CISA Retires US CERT and ICS CERT, and Releases New Edition of MITRE ATT&CK Best Practices

By Larry O'Brien
Company and Product News

The US Cybersecurity and Infrastructure Security Agency (CISA) recently retired the old US-CERT (computer emergency readiness team) and ICS-CERT (industrial control systems) designations. While these domains have been in existence for many years, CISA now handles all the functions previously performed by the US-CERT and ICS-CERT organizations, so it makes sense to retire the old designations in favor of the now unified CISA.

CISA also recently announced the second edition of its Best Practices for MITRE ATT&CK Framework. From the press release: 

"Since the Cybersecurity and Infrastructure Security Agency (CISA) announced its first edition of Best Practices for MITRE ATT&CK Mapping nearly two years ago, the ATT&CK framework has evolved, expanded, and improved its ability to support more than just optimized cyber threat intelligence to the cybersecurity community. To match these advances, CISA recently published a second edition of our mapping guide and announces a new accompaniment to the guide, CISA’s Decider tool.


This tool walks users through a mapping process, asking them a series of guided questions about adversary activity to help them arrive at the correct tactic, technique, or sub-technique. Along with the tool, users are also provided with a fact sheet and brief video that will familiarize them with key features and capabilities of Decider.

Key features include guided questions about adversary activity in plain language to help users confirm they are mapping correctly, and a powerful search and filter functionality to allow users to focus on what is most relevant to their analysis.  

Why was Decider developed?

Many stakeholders communicated that they either did not know how to start mapping to ATT&CK, or they were unsure if they were accurately mapping adversary behavior. CISA partnered with the Homeland Security Systems Engineering and Development Institute (HSSEDI), which worked with the MITRE ATT&CK team, to develop a tool that was easy to understand with minimal technical language and could help users quickly and properly go through the framework steps.

Decider is currently compatible with Enterprise ATT&CK versions 11.0 and 12.0.

Updates to CISA’s mapping guide

CISA’s recent update of Best Practices for MITRE ATT&CK Mapping, completed in partnership with HSSEDI, incorporates significant updates of MITRE ATT&CK version 9 through version 12. Some of the updates include expansion of macOS and Linux coverage; increased equity between the industrial control systems (ICS), mobile, and enterprise matrices; addition of adversary campaigns, and redefined data sources and
