This episode of “Coffee Thoughts With Tom” ponders the question “CMMC was never a ‘real maturity model,’ so what would a NIST SP 800-171 Capability Maturity Model (CMM) look like?” It builds off a previous article about how the Cybersecurity Maturity Model Certification (CMMC) was never really a Capability Maturity Model (CMM), beyond having “maturity model” embedded within its name [note - that article is well worth the read if you have time to get good background information on maturity models].
Why Should You Care About Maturity?
The simple answer is to help eliminate, or at least minimize, the Fear, Uncertainty & Doubt (FUD) in your organization’s cybersecurity program. Maturity targets and current state assessments can be used to:
When you start working through maturity considerations, please keep in mind that with CMMC the DoD prescribes the baseline controls as a means to manage the DoD’s risks, not necessarily your business’ risks! No Organization Seeking Certification (OSC) should seriously consider itself “secure” by meeting just the CMMC Level 1 or Level 2 controls. One reason is that CMMC only addresses the DoD’s risk management for the Confidentiality and Integrity of regulated data (FCI/CUI) and, for the most part, ignores Availability (your ability to stay in business). The other reason is that most OSCs also have other requirements to contend with, ranging from ITAR to PCI DSS to state and international data protection laws.
CMMC / NIST SP 800-171 should be viewed as a threshold for establishing the “must have” security practices that a modern business should align with, since it is on its way to becoming a global “gold standard” for identifying the threshold below which business practices would be considered negligent.

Leverage An Existing Maturity Model
The concept of managing cybersecurity and data protection controls based on maturity expectations is a worthwhile topic, so I decided to demonstrate how a “NIST SP 800-171 Maturity Model” could look that leverages existing maturity model constructs. In general, a maturity model is meant to accomplish a few things, beyond just sounding cool:
Since NIST SP 800-171/CMMC are not focused on evolving capabilities, there is no defined “sweet spot” for Organizations Seeking Certification (OSC) to work towards for their level of process maturity. The reason for this is that CMMC levels are dictated to the OSC according to:
For this example, I am going to use the Cybersecurity & Data Privacy Capability Maturity Model (C|P-CMM), a free resource of the Secure Controls Framework (SCF) that was originally published as the Security & Privacy Capability Maturity Model (SP-CMM); this article uses the SP-CMM name throughout. The SP-CMM is meant to solve the problem of objectivity in both establishing and evaluating cybersecurity and privacy controls. There are three main objectives for the SP-CMM, and these support using it for NIST SP 800-171/CMMC:
The SP-CMM leverages the framework established by the Systems Security Engineering Capability Maturity Model (SSE-CMM), which describes a CMM as “a framework for evolving an engineering organization from an ad hoc, less organized, less effective state to a highly structured and highly effective state. Use of such a model is a means for organizations to bring their practices under statistical process control in order to increase their process capability.” The six levels of maturity (0 through 5) that the SP-CMM inherits from the SSE-CMM should not be construed as having anything to do with the five CMMC v1.0 “maturity levels,” since they are entirely different animals.
The six SP-CMM levels are:

Note: If this concept of using the SP-CMM interests you, please make a cup of coffee and read the C|P-CMM overview document, since that will provide a lot of background information on how to use it efficiently and keeps me from having to retype a lot of words that already exist in that document.
Getting Started: Identify Your Organization’s “Sweet Spot” For CMMC/NIST SP 800-171
When you look at the various maturity models used across industries, it is possible to identify a “sweet spot” that is unique to each organization’s risk appetite and budget. That sweet spot is made up of four different considerations:
For most organizations, the “sweet spot” for maturity targets is between SP-CMM 2 and SP-CMM 4. What defines the ideal target within this zone is generally based on resource limitations and other business constraints, so it goes beyond the cybersecurity and privacy teams dictating targets. Identifying maturity targets is meant to be a team effort between technologists and business stakeholders. From a business perspective, the increase in cost and complexity will always require cybersecurity and privacy leadership to provide a compelling business case for any maturity planning needs. Speaking in terms the business can understand is vitally important.

Fun Fact: During the development of the SP-CMM, a contributor identified an interesting insight that SP-CMM 0-3 are “internal” maturity levels for cybersecurity and privacy teams, whereas SP-CMM 4-5 are “external” maturity levels that expand beyond those teams. When you look at the stakeholders involved in SP-CMM 0-3, it is almost entirely IT, cybersecurity and privacy. It isn’t until SP-CMM 4-5 where there is true business stakeholder involvement in oversight and process improvement. This creates an internal to external shift in owning the cybersecurity & privacy program.
There are two ways to approach assigning maturity levels by assigning a maturity target at the:
Both NIST SP 800-171 and CMMC 2.0 break their controls down into the same 14 domains/families, so the easiest way to start is to identify what level of maturity is appropriate at the domain level:
What About Non-Federal Organization (NFO) Controls?
You should also evaluate the maturity of your NFO controls. If you are not sure what NFO controls are, please make another pot of coffee and read all about them on this website, which is dedicated to demystifying NFO controls.
SP-CMM Levels
Here is an overview of what defines the criteria associated with the SP-CMM levels:
SP-CMM 0
This level of maturity is defined as “non-existent practices,” where the control is not being performed.
SP-CMM 0 practices, or rather the lack of them, are generally considered negligent. The reason is that if a control is reasonably expected to exist, not performing it would be negligent behavior. The need for the control could be due to a law, regulation or contractual obligation (e.g., a client contract or an industry association requirement).
SP-CMM 1
This level of maturity is defined as “ad hoc practices,” where the control is being performed, but lacks completeness and consistency.
SP-CMM 1 practices are also generally considered negligent. The reason is that if a control is reasonably expected to exist, performing it only through ad hoc practices could be considered negligent behavior. The need for the control could be due to a law, regulation or contractual obligation (e.g., a client contract or an industry association requirement).
Note - The reality with a SP-CMM 1 level of maturity is often:
SP-CMM 2
This level of maturity is defined as “requirements-driven practices,” where the expectations for controls are known (e.g., statutory, regulatory or contractual compliance obligations) and practices are tailored to meet those specific requirements.
SP-CMM 2 practices are generally considered “audit ready,” with an acceptable level of evidence to demonstrate due diligence and due care in the execution of the control. SP-CMM 2 practices are generally targeted at the specific systems, networks, applications or processes that require the control to be performed for a compliance need (e.g., PCI DSS, HIPAA, NIST SP 800-171, etc.).
It can be argued that SP-CMM 2 practices focus more on compliance than on security, because their scope is narrowly focused rather than organization-wide.
Note - The reality with a SP-CMM 2 level of maturity is often:
SP-CMM 3
This level of maturity is defined as “enterprise-wide standardization,” where the practices are well-defined and standardized across the organization.
SP-CMM 3 practices are generally considered “audit ready,” with an acceptable level of evidence to demonstrate due diligence and due care in the execution of the control. Unlike SP-CMM 2 practices, which are narrowly focused, SP-CMM 3 practices are standardized across the organization.
It can be argued that SP-CMM 3 practices focus on security over compliance, with compliance a natural byproduct of those secure practices. These are well-defined and properly-scoped practices that span the organization, regardless of department or geography.
Note - The reality with a SP-CMM 3 level of maturity is often:
SP-CMM 4
This level of maturity is defined as “metrics-driven practices,” where, in addition to the practices being well-defined and standardized across the organization, there are detailed metrics to enable governance oversight.
SP-CMM 4 practices are generally considered “audit ready,” with an acceptable level of evidence to demonstrate due diligence and due care in the execution of the control, as well as detailed metrics that enable an objective oversight function. Metrics may be collected daily, weekly, monthly, quarterly, etc.
Note - The reality with a SP-CMM 4 level of maturity is often:
SP-CMM 5
This level of maturity is defined as “world-class practices,” where the practices are well-defined and standardized across the organization and supported by detailed metrics, and the process itself is continuously improving.
SP-CMM 5 practices are generally considered “audit ready,” with an acceptable level of evidence to demonstrate due diligence and due care in the execution of the control, and they incorporate a capability to continuously improve the process. Interestingly, this is where Artificial Intelligence (AI) and Machine Learning (ML) would fit, since AI/ML could be used to evaluate performance and make continuous adjustments to improve the process. However, AI/ML are not requirements for SP-CMM 5.
Note - The reality with a SP-CMM 5 level of maturity is often:
In Summary
You can create your own useful spider charts for current vs. targeted maturity by modifying cells D & E on the “Control Maturity Worksheet” that is provided as a free resource (hosted for download by the CMMC Center of Awesomeness).
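As an added example that is not part of the original article or the CMMC-COA worksheet, the following Python models the same current-vs-target exercise for the 14 families: it rejects a partial or out-of-range assessment, orders families for remediation (negligent SP-CMM 0/1 families first, then by size of gap), reports the share of families at an audit-ready level, and emits the polar points for a spider chart (drawn only if matplotlib happens to be installed). The family names are those of NIST SP 800-171 Rev 2; the current and target levels are constructed sample values, not any real organization’s assessment.

```python
# Current-vs-target SP-CMM maturity gap analysis across the 14 NIST SP 800-171
# control families. Constructed example; not the CMMC-COA worksheet.
from dataclasses import dataclass
import math

# SP-CMM levels as summarized in the article (0 through 5).
SP_CMM_LEVELS = {
    0: "Non-existent practices",
    1: "Ad hoc practices",
    2: "Requirements-driven practices",
    3: "Enterprise-wide standardization",
    4: "Metrics-driven practices",
    5: "World-class practices",
}

# The 14 control families of NIST SP 800-171 Rev 2 (the CMMC 2.0 domains).
FAMILIES = [
    "Access Control", "Awareness and Training", "Audit and Accountability",
    "Configuration Management", "Identification and Authentication",
    "Incident Response", "Maintenance", "Media Protection",
    "Personnel Security", "Physical Protection", "Risk Assessment",
    "Security Assessment", "System and Communications Protection",
    "System and Information Integrity",
]

# Constructed sample levels for a fictional OSC; replace with your own assessment.
SAMPLE_CURRENT = {
    "Access Control": 2, "Awareness and Training": 1,
    "Audit and Accountability": 2, "Configuration Management": 3,
    "Identification and Authentication": 2, "Incident Response": 1,
    "Maintenance": 2, "Media Protection": 2, "Personnel Security": 2,
    "Physical Protection": 3, "Risk Assessment": 0, "Security Assessment": 1,
    "System and Communications Protection": 2,
    "System and Information Integrity": 2,
}
SAMPLE_TARGET = {
    **{f: 3 for f in FAMILIES},                                   # default: enterprise-wide
    "Access Control": 4, "Identification and Authentication": 4,  # metrics-driven
    "Maintenance": 2, "Media Protection": 2, "Personnel Security": 2,  # requirements-driven
}


@dataclass(frozen=True)
class FamilyGap:
    family: str
    current: int
    target: int

    @property
    def gap(self) -> int:
        """Levels still to climb; exceeding the target counts as no gap."""
        return max(self.target - self.current, 0)

    @property
    def negligent(self) -> bool:
        """Article: SP-CMM 0 and 1 are generally considered negligent."""
        return self.current <= 1

    @property
    def audit_ready(self) -> bool:
        """Article: SP-CMM 2 and above are generally 'audit ready'."""
        return self.current >= 2


def validate_level(level) -> int:
    if not isinstance(level, int) or level not in SP_CMM_LEVELS:
        raise ValueError(f"SP-CMM level must be an integer 0-5, got {level!r}")
    return level


def assess(current: dict, target: dict) -> list:
    """One FamilyGap per family; a partial assessment is an error, not a zero."""
    missing = [f for f in FAMILIES if f not in current or f not in target]
    if missing:
        raise ValueError(f"no current/target level for: {missing}")
    return [FamilyGap(f, validate_level(current[f]), validate_level(target[f]))
            for f in FAMILIES]


def remediation_order(gaps: list) -> list:
    """Families below target: negligent ones first, then largest gap, then name."""
    return sorted((g for g in gaps if g.gap > 0),
                  key=lambda g: (not g.negligent, -g.gap, g.family))


def audit_ready_ratio(gaps: list) -> float:
    return sum(g.audit_ready for g in gaps) / len(gaps)


def radar_points(gaps: list, which: str) -> list:
    """(angle in radians, level) pairs for a spider chart; the first point is
    repeated at the end so the polygon closes."""
    n = len(gaps)
    pts = [(2 * math.pi * i / n, getattr(g, which)) for i, g in enumerate(gaps)]
    return pts + [pts[0]]


if __name__ == "__main__":
    gaps = assess(SAMPLE_CURRENT, SAMPLE_TARGET)
    print(f"{'Family':<38}{'Now':>4}{'Target':>8}{'Gap':>5}  Flag")
    for g in remediation_order(gaps):
        print(f"{g.family:<38}{g.current:>4}{g.target:>8}{g.gap:>5}  "
              f"{'NEGLIGENT' if g.negligent else ''}")
    print(f"audit-ready families: {audit_ready_ratio(gaps):.0%}")
    try:  # optional spider chart, only when matplotlib is installed
        import matplotlib.pyplot as plt
        ax = plt.subplot(projection="polar")
        for which in ("current", "target"):
            angles, levels = zip(*radar_points(gaps, which))
            ax.plot(angles, levels, label=which)
        ax.set_xticks([a for a, _ in radar_points(gaps, "current")[:-1]])
        ax.set_xticklabels(FAMILIES, fontsize=6)
        ax.set_ylim(0, 5)
        ax.legend()
        plt.savefig("maturity_radar.png")
    except ImportError:
        pass
```

The ordering deliberately puts SP-CMM 0/1 families ahead of larger gaps elsewhere, mirroring the article’s point that an ad hoc or missing control is a negligence problem before it is a maturity problem; swap the sort key if your risk appetite says otherwise.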