CCRI to CORA: More Than a Name Change
The Shift from Rigidity to Agility.
Established in 2010 by DISA, the Command Cyber Readiness Inspection (CCRI) was known to cause sweat to break out on the brows of cybersecurity professionals throughout the DoD.
The inspection could come at any time—with or without warning. And it included having your NIST/STIG cyber compliance examined, your records reviewed, your network vulnerabilities assessed, your physical security analyzed and your people observed as they work. No pressure, right?
In March 2024, the DoD renamed the program. Today, it’s called the Cyber Operational Readiness Assessment (CORA). But the name isn’t all that has changed.
Comparing CORA and CCRI in practical terms.
While both CCRI and CORA verify and strengthen cybersecurity compliance with DoD orders and directives, there are some subtle shifts that are worth noting.
CORA reflects a shift in focus from CCRI’s inspection compliance to CORA’s operational readiness posture. It’s a nuance that impacts both the assessments themselves and the way agencies perceive and prepare for the visits.
The CORA program uses a risk calculus to decide which organizations get assessments and how often. The DoD conducts visits based on a multifactor analysis that takes needs and team resources into account. These factors may include access control, anomaly detection and the ability to respond to threats, in addition to mission, vulnerabilities and resources.
9 critical elements of the CORA program.
Aside from a change in culture, attitude and mindset, CORA delivers the following features:
- Strengthens the posture and resiliency of the Department of Defense Information Network (DODIN).
- Supports DODIN Areas of Operation (DAO) leaders in their efforts to harden their information systems, reduce the attack surface of their cyber terrain and enhance a more proactive defense, the foundational cybersecurity principles measured by the CORA program.
- Provides commanders and directors with a more precise understanding of their high-priority cyber terrain and their overall cybersecurity and defensive posture.
- Enables greater command and control and enhances decision making.
- Prioritizes MITRE ATT&CK mitigations to minimize adversarial risk to the DODIN. MITRE ATT&CK is a knowledge base of adversarial tactics, techniques and procedures (TTPs) used globally not just to protect and defend information systems and networks, but also to hunt bad actors using risk-based metrics.
- Eliminates the pass-fail tests of CCRI and uses the ATT&CK database to measure how vulnerable the organization is to current threats. Even if a command hasn’t completely eliminated a vulnerability from its IT infrastructure, it will get credit for taking steps to mitigate the risk.
- Focuses on securing the boundary, including network perimeter devices, public-facing and DoD-facing assets that serve the public, external DoD components, and any information system with a direct interface to an external information system.
- Adjusts as TTPs and mitigation priorities shift, keeping pace with rapidly changing cybersecurity threats and risks.
- Allows organizations to focus their mitigation efforts on risk and exposure to common adversarial TTPs. This means that agencies can concentrate limited resources and staffing on correcting high-risk areas.
In short, the shift from CCRI to CORA is a shift from a rigid, unscalable compliance inspection process to a more agile and resilient approach that takes multiple factors—and the changing landscape—into consideration. Already tested in military applications, the new program is showing success.
The role automation plays in CORA and cybersecurity compliance.
At 2024’s AFCEA TechNet Cyber, DoD leaders said technologies like automation and AI will play a role in implementing CORA and improving its effectiveness. SteelCloud automates many of the steps on the path to success in the CORA process.
As you consider how your organization will shift and evolve in response to the move to CORA, feel free to reach out to SteelCloud for a demo and discussion of how you can zero in on the specific areas of compliance DISA has earmarked for you.