External dependencies management assessment

The External Dependencies Management Assessment is a voluntary, in-person, facilitated assessment created by the United States Department of Homeland Security. The EDM Assessment is intended for the owners and operators of critical infrastructure organizations in the United States. It measures and reports on the ability of the subject organization to manage external dependencies as they relate to the supply and operation of information and communications technology (ICT). This area of risk management is also sometimes called Third Party Risk Management or Supply Chain Risk Management.

The EDM Assessment is intended not only for situations where the organization explicitly contracts for services that involve the hosting or processing of data – for example cloud services – but for any situation where the organization may be harmed or realize risks as a result of cyber security failures at a third party. These risks may occur, for example, when failures at a contractor affect the confidentiality of critical information shared with that contractor, or the availability of key resources or capabilities at a third party is jeopardized by a cyber security lapse.



Method and Structure
The EDM Assessment is based on the structure and method of the DHS Cyber Resilience Review. No artifacts or documentary evidence are collected during the assessment. All information collected is protected as PCII – Protected Critical Infrastructure Information. It is shielded from requests under the Freedom of Information Act, cannot be used in civil litigation, and cannot be used for regulatory purposes. The assessment is divided into three domains:

Relationship Formation:  The purpose of Relationship Formation is to assess whether the organization evaluates and controls the risks of relying on external entities before entering into relationships with them. Relationship Formation includes having a process for entering into formal relationships and evaluating external entities.

Relationship Management and Governance: The purpose of Relationship Management and Governance is to assess whether the organization manages ongoing relationships to maintain the resilience of the critical service, and mitigate dependency risk. This includes identifying the external entities that support the critical service, ongoing risk management, managing changing requirements, and controlling external entities' access to the acquirer.

Service Protection and Sustainment: The purpose of Service Protection and Sustainment is to assess whether the organization accounts for its dependence on external entities as part of its operational activities around managing incidents, disruptions, and threats. This includes integrating external entity considerations into the acquirer's disruption planning - typically incident management and service continuity, validating controls at external entities, and maintaining situational awareness activities directed at external dependencies.

Scoring Approach
DHS partnered with the Software Engineering Institute at Carnegie Mellon University to create the EDM Assessment. The assessment itself consists of 71 questions about specific practices. Questions in the EDM Assessment are drawn from the Cyber Resilience Review as well as the CERT Resilience Management Model. In addition, the authors used concepts from the Information Technology Infrastructure Library and National Institute of Standards and Technology materials. Each question in the EDM Assessment is scored in one of three ways, yes, no, or incomplete. A “yes” means that the practice is fully performed as described in the assessment. “No” means that the practice is not performed at all in the organization. An “incomplete” means that the practice is partially performed. For example, if the question asks “Does the organization have a documented procedure for entering into formal agreements with third parties?”, an answer of “incomplete” could mean that the written procedure is incomplete or being written.

Maturity Indicator Levels
The final section of the EDM Assessment consists of fifteen questions intended to evaluate the maturity of the basic practices in the assessment. This approach to maturity is identical to the Cyber Resilience Review, and employs maturity indicator levels (MILs) to assess the maturity of the organization's capability. The MILs are: Planned, Managed, Measured, and Defined. Questions in each MIL level focus on the institutionalization of practice in the organization, and represent a progressively higher level of maturity. Practices that are more institutionalized, or “sticky”, are more likely to be retained during times of organizational stress or disruption. In addition, they tend to be more repeatable and consistent in practice.

Results
The EDM Assessment report includes a heat map, which graphically depicts the organization's performance across the various practices and maturity indicator levels. The easy to understand, graphical format allows managers in an organization to identity areas where the organization is weak. The report also comes with explanatory and background material that the organization can use to improve a specific area. These are drawn from the CERT Resilience Management Model and NIST resources, including the NIST Cyber Security Framework. In some cases, these materials also include pointers to relevant sections of Internal Standards Organization ISO 27036 and 20243.