The Cybersecurity Maturity Model Certification (CMMC) is a US initiative led by the Office of the Assistant Secretary of Defense for Acquisition within the Department of Defense (DoD). It imposes requirements on DoD contractors and subcontractors to help safeguard information within the US Defense supply chain. This post is the second in a series where we analyse the CMMC and look at how you might achieve compliance or use it as the basis of your own information security programme. You can read the first post, which gives an overview of CMMC, here.
Let’s start by looking at why cyber security maturity models exist and how they help organisations orient their business processes (such as information security management) around a cycle of monitoring, assessment and continual improvement. This historical view of where maturity models originated matters for cyber security teams: understanding the basis of each maturity level, the rationale behind applying it to cybersecurity, and how it maps onto CMMC’s 17 domains helps you make better security decisions and gauge what needs to be done to progress from one level to the next.
Maturity models have been used in software engineering since as early as 1986. Originally, the Capability Maturity Model (CMM) was developed to assess U.S. Department of Defense contractors’ process maturity as a gauge of how likely they were to deliver a successful software project; the higher the maturity score, the better their processes and the higher the likelihood that they use established processes for the design, development, quality assurance (testing) and building of software.
The term maturity relates to specific aspects of the assessment, where the level of establishment and optimisation of each process can range from ad hoc to formally defined and optimised. Since this early CMM approach was aimed at improving software development processes, its applicability was somewhat limited, so in 2006, the Software Engineering Institute (SEI) at Carnegie Mellon University reworked it to create Capability Maturity Model Integration (CMMI), which has now superseded the original CMM framework.
Since then, capability maturity models have appeared in all sorts of disciplines, such as ICT infrastructure, service management, business process management, manufacturing, civil engineering and cybersecurity.
The Capability Maturity Model Integration (CMMI) framework is a process measurement and improvement meta-framework that helps organisations measure their processes’ effectiveness and identify how to improve them over time.
The U.S. Department of Defense funded and assisted in the development of CMMI, which was the precursor of the CMMC tool we are looking at in this blog series. CMMI is administered by the CMMI Institute, purchased in 2016 by ISACA.
CMMI is now used the world over, both in software engineering and in ICT service management. Organisations that supply government products or services are often asked to meet CMMI level 3 across their core delivery processes, a level of maturity that requires the use of formal methods of design, development, testing and delivery. CMMI has five maturity levels, with level 5 being the ideal target state where processes are fully optimised across the business and managed under a continuous process improvement regime.
The five maturity levels follow the original guidelines of CMM and are as follows:
Since cybersecurity has such a keen focus on business processes, it makes sense that a tailored CMMI framework for security maturity came along.
CMMI is flexible and applies to any business process, so tailoring the framework for information security management was an obvious step. One example of an adapted CMMI solution for cybersecurity is the CMMI Institute’s Cybermaturity Platform, a tool designed to measure your overall security maturity against the original model. Another model, tailored specifically to operational security, is the SOC-CMM, which adds one extra layer of maturity below the original “Initial” layer specified by CMMI. This covers the case where SOC processes have never been established, and is consequently assessed as “Non-existent.” A further refinement of SOC-CMM makes it a continuous maturity model, since most security processes should be continually assessed and improved against other standards anyway, such as ISO 27001.
As we’ve seen, the U.S. Department of Defense has taken a keen interest in process maturity, so it’s no surprise that it has released its own approach to cybersecurity maturity in the CMMC framework. CMMC also has five levels of certification that measure cyber process maturity, with each tier building on the previous one through specific technical requirements. Processes are split into 17 separate security domains, aligned very closely to the NIST Cybersecurity Framework (CSF), so CMMC can be used in concert with the CSF to design, deliver and run an optimised and continually improving security programme. The CMMC levels, like the CMMI levels, run from Initial through to Optimised, but the definition of each level is specific to cybersecurity, as follows:
As you can see from these levels, the continuum follows the same model as CMMI but is specifically tailored for cybersecurity. Assessors can now use CMMC to assess and accredit the U.S. Department of Defense’s supply chain. This is a powerful regime to establish, as it keeps the barrier to entry for smaller organisations relatively low: change and improvement is often easier to implement in smaller organisations than in larger ones with more complex structures and business requirements.
In this post, we’ve looked at the history behind the CMMC framework and why it’s important in cybersecurity that we adopt a model like this to ensure we continually improve our security posture. In future posts we will look at a selection of domains and follow the progression of maturity from the lowest to the highest level, providing context and examples of how you can fulfil the capabilities and practices.