
What is CORA (Cyber Operational Readiness Assessment)?

In March 2024, Joint Force Headquarters Department of Defense Information Network (JFHQ-DODIN) officially launched its Cyber Operational Readiness Assessment (CORA) Program.

 


The Joint Force Headquarters-Department of Defense Information Network (JFHQ-DoDIN) is a part of US Cyber Command (CYBERCOM) and is in charge of overseeing the day-to-day operations and defense of DoD networks around the world.

CORA replaces the Command Cyber Readiness Inspections (CCRIs) that the DoD has used for over ten years. JFHQ-DoDIN has introduced it as a more flexible and effective program for measuring cyber readiness. Previously, the inspection mindset was heavily focused on compliance; the CORA program aims to change this with a focus on operational resilience.

“CORA assessment provides commanders and directors a more precise understanding of their high-priority cyber terrain and their overall cyber security and defensive posture.”

Lt. Gen. Robert Skinner, commander of JFHQ-DODIN

What is CORA?

CORA provides a critical approach for the DoD towards achieving operational readiness by reducing the attack surface of their cyber terrain and enhancing security measures where it matters most, ensuring continuity of operations. It’s not just about reacting to threats but anticipating and neutralizing risk before operations are disrupted.

Its aim is to measure and deliver the foundational cybersecurity outcomes of:

  • Hardening information systems

  • Reducing attack surface of the cyber terrain

  • Enhancing a more proactive defense


What's the difference between CCRI and CORA?

A Command Cyber Readiness Inspection (CCRI) was a formal inspection conducted by the US Department of Defense. It was a comprehensive look at the cyber security posture of a military installation in order to improve the security of the DoDIN with a pass/fail assessment.

Now the focus is on cyber security efforts for those systems that are mission-critical and also most at risk of attack. This reflects a mindset shift from tick-box compliance to operational resilience assessments, represented by the launch of the Cyber Operational Readiness Assessment (CORA) program.

The CORA program, which has replaced the CCRI, shifts the focus from compliance to operational readiness. CORA recognizes that not all parts of your network are the same.

Some are more mission-critical than others and the focus should be on assessing the right part of the network in the right way for mission success.

The CORA program will also consider risk factors when it chooses which DoD organizations to assess and when. This may result in some bases undergoing multiple CORAs within a single year, whereas others may go for a number of years without an assessment.

It also represents a mindset shift: misconfigurations and vulnerabilities are no longer all treated as equal in importance. Instead, the focus is on the assets that are important to the mission and on where the risks to those assets lie.

The role of CORA in DoD cybersecurity

The CORA program offers commanders and directors a clearer insight into their critical cyber landscape and security defense posture, giving them improved command and control and better decision-making.

With its focus on operational resilience, CORA will help support bases and missions to become more proactive in their defense against attacks. By hardening their critical networks, they will be ready when an attack comes, more resilient to it, and quicker to recover and strike back.

"The Cyber Operational Readiness Assessment helps strengthen the posture and resiliency of the Department of Defense Information Network (DoDIN) by supporting DoDIN Areas of Operation (DAO) commanders and directors in their efforts to harden their information systems, reduce the attack surface of their cyber terrain, and enhance a more proactive defense. These are the foundational cybersecurity principles measured by the CORA program."
JFHQ-DODIN

CORA and MITRE ATT&CK

The program focuses on three principles when deciding what and when to assess:

  • Assessing the right things

  • Assessing the right places

  • Assessing for mission success  

CORA emphasizes using risk-based metrics to guide assessments and remediation. These metrics, derived from threat intelligence and MITRE ATT&CK, determine an organization's risk exposure and ensure that assessments cover the critical areas.

ATT&CK is a knowledge base of known tactics, techniques and procedures (TTPs) that are used by adversaries to attack networks and exploit vulnerabilities. Cyber defenders worldwide use it to protect their information systems and to hunt malicious actors.

CORA emphasizes the use of ATT&CK to assess and identify a DoD entity's vulnerability to TTPs that might allow an intruder to achieve initial access or conduct privilege escalation, lateral movement, and data exfiltration within the DoDIN.

Key components of CORA

CORA assessments provide leaders with a point-in-time view of their high-priority and mission-critical cyber posture, including continuity planning, risk assessment, disaster recovery and incident response. CORA recognizes that not all parts of the network are the same and that some parts will be more mission-critical than others, and it is these that should be the focus of assessments. This means CORA includes:

Key Indicators of Risk (KIOR) within CORA

A key component of the CORA program is a focus on the key indicators of risk. These are taken from threat intelligence and the MITRE ATT&CK framework. They are fed down from the JFHQ-DoDIN and shared with teams conducting CORA assessments.

KIORs offer essential insights into the tactics, techniques, and procedures (TTPs) that could potentially be employed in an attack, highlighting activities that pose existential risks to an organization.

Understanding where these risks lie enables remediation efforts to be directed at these vulnerable points, which actual threats may be targeting. These KIORs will change over time as attack vectors change and different TTPs are employed.

How Nipper OmniSight can support preparations for CORA

CORA places strong emphasis on network devices, especially routers and firewalls, because of their significance in maintaining network security. They play a crucial role in protecting and segmenting information systems.

These devices must be securely configured, as any misconfigurations or vulnerabilities in these devices could leave networks and mission-critical segments open to attack. So, teams need to be aware of any configuration changes—whether planned or unauthorized—as these changes can introduce new risks. Given the complexity of modern network devices, DoD teams require automation tools that can accurately assess configurations for misconfigurations and vulnerabilities that jeopardize the mission.


Nipper OmniSight

Titania's Nipper OmniSight is designed to meet these needs, providing DoD teams with a robust solution to prepare for a CORA. Nipper OmniSight assists teams in four key ways:

Prepare for your next CORA inspection

Share your device scope, constraints, and CORA objectives. We will show how network security teams use Nipper OmniSight Integrated to help automate evidence workflows across CMDB and SIEM. We will also show how Nipper OmniSight Continuous supports CTEM to validate configuration changes between inspections.