Manifesto Overview

The Cyber Resilience Manifesto

Read the manifesto online as a complete five-chapter sequence. Start at definitions or jump directly to the part you need.

Main Statement

This is the Cyber Resilience Manifesto

Cyber resilience is an extension of information security and an evolution of operational resilience. It is “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.” This definition comes from Developing Cyber-Resilient Systems [1], a NIST [2] Special Publication that is widely considered the most authoritative resource available today.

An organization’s cyber resilience efforts primarily aim to implement strategies and tactics that ensure the survivability of mission-critical functions before, during, or after a coordinated, destructive cyber-attack. Such cyber resilience strategies and tactics require capabilities to address the continuously evolving risks from advanced and unpredictable adversaries. This implies expanding threat scenario definition and modeling beyond “severe but plausible” and focusing on capable and motivated adversaries introducing “extreme but plausible” threat scenarios. The defender's goal should be to make it costly and difficult for these advanced adversaries to break into the organization’s environment and execute such an attack.

A fundamental step to achieving cyber resilience is identifying and understanding the organization’s critical assets, i.e., the high-value information assets (data), information systems (applications), processes, roles, and third parties, and developing plans to become resilient-by-design. For such identification to be effective, it must focus on the assets’ inherent impact and consider both the business objectives (Voice of the Customer) and the adversary’s objectives (Voice of the Adversary).

Business resilience is the outcome of well-executed information security, operational resilience, and cyber resilience and is defined by the World Economic Forum [3] as “the ability of an organization to transcend any stresses, failures, hazards, and threats to its cyber resources within the organization and its ecosystem, such that the organization can confidently pursue its mission, enable its culture, and maintain its desired way of operating.”

References

  • [1] Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, NIST SP 800-160 Vol. 2
  • [2] National Institute of Standards and Technology
  • [3] The Cyber Resilience Index: Advancing Organizational Cyber Resilience

Read The Manifesto

Jump directly to a chapter

Begin with definitions for the full sequence, or move directly to the chapter most relevant to your organization.

Five Chapters

Choose a chapter

The web manifesto is organized into five tightly scoped chapters. Read from the beginning for the full argument, or jump directly to the section most relevant to your work.

Reading Order

Definitions first, outcomes last

The sequence matters. Definitions establish the operating concept, strategy turns that concept into organizational ability, critical assets focus investment, architecture shapes survivability, and outcomes make resilience measurable.

Each chapter includes clear back and forward controls so the manifesto can be read as one continuous argument without needing the PDF.