Assessment Evaluation and Standardization Program

The role and mission of the Assessment Evaluation and Standardization (AES) program is to increase the quality and quantity of cyber professionals who can execute cyber assessments independently according to CISA’s standards and methodologies. 

Training assessors to conduct CISA standard Cyber Risk Assessment methodologies is a major step in setting up an ecosystem that is critical to the success of performing cyber assessments, and in providing national-level data views that drive initiatives to reduce risk.

Participants who receive their AES training course certificate can execute assessments, however only CISA personnel are authorized to conduct official CISA assessments.

How does AES complete its mission?

The AES program accomplishes this mission by:

• Producing a federal, and private sector, workforce of prepared and qualified assessors.
• Ensuring that assessors have the knowledge and skills necessary to conduct assessments according to the CISA standards and methodologies.
• Confirming that assessment results are of high quality, consistent, and repeatable.

Why is AES important?

The AES program is important for the following reasons:

• AES is the only supporting resource for the non-Tier 1 High Value Assets 3.0 (HVA 3.0) communities in meeting their required three-year Office of Management and Budget (OMB) mandate.​
• AES is the only assessment training resource for Federal Civilian Executive Branch (FCEB), Federal Department and Agencies (D/A), National Guard, State, Local, Tribal, and Territorial (SLTT), and Critical Infrastructure (CI).​
• AES is authorized to train all domestic groups, including contractors and vendors, on Cyber Security Assessments to support Federal and SLTT self-assessments.​

Who is the audience for the AES program?

The approach assists all .GOV and .MIL and critical Infrastructure to include SLTT, Public, and Private Organizations.

Audience

• Federal Civilian Executive Branch (FCEB)
• Federal Department and Agencies (D/A)
• National Guard (.MIL)
• State, Local, Tribal, and Territorial (SLTT)
• Critical Infrastructure (CI)
• Public and Private (Contractors and Vendors)

What role will I be eligible for upon completing the AES courses?

Assessment Lead (AL)

• Serves as primary assessment team person of contact (POC)
• Leads the assessment team
• Manages the overall assessment execution
• Debriefs and delivers the assessment report
• Role for the following assessments:
  • Cyber Performance Goals (CPG)
  • Cyber Resilience Review 2.0 (CRR 2.0)
  • External Dependencies Management (EDM)
  • High Value Assets 3.0 (HVA 3.0)
  • Incident Management Review (IMR)
  • Validated Architecture Design Review (VADR)

Technical Lead (TL)

•  Responsible for overall assessment execution
• Leads the Technical Exchange Meeting (TEM)
• Writes the majority of the assessment report
• Supports meetings throughout the assessment
• Role in HVA 3.0 assessments

Operator (OP)

• Leads the Penetration Test
• Responsible for the testing results appendix of the assessment report; contributes to other portions
• Supports meetings throughout the assessment
• Must pass an additional pre-course exam (OST) for acceptance into the course
• Role in Risk and Vulnerability Assessment (RVA) assessments

When will the courses be available on the new Learning Management System (LMS)?

Available Now:

• Cyber Performance Goals (CPGs)
• Validated Architecture Design Review (VADR) Course
• Incident Management Review (IMR) Course

Coming Soon FY25:

• Q1 - Ready Set Cyber (RSC) Guide
• Q2 - Cyber Resilience Review 2.0 (CRR 2.0) Course
• Q2 - External Dependencies Management (EDM) Course
• Q2 - High Value Assets 3.0 (HVA 3.0) Course
• Q4 - Risk Vulnerability Assessment (RVA) Course

Future Efforts:

• Ready Set Cyber (RSC) Course