discovery, classification, access control, policy compliance, and continuous monitoring.
- Compliance with Computer Network Defense (CND) Directives: This component accounted for 30 percent of the total score and assessed adherence to the security benchmarks and standards mandated by the DoD, such as Host-Based Security System and Assured Compliance Assessment Solution.
- Contributing Factors: This component accounted for 10 percent of the total score and reflected the cyber culture awareness and leadership engagement of the DoD entity, such as the implementation of Security Technical Implementation Guide requirements, the plan of action and milestones, and the cybersecurity service provider alignment.
Prepare Your System for CORA Inspection
Organizations undergoing a CORA hardening project are expected to address any identified vulnerabilities and deficiencies to improve their cybersecurity posture. This often involves implementing corrective actions and mitigation strategies.
CalCom Hardening Suite (CHS) can help save time and effort on CCRI preparations by providing a comprehensive hardening solution. The CHS tool configures and strengthens system defenses, prevents vulnerabilities, and aligns with cybersecurity standards and best practices.
If you have an upcoming assessment and want to be prepared with a hardened system, get in touch.