The CRE Cybersecurity Institute B Series is an independent certification program for commercial properties, with tiers from Bronze through Platinum. It is a structured assessment against defined CRE cyber controls that produces a certificate, a gap analysis, and a remediation roadmap your team can act on immediately.
The Four Tiers
Each tier builds on the one below it. Most organizations start at Bronze or Silver and work toward Gold over 12–24 months. Platinum is the benchmark for flagship assets in institutional portfolios.
Side by Side
What each tier includes, what it delivers, and who it's for.
| | Bronze-B | Silver-B | Gold-B | Platinum-B |
|---|---|---|---|---|
| Assessment & Process | | | | |
| Timeline to certificate | 3–4 wks | 6–8 wks | 10–14 wks | 16–20 wks |
| Technical verification component | — | ✓ | ✓ | ✓ |
| Adversarial / red team testing | — | — | — | ✓ |
| Controls Coverage | | | | |
| Network segmentation (IT/OT) | ✓ | ✓ | ✓ | ✓ |
| EDR on IT endpoints | — | ✓ | ✓ | ✓ |
| SIEM with OT log ingestion | — | ✓ | ✓ | ✓ |
| NDR on OT segments | — | — | ✓ | ✓ |
| NIST CSF 2.0 maturity documentation | — | — | ✓ | ✓ |
| Annual penetration test | — | ✓ | ✓ | ✓ |
| OT-aware IR tabletop exercise | — | — | ✓ | ✓ |
| Continuous OT monitoring | — | — | — | ✓ |
| Deliverables & Value | | | | |
| Certification letter + badge | ✓ | ✓ | ✓ | ✓ |
| Gap analysis + remediation roadmap | ✓ | ✓ | ✓ | ✓ |
| Board-ready NIST CSF maturity report | — | — | ✓ | ✓ |
| Insurance carrier submission package | — | — | ✓ Included | ✓ Included |
| Tenant disclosure documentation | — | ✓ Template | ✓ Full package | ✓ Full package |
| Carrier premium discount eligible | — | — | — | ✓ Eligible |
| Public portfolio badge display rights | — | — | — | ✓ Yes |
| Dedicated quarterly advisory support | — | — | — | ✓ Included |
Deliverables
Certification isn't the end; it's the benchmark. Every tier produces actionable outputs your team can put to work immediately.
A structured assessment of your building's current controls against the tier standard. Every gap is categorized by severity, mapped to a control domain, and linked to a remediation recommendation.
A signed certification letter for your property, a digital badge for tenant materials and marketing, and a listing in the CRE Cybersecurity Institute public building registry, verifiable by tenants, investors, and insurers.
A 12-month execution plan sequencing remediation items by risk priority and implementation complexity. Built for your team, not for a consultant to bill against. Quick wins in the first 30 days, strategic items across the year.
A board-ready maturity assessment mapped to all six NIST CSF 2.0 functions (Govern, Identify, Protect, Detect, Respond, Recover) with current-state scores, target-state recommendations, and a visual maturity heatmap.
Gold-B produces a documentation package structured to satisfy most cyber insurance underwriting questionnaires. Includes control evidence summaries, assessment findings, and a standardized security posture declaration signed by the assessor.
Silver and above produce templated tenant documentation, a one-page building security summary designed for RFP responses and lease addenda, and a full disclosure package for institutional tenants requiring documented security posture.
Assessment Process
30-minute call to confirm building scope, relevant systems, and documentation required for your tier.
Structured questionnaire covering all controls for your tier. You submit supporting documentation (network diagrams, policies, vendor contracts).
Assessor reviews documentation and, for Silver and above, conducts a technical verification. Platinum includes on-site or remote red team engagement.
Gap analysis, remediation roadmap, and all tier deliverables delivered. Certificate and digital badge issued. Building listed in public registry.
Why Organizations Certify
Cyber insurers are increasing CRE premiums in response to OT/BAS incidents. Gold-B and Platinum-B documentation satisfies most underwriting questionnaires and signals a mature posture at renewal. Early carrier conversations have been strongly positive on premium impact.
Law firms, financial services companies, technology tenants, and government contractors increasingly include cybersecurity requirements in RFPs and lease addenda. A B Series certification letter is a concise, third-party-verified answer, faster to produce and more credible than an internal security summary.
Institutional investors and lenders are beginning to ask about cyber risk as part of property due diligence. A building certification provides a structured, repeatable answer, and demonstrates that cyber risk is managed proactively rather than reactively after an incident.
Most CRE organizations don't know exactly where their building security gaps are, or how to prioritize fixing them. The assessment process itself produces the gap analysis and remediation roadmap that most internal teams lack the framework to build independently. The certificate is the output; the roadmap is the value.
Who Certifies
Publicly traded REITs and institutional portfolio owners certifying flagship assets for investor and board reporting. Typically Gold-B or Platinum-B for top assets.
Private CRE firms and third-party managers certifying individual properties to differentiate with institutional tenants, satisfy lease requirements, and leverage at insurance renewal.
Single-asset or small portfolio owners who want a structured assessment of their building's cyber posture and a clear remediation plan, without needing to build an internal security program from scratch.
Annual Renewal
Building certifications renew annually via a controls verification review, not a full re-assessment. Lower ongoing cost once the foundational work is done.
Common Questions
Bronze and Silver begin with a structured questionnaire covering all required controls, followed by document review (network diagrams, policies, vendor contracts, patch reports). Bronze concludes with a 90-minute verification call. Silver adds a technical verification component, typically a network architecture review and configuration sample check. Gold and Platinum include additional technical verification; Platinum includes adversarial red team testing with OT/BAS systems in scope.
Bronze and Silver assessments are fully remote: questionnaire, document review, and verification call via video. Gold can be conducted remotely for most components with a remote technical review. Platinum typically includes at least one on-site visit for physical systems review and red team scoping, though the engagement is largely remote-capable.
Most buildings don't pass on first assessment; that's expected. The assessment produces a gap analysis identifying what's missing. You have 90 days to remediate and resubmit documentation before the assessment fee is forfeited. If significant gaps exist, we'll recommend a lower tier as an interim certification while you work toward the target tier. Many buildings start at Bronze-B and advance to Silver-B within 12 months.
Yes. Legacy OT systems, including Windows XP endpoints running BAS controllers, are common in the CRE environment and are explicitly part of the assessment framework. Controls like network segmentation, compensating controls, and monitoring are designed to address legacy systems that can't be patched. Bronze-B is specifically designed to be achievable without requiring OT hardware replacement.
Physical access control systems (Lenel, Software House, etc.) and IP-connected surveillance systems (Avigilon, Milestone, Genetec) are included in Silver-B and above. They're treated as OT infrastructure, assessed for network exposure, credential hygiene, and patch status. Platinum-B includes physical security systems in the red team scope.
We are actively working with cyber insurance carriers on a formal premium discount program for Gold-B and Platinum-B buildings. The Gold-B documentation package satisfies most carrier underwriting questionnaires and has been well-received in early carrier conversations. Until the formal program is established, the documentation package provides strong evidence for negotiations at renewal; several organizations have used it successfully to justify premium reductions.
Yes. All certified buildings are listed in the CRE Cybersecurity Institute public building registry, verifiable by certificate number. Tenants can confirm tier, certificate date, and renewal status. The registry is designed to be referenced in RFP responses and lease addenda.
Annual renewal is a controls verification review, not a full reassessment; it confirms that controls remain in place and documentation is current. A full reassessment is triggered when: (1) you're pursuing a higher tier, (2) a material change occurs to the building's IT/OT environment (major system replacement, significant network redesign), or (3) a material cybersecurity incident affects the certified building.
Start with Bronze-B, the fastest path to a structured gap analysis and a certified building. Most organizations are assessment-ready within two weeks of kickoff.
Questions? Email credentialing@cre-ci.com; we respond within one business day.