Man showing a relationship diagram on a computer screen

MITRE’s Cyber Resiliency Engineering Framework Navigator Aligns with the Department of Defense Cybersecurity Maturity Model Certification

Visualization tool helps the Defense Industrial Base better structure their cyber resiliency strategies and strengthen supply chains.

McLean, Va. & Bedford, Mass., April 25, 2024 — MITRE’s Cyber Resiliency Engineering Framework (CREF) NavigatorTM now incorporates the US Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) so cybersecurity engineers for the Defense Industrial Base (DIB) can strengthen supply chain resilience against sophisticated cybersecurity attacks. The CREF Navigator aligns with NIST SP 800-171, the National Institute of Standards and Technology’s (NIST) publication designed to safeguard Controlled Unclassified Information (CUI) and the subset of NIST SP 800-172 that aligns with the proposed CMMC Level 3 model which has 24 of the 34 security requirements that address more sophisticated cybersecurity attacks.

“Our national security depends on the security of our defense systems and the supply chains to enable that defense,” said Wen Masters, vice president, cyber technologies, MITRE. “All along the supply chain, you need accountability in following the appropriate security requirements to build a resilient system. Resilience in the face of a cyber-attack is not a quick fix. Resiliency must be engineered before an incident.”

MITRE in partnership with NIST created the original cyber resiliency framework, NIST SP 800-160, Volume 2 (Rev. 1). The CREF Navigator, which debuted in early 2023, makes that NIST framework searchable and visualized. With the tool, engineers can make educated and informed choices while designing resilient cyber solutions. Beyond pairing with CMMC, the CREF Navigator also aligns with the MITRE ATT&CK® knowledgebase of tactics and techniques and Cyber Model-Based Systems Engineering (MBSE) for cyber threat modeling.

“To allow cyber engineers to customize the tool for their individual needs, we enhanced the CREF Navigator so users can create their own scenarios and apply different parameters of threats and techniques,” said Shane Steiger, principal cybersecurity engineer, MITRE. “Regardless of how you keep your security data, you can import your data into the CREF Navigator via a .csv file, and the visualization of the data can be exported back out to a .csv file. Later this year, we’ll add enhancements for Zero Trust Architectures.”

As with many of MITRE’s resources for cyber defenders that are developed in the public interest, the CREF Navigator is freely available to the greater cyber community. See the CREF Navigator in action at

MITRE’s mission-driven teams are dedicated to solving problems for a safer world. Through our public-private partnerships and as an operator of federally funded R&D centers, we work across government and in partnership with industry to tackle challenges to the safety, stability, and well-being of our nation. Learn more at

Media Contact: Lisa Fasold,