Operational Resilience Framework (ORF) Released for Public Comment

ORF Rules Designed by Security Leaders from Multiple Sectors to Help Strengthen Resilience and Operational Continuity in the Face of Destructive Attacks or Events

HERNDON, Va.--()--The Global Resilience Federation’s (GRF) Business Resilience Council (BRC), a group focused on mitigating systemic threats to business operations, launched the Operational Resilience Framework (ORF) in 2021 with a multi-sector group of security practitioners working in collaboration to develop rules and implementation aids to ensure the immutable and recoverable nature of data, systems, networks, applications and configurations.

The goal of the Operational Resilience Framework is to reduce operational risk, minimize service disruptions and limit systemic impacts from destructive attacks and adverse events. The framework’s rules, released today for public comment, are aligned to existing standards including NIST and ISO.

“The ORF is about ensuring that when something catastrophic happens, companies have immutable backups of their data, systems, and configurations to quickly restore services during a crisis, minimizing impact to customers,” said Mark Orsi, CEO and president of GRF. “We’ve gathered some very experienced cyber and resilience leaders from multiple industries and I’m pleased with the ORF rules draft we’ve produced.”

The ORF rules define the “Path to Operational Resilience” with seven steps:

  1. Implement an industry-recognized IT and cybersecurity control framework
  2. Understand your organization’s role in its ecosystem
  3. Define the minimum viable service levels for each operations and business critical service
  4. Establish service delivery objectives for those services
  5. Preserve data sets necessary to support the services
  6. Implement processes to enable recovery and restoration services to meet delivery objectives
  7. Independently evaluate design and periodically test

“Early on, the ORF working group identified a gap in existing standards and solutions for continuity and disaster recovery planning: most efforts focus on restoring systems and processes to pre-event levels and do not provide mechanisms to operate in an impaired state during a crisis until full restoration is achieved,” said ORF working group Chair Trey Maust, executive chairman of Lewis and Clark Bank and former CEO of Sheltered Harbor, a financial service sector initiative to protect consumer data.

Aspects of the ORF that distinguish it from other efforts include (i) planning for delivery of critical services in an impaired state until services can be fully restored; (ii) implementing immutable backup and restoration systems for data, systems, applications, networks, and configurations; and (iii) requiring executive-level sponsorship and support from the business to build a culture that achieves resilient business services.

The ORF has already received acclaim from resilience experts, winning most Effective/Impactful in the FDIC Tech Sprint competition “From Hurricanes to Ransomware: Measuring Resilience in the Banking World.” Additional input is requested to further refine the framework.

Please download the ORF rules version 0.9, now available for public comment. Suggestions for change or edits may be sent to orf@grf.org. This draft of the rules will be publicly available through June 30, 2022 and tested in several corporate environments before being finalized.

About GRF

Global Resilience Federation (GRF) is a non-profit hub and integrator for support, analysis, and cross-sector intelligence exchange among information sharing and analysis centers (ISACs), organizations (ISAOs), and computer emergency readiness/response teams (CERTs). GRF’s mission is to help assure the resilience of critical and essential infrastructure against threats that could significantly impact the orderly functioning of the global economy and general safety of the public. Learn about the GRF’s Business Resilience Council that is developing the Operational Resilience Framework: https://www.grf.org/brc. You may also visit @GRFederation on Twitter or Global Resilience Federation on LinkedIn.


Media inquiries may be directed to Patrick McGlone at pmcglone@grf.org

Social Media Profiles


Media inquiries may be directed to Patrick McGlone at pmcglone@grf.org