MITRE's Cyber Resiliency Engineering Framework Aligns With DoD Cyber Maturity Model Cert

April 26, 2024

2 Min Read


McLean, Va. & Bedford, Mass., April 25, 2024 — MITRE’s Cyber Resiliency Engineering Framework (CREF) NavigatorTM now incorporates the US Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) so cybersecurity engineers for the Defense Industrial Base (DIB) can strengthen supply chain resilience against sophisticated cybersecurity attacks. The CREF Navigator aligns with NIST SP 800-171, the National Institute of Standards and Technology’s (NIST) publication designed to safeguard Controlled Unclassified Information (CUI) and the subset of NIST SP 800-172 that aligns with the proposed CMMC Level 3 model which has 24 of the 34 security requirements that address more sophisticated cybersecurity attacks.

“Our national security depends on the security of our defense systems and the supply chains to enable that defense,” said Wen Masters, vice president, cyber technologies, MITRE. “All along the supply chain, you need accountability in following the appropriate security requirements to build a resilient system. Resilience in the face of a cyber-attack is not a quick fix. Resiliency must be engineered before an incident.”

MITRE in partnership with NIST created the original cyber resiliency framework, NIST SP 800-160, Volume 2 (Rev. 1). The CREF Navigator, which debuted in early 2023, makes that NIST framework searchable and visualized. With the tool, engineers can make educated and informed choices while designing resilient cyber solutions. Beyond pairing with CMMC, the CREF Navigator also aligns with the MITRE ATT&CK® knowledge base of tactics and techniques and Cyber Model-Based Systems Engineering (MBSE) for cyber threat modeling.

“To allow cyber engineers to customize the tool for their individual needs, we enhanced the CREF Navigator so users can create their own scenarios and apply different parameters of threats and techniques,” said Shane Steiger, principal cybersecurity engineer, MITRE. “Regardless of how you keep your security data, you can import your data into the CREF Navigator via a .csv file, and the visualization of the data can be exported back out to a .csv file. Later this year, we’ll add enhancements for Zero Trust Architectures.”

As with many of MITRE’s resources for cyber defenders that are developed in the public interest, the CREF Navigator is freely available to the greater cyber community. See the CREF Navigator in action at

MITRE’s mission-driven teams are dedicated to solving problems for a safer world. Through our public-private partnerships and as an operator of federally funded R&D centers, we work across government and in partnership with industry to tackle challenges to the safety, stability, and well-being of our nation. Learn more at

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights