The Principles-based Assessment for Cybersecurity Toolkit (PACT)

The Principles-based Assessment for Cybersecurity Toolkit (PACT) is a tool for assessing the toughest cybersecurity problems. CACR chief policy analysts developed the tool in collaboration with NSWC Crane. As a naval installation, Crane uses technologies that many would consider atypical and that require custom cybersecurity solutions. PACT gives cybersecurity professionals guidance for efficiently developing custom cybersecurity solutions for unusual environments, including the naval environment and operational technologies like control systems.

Apply for an Opportunity to Participate in an Innovative Cybersecurity Assessment

The Indiana University Center for Applied Cybersecurity Research (CACR), in collaboration with the US Navy, is accepting applications to participate in a high-profile cybersecurity assessment free of charge. The application period closes on 01 December 2018.

The selected applicant will receive a rigorous cybersecurity assessment conducted by distinguished experts in the field. The selected applicant will also receive tailored, actionable guidance on steps they can take to improve their cybersecurity posture. Finally, the applicant will be contributing to the advancement of our national defense by helping refine a new assessment methodology. Detailed assessment planning and execution will be conducted over a 6-month period, beginning in Q1 2019.

Important Dates:

  • 15 OCT 2018: Begin accepting applications
  • 01 DEC 2018: Application deadline
  • 11 JAN 2019: Applicants notified of decision
  • JAN 2019: Kick-off assessment planning
  • MAR 2019: Kick-off assessment execution

Assessment Overview

The assessment methodology is PACT: the Principles-based Assessment for Cybersecurity Toolkit. PACT was developed through a collaboration between CACR and Naval Surface Warfare Center Crane Division, and systematizes the art of cybersecurity assessment. PACT supports a standardized process for utilizing a team of cybersecurity subject matter experts to provide prioritized, actionable cybersecurity recommendations based on first principles. PACT does so by structuring the core assessment around the Information Security Practice Principles (ISPPs), a product of CACR, allowing for the assessment to be conducted on any assessment target, at any point in its lifecycle. (For more on the Principles, see .) PACT benefits from lessons learned by the investigators in their experiences conducting assessments for Trusted CI, the NSF Cybersecurity Center of Excellence ( ).

NOTE: PACT is both life-cycle neutral and subject-matter neutral, and therefore can be conducted on any organization, platform, or system, at any phase in its development, from early design and conceptual phases to late-stage operations.

Selection Criteria:

PACT was developed for use in environments that rely on unconventional IT infrastructure. The applicant selection process considers a number of factors, including the presence of any of the following: distributed systems, ICS/SCADA systems, hard real-time operating systems, sensor networks, communications systems, maritime platforms, air platforms, space platforms, autonomous platforms, and operationalized artificial intelligence technology (e.g., machine learning).

NOTE: After the applicant is selected, the applicant and CACR will coordinate to finalize the more fine-grained details of the assessment (e.g., timeline, information management, POCs, and team membership).


If you have questions regarding the PACT assessment, the application process, or the status of your application, please contact Craig Jackson, Program Director, IU CACR ( ).

To Apply

Please complete the templated application form and return to & by 01 Dec 2018. Please contact us if you wish to make application delivery arrangements via a more secure medium than unencrypted email.