CSIRT capabilities : how to assess maturity? : guidelines for national and governmental CSIRTs
National and governmental CSIRTs are essential for every country that is concerned about protecting its digital assets, from sensitive government information to its citizens and their information. The CSIRTs' role is very wide, from security incident response and management to various sophisticated technical services and awareness-raising and educational activities. When dealing with cyber incidents, CSIRTs have to work closely with law enforcement and other authorities, but no other authority in the cyber ecosystem is in a better position to help users and institutions to stop cyber incidents, to understand why they could happen and what to do to prevent them from happening again; this is the unique role of a CSIRT. Currently in the EU, governmental CSIRTs are typically used to protect the cyberspace of governmental institutions including critical infrastructure as well as to ensure cyber-crisis management. National CSIRTs, on the other hand, are playing different roles in different countries. In some countries they are responsible for the whole IP address space of that country, in others they also take the role of 'last resort' when no security contact point for an IP address can be found. In any case, when another country has to be contacted about resolving an incident, national CSIRTs are often asked to help to find the right contact person. Increasingly CSIRTs expect other teams with comparable competences to react to their requests in a timely manner and to handle shared information professionally. A maturity process and certification can help to ensure that these expectations are met. A high level of maturity (certification or similar activities) is also desirable for successful participation in CSIRT cooperation networks working in Europe. Many governmental and national CSIRTs are also responsible for crisis management and critical infrastructure protection processes in their countries.
Considering the importance and complexity of these processes, the responsible team's maturity is one of the key factors determining success or failure. This document focuses on the maturity of national and governmental Computer Security and Incident Response Teams (CSIRTs) and the Trusted Introducer certification scheme for CSIRTs as an indicator of the maturity level of teams. The issues covered are described from two points of view: the perspective of the team that is preparing for the certification process on the one hand and of teams that have already undergone certification and even recertification on the other. The aim of this document is to be a guiding tool for those national and governmental CSIRTs which are considering reaching the next level of maturity and a good understanding of their capabilities. This document gives recommendations for CSIRTs on how to improve and mature and be better prepared to protect their constituencies. ENISA has carried out a considerable amount of work in this area, and this document contributes by sharpening the role of ENISA in helping national and governmental CSIRTs on their way to a higher maturity level.
Year of publication: | 2015 |
---|---|
Other Persons: | Kaskina, Baiba (contributor) ; Taurins, Edgars (contributor) ; Dufkova, Andrea (contributor) |
Institutions: | European Network and Information Security Agency (issuing body) |
Publisher: | Heraklion : ENISA |
Extent: | 1 online resource (58 p...) |
---|---|
Type of publication: | Book / Working Paper |
Language: | English |
Notes: | Final version 1.6. December 2015. - CSIRTs = Computer Security and Incident Response Teams |
ISBN: | 978-92-9204-164-9 |
Other identifiers: | 10.2824/214073 [DOI] |
Source: | ECONIS - Online Catalogue of the ZBW |
Persistent link: https://www.econbiz.de/10015297006
Similar items by person
- How to set up CSIRTs and SOCs : good practice guide
  Taurins, Edgars, (2021)
- Cybersecurity in the EU Common Security and Defence Policy (CSDP) : challenges and risks for the EU
  Trimintzios, Panagiotis, (2017)