Cybersecurity Framework Assessment for Executive Order 13636 (EO 13636)

Critical Start provides assessment services to evaluate your readiness to Executive Order 13636 for Improving Critical Infrastructure Cybersecurity.    This assessment will help you prepare your organization for compliance and to build a roadmap for future enhancement over 24-36 months.

The national and economic security of the United States depends on the reliable functioning of critical infrastructure. To strengthen the resilience of this infrastructure, the President issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive (PPD) on Critical Infrastructure Security and Resilience” on February 12, 2013. This directive calls for the development of a Cybersecurity Framework (“Framework”) that provides a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” for assisting organizations responsible for critical infrastructure services to manage cybersecurity risk.


The Framework provides a common language and mechanism for organizations to: 1) describe current cybersecurity posture; 2) describe their target state for cybersecurity; 3) identify and prioritize opportunities for improvement within the context of risk management; 4) assess progress toward the target state; 5) foster communications among internal and external stakeholders.

  • Identify – Develop the institutional understanding of which organizational systems, assets, data, and capabilities need to be protected, determine priority in light of organizational mission, and establish processes to achieve risk management goals.

  • Protect – Develop and implement the appropriate safeguards, prioritized through the organization’s risk management process, to ensure delivery of critical infrastructure services.

  • Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

  • Respond – Develop and implement the appropriate activities, prioritized through the organization’s risk management process (including effective planning), to take action regarding a detected cybersecurity event.

  • Recover - Develop and implement the appropriate activities, prioritized through the organization's risk management process, to restore the appropriate capabilities that were impaired through cybersecurity event.

Defining a  Target Profile and Desired Framework Implementation Tier

Working together to identify your organizations business requirements, risk tolerance and resources along with industry best practices a Target Profile is created to best understand the goals of your cybersecurity capabilities based on the Core Framework Functions and maturity levels.     This profile will include details for the categories, subcategories and reference frameworks which include NIST, ISO 27002, COBiT and industry guidance (PCI, NERC, FERC, HIPAA).  The framework implementation tiers reflect the how the organization plans to implement the framework core functions:

  • Tier 0: Partial – formal, threat-aware risk management process not implemented

  • Tier 1: Risk-Informed - risk-informed, management approved processes and procedures are defined and implemented and staff has adequate 224 resources to perform their cybersecurity duties

  • Tier 2: Repeatable - organization updates its risk profile based on regular application of its risk management process to respond to a changing cybersecurity landscape

  • Tier 3: Adaptive – organization updates its risk profile based on predictive indicators derived from previous and anticipated cybersecurity activities using internal, external, and partner derived threat intelligence.

Assessment of your Current Profile

An assessment of the current environment is performed based on a capability maturity model to provide a baseline.   This assessment is performed using ISO27002 2013 standards to evaluate the current capabilities.  

Gap Analysis

An analysis between the Targeted and Current Profiles using individual capability maturity model per category. This gap assessment will include the definition of gaps at the category and subcategory level.