
This page has been translated using TexTra by NICT. Please note that the translation may not be completely accurate.
If you find any mistranslations, we appreciate your feedback on the "Request form for improving the automatic translation".

Continuous Risk Diagnosis and Response (CRSA)

To respond to cyberattacks, which are becoming more sophisticated every day, cybersecurity countermeasures across government organizations need to be improved further. In the United States, the Continuous Diagnostics and Mitigation (CDM) program is being introduced to improve cybersecurity countermeasures. The Japanese government is also introducing a Continuous Risk Scoring and Action (CRSA) system (hereinafter referred to as the "CRSA System") based on the CDM program in the United States.

Overview

What is CRSA?

CRSA carries out the following for the controls (management measures) that need to be introduced into information systems in order to comply with the organization's security policy and similar requirements.

  • Risk assessment: visualizing gaps and risks between the required controls and actual conditions
  • Response: remediating the visualized gaps and risks
  • Continuous: continuously carrying out gap and risk visualization and corrective action

Conceptual Diagram of CRSA
Conceptual diagram of continuous risk assessment and response (CRSA). It shows a cycle of returning to the original state by visualizing gaps and risks in the actual state, implementing the necessary controls, and taking corrective action.

What is the CRSA System?

  • Based on the concept of CRSA, the CRSA System provides a mechanism to strengthen the cybersecurity of an organization's networks and systems.
  • It collects information about the organization's assets and supports remediation of potential risks, such as applying updates to asset configurations and software components.
  • In the operation of information systems, it comprehensively monitors information (*) on assets that make connection requests to resources, with the aim of detecting deviations from the security policy and similar requirements, taking timely and appropriate measures, and automating auditing activities.
    *For example: are terminals running properly patched operating systems, are all organization-approved software components present, are unauthorized components absent, and are assets free of known vulnerabilities?
  • In the future, it will be responsible for providing that information to the policy engine in a Zero Trust Architecture.

Overview of the CRSA System
Overview of Continuous Risk Assessment and Response (CRSA). This shows a mechanism in which the Digital Agency and NISC (cybersecurity) send response requests to the person in charge at the relevant government agency (X Agency), the usage status of PC user clients is monitored through the ASO (Agency Security Operation) system, and statistical information is provided to the Digital Agency and NISC.

Purpose and Effects of Introduction of the CRSA System

1. Prompt recognition and correction of deviations from controls (management measures) in accordance with the Uniform Standards of Government Agencies, etc.
The CRSA system continuously monitors the implementation of the controls necessary for cybersecurity countermeasures, so that inappropriate conditions can be identified quickly and corrective action taken.
2. Effective response, such as triage, when an incident occurs
Since the CRSA system can grasp the status of assets and vulnerabilities in the organization in real time, it will be possible to quickly determine the scale of impact on assets and the priority of response when an incident occurs.
3. Efficient reporting of security measure implementation status through real-time data
The CRSA system enables an organization to understand asset status, account usage, and incident occurrence in real time. This allows cybersecurity measures to be reported objectively and efficiently. The government as a whole can efficiently understand the cybersecurity measures of each organization without burdening each organization.
4. Rapid detection of cross-government vulnerabilities and corrective responses to threats and incidents
Based on specific threat information and incident information, the CRSA system can identify affected locations and potential incident locations across the government, enabling quick and effective response.
5. Maintaining the operational environment for the Zero Trust Architecture
In the specific implementation and operation of the Zero Trust Architecture, it is necessary to understand the vulnerability response status of each device on the network in order to understand and maintain the soundness of the entire system. The diagnostic results of the CRSA system will also be used as input information for the policy engine in the Zero Trust Architecture.

Recent Efforts

2022 survey and research on the implementation, by leading ministries and agencies, of a continuous diagnosis and response security architecture for government information systems

In order to implement a continuous diagnosis and response security architecture throughout the government, we introduced the CRSA system at the leading ministries and agencies and validated its effects.

Meetings, etc.

References