Sample Page

Cyber resilience refers to an entity’s ability to continuously deliver the intended outcome, despite cyber attacks.^[1] Resilience to cyber attacks is essential to IT systems, critical infrastructure, business processes, organizations, societies, and nation-states. A related term is cyberworthiness,^[2] which is an assessment of the resilience of a system from cyber attacks. It can be applied to a range of software and hardware elements (such as standalone software, code deployed on an internet site, the browser itself, military mission systems, commercial equipment, or IoT devices).

Adverse cyber events are those that negatively impact the availability, integrity, or confidentiality of networked IT systems and associated information and services.^[3] These events may be intentional (e.g. cyber attack) or unintentional (e.g. failed software update) and caused by humans, nature, or a combination thereof.

The objective of cyber resilience is to maintain the entity’s ability to deliver the intended outcome continuously at all times.^[4] This means doing so even when regular delivery mechanisms have failed, such as during a crisis or after a security breach. The concept also includes the ability to restore or recover regular delivery mechanisms after such events, as well as the ability to continuously change or modify these delivery mechanisms, if needed in the face of new risks. Backups and disaster recovery operations are part of the process of restoring delivery mechanisms.

Resilience, as defined by Presidential Policy Directive PPD-21, is the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions.^[5]

The National Institute of Standards and Technology‘s Special Publication 800-160 Volume 2 Rev. 1^[6] offers a framework for engineering secure and reliable systems—treating adverse cyber events as both resiliency and security issues. In particular 800-160 identifies fourteen techniques that can be used to improve resiliency:

Regulatory frameworks increasingly incorporate cyber resilience concepts by requiring organizations to maintain continuity of operations during and after security incidents. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities to establish a contingency plan that includes data backup, disaster recovery, and emergency mode operation procedures to ensure the availability of electronic protected health information during emergencies (45 CFR 164.308(a)(7)).“45 CFR § 164.308 – Administrative safeguards”. Legal Information Institute. Retrieved April 1, 2026. The December 2024 HIPAA Security Rule NPRM proposed requiring regulated entities to restore critical information systems within 72 hours of a security incident and to establish and test procedures for system restoration, reflecting a shift toward resilience-based requirements.“HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information”. Federal Register. January 6, 2025. Retrieved April 1, 2026.

The NIST Cybersecurity Framework 2.0 explicitly addresses resilience through its Recover function, which encompasses recovery planning, improvements, and communications to restore systems and services affected by cybersecurity incidents.“NIST Cybersecurity Framework 2.0”. National Institute of Standards and Technology. February 2024. Retrieved April 1, 2026. NIST Special Publication 800-53 includes the CP (Contingency Planning) control family, providing detailed requirements for system recovery strategies, alternate processing sites, and resilience testing.“NIST SP 800-53 Rev. 5: Security and Privacy Controls”. National Institute of Standards and Technology. September 2020. Retrieved April 1, 2026.

• Giannetto, Boris – et al. – Cyber resilience for business continuity in the financial system (2022) – Bank of Italy – MISP n° 18