Over the span of a decade, SecureStrux has conducted hundreds of Command Cyber Readiness Inspections (CCRIs), both in official capacities and as consultants, serving well over 75 clients.
Understanding the Inspection
CCRI, now known as the Cyber Operational Readiness Assessment (CORA), is a thorough evaluation of a Department of Defense (DoD) entity’s cybersecurity posture. It includes a detailed assessment of the organization’s Information Assurance programs, including classified and unclassified networks, along with the critical cyber and physical assets that support these networks.
Early Work with Defense Information Systems Agency (DISA)
In the fall of 2010, the CCRI program was officially launched by DISA Field Security Operations (FSO) and is now managed by Joint Force Headquarters Department of Defense Information Network (JFHQ DoDIN). The SecureStrux team’s initial encounter with the CCRI program stemmed from their CEO, Nathan Shea. The firsthand experience of both him and his team proved invaluable in shaping the evolution of SecureStrux. The team collaborated closely with DISA leaders to formulate and implement the program. This involved conducting several beta assessments and refining the inspection methodologies along the way.
The CCRI program was introduced to standardize the assessment and scoring process. Before it, DISA, including many of our team members, performed Enhanced Compliance Validation (ECV) assessments. Though the ECV assessments were valuable, they did not scale well. Organizations often experienced unexplainable fluctuations in their ECV scores and received varying feedback from inspection teams, causing frustration. This highlighted the urgent need for a more consistent, scalable, and clearly defined inspection process.
The CCRI aimed to address this issue, and over time, the inspection process became more scalable and predictable compared to earlier assessment programs.
Because of the extensive size of the sites, scope of inspections, and volume of networks needing to be assessed, DISA sought assistance from different branches of the DoD. Early adopters such as the Army, Navy, and Defense Counterintelligence and Security Agency (DCSA) signed up to help. They collaborated with DISA to get their teams trained and certified to conduct CCRIs within their respective areas of responsibility. Many members of the eventual SecureStrux team actively supported this initiative by training and helping certify these teams. Consequently, this collaboration significantly increased the number of CCRIs conducted worldwide, prompting Nate and his team members to travel across the globe to complete these inspections.
The accumulated experience of working beside these agencies and services gave Nate and his team a strong understanding of what it took to get an “Outstanding” (90%+) score in a CCRI. Once the Army, Navy, and DCSA had certified teams, they continued to assist others in getting certified. For the first time, the team saw the impact of their efforts and how many companies they could reach.
These experiences, while motivating, brought new challenges to Nate’s attention. Both he and his team saw how hard organizations were working towards compliance, yet they were still coming up short in their assessments. In response, Nate sought to build a solution: a team with the aim of guiding organizations to prioritize activities and funding to reduce their risk and bolster their security postures. He is quoted as saying,
“Our goal is to, at minimum, get our client’s score into the high 80s, and if we have enough time, get them an “Outstanding” score… we don’t feel like we’re doing our job if we aren’t getting clients into the upper 80s.”
Enter: SecureStrux
In 2014, Nate, as CEO and Founder, assembled a team of CCRI experts, establishing SecureStrux as a leading authority and experienced CCRI consulting company. Working closely with DISA and Joint Service Provider (JSP) Pentagon, SecureStrux played a pivotal role in building JSP’s original CCRI team and was instrumental to the launch of JSP’s inspection program, which was built to inspect, consolidate, and absorb the Fourth Estate’s many disjointed cyber programs. From these experiences, the SecureStrux team wanted to help organizations of all sizes not just understand the requirements for a successful CCRI, but also engineer solutions that would provide resiliency and a strong, sustainable cyber posture.
One of their first opportunities was in support of a large Federally Funded Research and Development Center (FFRDC). SecureStrux helped the FFRDC navigate its CCRI preparation, and in the end it earned three “Outstanding” CCRI scores at three different locations, which was unheard of at the time. This springboarded SecureStrux into the spotlight, supporting dozens of defense contractors, defense agencies, and military services such as JSP Pentagon, the Defense Logistics Agency (DLA), Johns Hopkins Applied Physics Lab (APL), Raytheon, Center for Naval Analyses (CNA), Battelle Memorial Institute, MITRE, and many more.
CCRI 2.0 and Beyond
With the introduction of CCRI 2.0, SecureStrux continued to stay in front of CCRI changes, helping clients understand the new requirements and changes to the process that impacted their organization. By this time, their expertise extended well beyond compliance. As a company, they were seasoned in setting up, fine-tuning, and securing classified networks and systems right from the start. The addition of these new services allowed the team at SecureStrux to engineer security from the ground up rather than attempting to retrofit it on pre-existing systems, saving their clients both time and money.
As CCRI 3.0 was rolled out in the fall of 2023, the bar was once again raised when a more stringent scoring process was introduced and methodologies were adjusted. For the first time, the CCRI was no longer contained on the ground but now extended to secure cloud enclaves.
CORA
As of March 2024, the DoD changed the name of CCRI to Cyber Operational Readiness Assessment (CORA). This update marks a shift toward mission-focused cybersecurity, placing heightened attention on Key Indicators of Risk (KIORs) and strong boundary security controls, and requiring an increased level of security and effort from organizations and assessment teams. As the adversary continues to find new ways to infiltrate networks, CORA will continue working to stay ahead with innovative solutions and enterprise toolsets. SecureStrux is devoted to helping our clients remain compliant and engineer solutions to provide exceptional visibility and resilience. With our expertise and dedication, we stand ready to support and mature your organization’s CORA journey.
At SecureStrux, we specialize in providing consulting expertise and full lifecycle security solutions to help organizations navigate today’s cyber landscape effectively. Our innovative approach and dedication to excellence ensure that your systems remain compliant, secure, and resilient against evolving threats. If you have any questions or would like to learn more about how SecureStrux can assist your organization, please don’t hesitate to reach out to us.