The Cybersecurity Maturity Model Certification (CMMC) is a US initiative led by the Office of the Assistant Secretary of Defense for Acquisition within the Department of Defense (DoD). It imposes requirements on DoD contractors and subcontractors to help safeguard information within the US Defense supply chain. This post is the second in a series in which we analyse the CMMC and look at how you might achieve compliance, or use it as the basis of your own information security programme. You can read the first post, which gives an overview of CMMC, here.
Let’s start by looking at why cyber security maturity models exist and how they help organisations orient their business processes (such as information security management) around a cycle of monitoring, assessment and continual improvement. This historical view of where maturity models originated matters for cyber security teams: understanding the basis of each maturity level, and the rationale behind applying it to cybersecurity and to CMMC’s 17 domains, helps you make better security decisions and gauge what needs to be done to progress from one level to the next.
Maturity models have been used in software engineering since as early as 1986. Originally, the Capability Maturity Model (CMM) was developed to assess U.S. Department of Defense contractors’ process maturity, as a gauge of how likely they were to deliver a successful software project: the higher the maturity score, the better their processes and the more likely they were to use established processes for the design, development, quality assurance (testing) and building of software.
The term maturity refers to how well established and optimised each assessed process is, on a scale from ad hoc to formally defined and optimised. Since this early CMM approach was aimed at improving software development processes, its applicability was somewhat limited, so in 2006 the Software Engineering Institute (SEI) at Carnegie Mellon University reworked it to create Capability Maturity Model Integration (CMMI), which has now superseded the original CMM framework.
Since then, capability maturity models have appeared in all sorts of disciplines, such as ICT infrastructure, service management, business process management, manufacturing, civil engineering and cybersecurity.
The Capability Maturity Model Integration (CMMI) framework is a process measurement and improvement meta-framework that helps organisations measure their processes’ effectiveness and identify how to improve them over time.
The U.S. Department of Defense funded and assisted in the development of CMMI, which was the precursor of the CMMC tool we are looking at in this blog series. CMMI is administered by the CMMI Institute, purchased in 2016 by ISACA.
CMMI is now used the world over, both in software engineering and in ICT service management. Organisations that supply government products or services are often asked to meet CMMI level 3 across their core delivery processes, a level of maturity that requires the use of formal methods of design, development, testing and delivery. CMMI has five maturity levels, which follow the original guidelines of CMM; level 5 is the ideal target state, where processes are fully optimised across the business and managed under a continuous process improvement regime. These levels are as follows:
Since cybersecurity has such a keen focus on business processes, it makes sense that a tailored CMMI framework for security maturity came along.
CMMI is flexible and applies to any business process, so tailoring the framework for information security management was an obvious step. One example of a CMMI adaptation for cybersecurity is the CMMI Institute’s Cybermaturity Platform, a tool designed to measure your overall security maturity against the original model. Another model, tailored specifically to operational security, is the SOC-CMM, which adds one extra maturity layer below the original “Initial” layer specified by CMMI: where SOC processes have never been established at all, they are assessed as “Non-existent.” Further refinement of SOC-CMM makes it a continuous maturity model, which fits the expectation that most security processes should be continually assessed and improved against other standards anyway, such as ISO 27001.
As we’ve seen, the U.S. Department of Defense has taken a keen interest in process maturity, so it’s no surprise that it has released its own approach to cybersecurity maturity in the CMMC Framework. CMMC also has five levels of certification that measure cyber process maturity, with each tier building on the previous one and adding specific technical requirements. Processes are split into 17 separate security domains, aligned very closely to the NIST Cybersecurity Framework (CSF), so CMMC can be used in concert with the CSF to design, deliver and run an optimised and continually improving security programme. The CMMC levels, like the CMMI levels, run from Initial through to Optimised, but the definitions of each level are specific to cybersecurity, as follows:
As you can see from these levels, the continuum follows the same model as CMMI, but is specifically tailored for cybersecurity. Assessors can now use CMMC to assess and accredit the U.S. Department of Defense’s supply chain. This is a powerful regime to establish, because it keeps the barrier to entry for smaller organisations relatively low: change and improvement are often easier to implement in a smaller organisation than in a larger one with more complex structures and business requirements.
In this post, we’ve looked at the history behind the CMMC framework and why it’s important in cybersecurity that we adopt a model like this to ensure we continually improve our security posture. In future posts we will look at a selection of domains and follow the progression of maturity from the lowest to the highest level, providing context and examples of how you can fulfil the capabilities and practices.