Understanding cyber security maturity models
The Cybersecurity Maturity Model Certification (CMMC) is a US initiative led by the Office of the Assistant Secretary of Defense for Acquisition within the Department of Defense (DoD). It imposes requirements on DoD contractors and subcontractors to help safeguard information within the US Defense supply chain. This post is the second in a series where we analyse the CMMC and look at how you might achieve compliance or use it as the basis of your own information security programme. You can read the first post, which gives an overview of CMMC, here.
Let’s start by looking at why cyber security maturity models exist and how they help organisations orient their business processes (such as information security management) around a cycle of monitoring, assessment and continual improvement. This historical view of where maturity models originated matters for cyber security teams: understanding the basis of each maturity level, the rationale behind applying it to cybersecurity, and CMMC’s 17 specific domains helps you make better security decisions and gauge what needs to be done to progress between levels.
What are maturity models?
Maturity models have been used in software engineering since as early as 1986. Originally, the Capability Maturity Model (CMM) was developed to assess U.S. Department of Defense contractors’ process maturity, as a gauge of how likely they were to deliver a successful software project: the higher the maturity score, the better their processes and the more likely they were to use established processes for the design, development, quality assurance (testing) and building of software.
The term maturity relates to specific aspects of the assessment, where the level of establishment and optimisation of each process can range from ad hoc to formally defined and optimised. Since this early CMM approach was aimed at improving software development processes, its applicability was somewhat limited, so in 2006, the Software Engineering Institute (SEI) at Carnegie Mellon University reworked it to create Capability Maturity Model Integration (CMMI), which has now superseded the original CMM framework.
Since then, capability maturity models have appeared in all sorts of disciplines, such as ICT infrastructure, service management, business process management, manufacturing, civil engineering and cybersecurity.
The Capability Maturity Model Integration (CMMI) framework is a process measurement and improvement meta-framework that helps organisations measure their processes’ effectiveness and identify how to improve them over time.
The U.S. Department of Defense funded and assisted in the development of CMMI, which was the precursor of the CMMC tool we are looking at in this blog series. CMMI is administered by the CMMI Institute, purchased in 2016 by ISACA.
CMMI is now used the world over, both in software engineering and in ICT service management. Organisations who supply government products or services are often asked to meet CMMI level 3 across their core delivery processes, a level of maturity that requires the use of formal methods of design, development, testing and delivery. CMMI has five maturity levels, with level 5 being the ideal target state where processes are fully optimised across the business and managed under a continuous process improvement regime.
These five levels follow the original guidelines of CMM and are as follows:
- Initial: Processes are somewhat ad hoc and undefined aside from localised documentation.
- Managed: Processes are managed in accordance with agreed metrics, but there is no focus on assessing efficacy or gathering feedback; processes are followed, but there is no notion of whether they succeed, and they are not consistent across the business.
- Defined: Processes are well-defined and acknowledged as standard business processes, and are broken down into more detailed procedures, work instructions and registers (artefacts) used to record process outputs.
- Quantitatively managed: Metrics are gathered from each process and fed back to a process governance committee who analyse and report on process efficacy.
- Optimizing: Process management includes a focus on disciplined optimisation and continual process improvement, and a full team of business analysts measure and assess every aspect of the business for possible issues and improvement opportunities.
Since cybersecurity has such a keen focus on business processes, it makes sense that a tailored CMMI framework for security maturity came along.
Cybersecurity Maturity Models
CMMI is flexible and applies to any business process, so tailoring the framework for information security management was an obvious step. One example of an adapted CMMI solution for cybersecurity is the CMMI Institute’s Cybermaturity Platform, a tool designed to measure your overall security maturity against the original model. Another model, tailored specifically to operational security, is the SOC-CMM, which adds one extra layer of maturity below the original “Initial” layer specified by CMMI: the case where SOC processes have never been established, which is consequently assessed as “Non-existent.” Further refinement of SOC-CMM makes it a continuous maturity model, since most security processes should be continually assessed and improved against other standards anyway, such as ISO 27001.
As we’ve seen, the U.S. Department of Defense has taken a keen interest in process maturity, so it’s no surprise they have released their own approach to cybersecurity maturity in the CMMC framework. CMMC also has five levels of certification that measure cyber process maturity, with each tier building on the previous one through specific technical requirements. Processes are split into 17 separate security domains, aligned very closely to the NIST Cybersecurity Framework (CSF), so CMMC can be used in concert with the CSF to design, deliver and run an optimised and continually improving security programme. The CMMC levels, like the CMMI levels, run from Initial through to Optimised, but the definition of each level is specific to cybersecurity, as follows:
- Level 1: Perform basic cyber hygiene practices, such as using antivirus software and ensuring employees change passwords regularly.
- Level 2: Document certain “intermediate cyber hygiene” practices to start protecting Controlled Unclassified Information (CUI) through the implementation of U.S. Department of Commerce National Institute of Standards and Technology’s Special Publication 800-171 Revision 1 (NIST 800-171 r1) security requirements.
- Level 3: Institutionalised management plan to implement good cyber hygiene practices to safeguard CUI, including all the NIST 800-171 r1 security requirements and additional standards.
- Level 4: Implemented processes for reviewing and measuring the effectiveness of practices as well as established additional enhanced practices that detect and respond to changing tactics, techniques, and procedures of Advanced Persistent Threats (APTs).
- Level 5: Standardised and optimised processes and additional enhanced practices that provide sophisticated capabilities to detect and respond to APTs.
As you can see from these levels, the continuum follows the same model as CMMI, but is specifically tailored for cybersecurity. Assessors can now use CMMC to assess and accredit the U.S. Department of Defense’s supply chain. This is a powerful regime to establish, as it keeps the barrier to entry for smaller organisations relatively low: change and improvement in smaller organisations is often easier to implement than in larger organisations with more complex structures and business requirements.
Next steps – looking at CMMC domains
In this post, we’ve looked at the history behind the CMMC framework and why it’s important in cybersecurity to adopt a model like this to ensure we continually improve our security posture. In future posts we will look at a selection of domains and follow the progression of maturity from the lowest to the highest level, providing context and examples of how you can fulfil the capabilities and practices.