The CMMC is a new security model from the Department of Defense. It helps to define a modern approach to cybersecurity programs. A close inspection reveals some intriguing details, which are worth highlighting. So in case you missed it, here are two of them.
Control frameworks come first, followed by program frameworks. References to NIST SP 800-53 come last. What does this mean?
This is further proof that NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations is simply not a good fit for the private sector. And maybe it’s not so great for the federal government itself. It’s not that SP 800-53 has let us down, but rather the contrary. In a way we have let SP 800-53 down. Though we make use of it, nobody implements the whole thing well. Much like an encyclopedia, SP 800-53 is there for us to fill a gap or delve into a new topic. A pocket guide or practical approach to security, SP 800-53 is not. Its 205 controls explode into hundreds more with enhancements throughout the 400+ page document. It’s simply too big a whale for the pond.
What are the three most referenced frameworks?
#1 – NIST SP 800-171
The primary framework reference made by the CMMC is NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, a control framework, which is far more approachable. Dare we say, “Achievable?” It is much smaller by comparison, and designed with private sector entities in mind. And yes, it’s a reduced, tailored version of SP 800-53. Does it cover everything a robust cyber program should? No, but you have a much better chance of implementing and managing all of its controls well. If you get this in place, then you can worry about the rest. Plus, you only have to cover your Category 1 and 2 systems to be compliant.
#2 – Center for Internet Security (CIS) Top 20
The Center for Internet Security (CIS) Top 20 Controls is another control framework. At Secureside we are big fans of the work done by CIS. Its efforts focus on technical controls with only a hint of program-level processes. It’s an easy control set to interpret. It sets companies up for objective evaluation by measurement and tracking. For the more business-oriented person, conversations around the CIS Controls tend to go well because the control set is straightforward.
#3 – NIST Cybersecurity Framework (CSF)
The NIST CSF v1.1 is a program framework. What’s interesting is that the PROGRAM-level framework is #3 in line, with CONTROL frameworks in the #1 and #2 spots. What you should take away from this observation is that the CMMC relies heavily on key technical controls as the front-line defense, rather than relying on an organization to institute program-level controls (more on this later).
Robust processes are great to have, but without a strong set of technical controls, what good are such processes against cyber attacks?
Maturity Redefined as… “Institutionalization”? Yes, it just might work.
Someone may finally have pinned a worthy term to the maturity model concept, and that term is “process institutionalization.”
Oftentimes during cyber assessments I inquire about the “culture of security.” What I typically find is that there isn’t one, or not much of it. There’s some ticking security time bomb just waiting to go off. Companies tend to assign the onus of cyber protection to a select few people, usually the CISO, a security analyst, and a couple of IT engineers. Try as they might to develop and implement a program, it’s pretty difficult if most people don’t want to participate.
The secret to cyber success is for business leaders to communicate that ALL personnel bear responsibility for cybersecurity, and then lead by example. This creates the culture, or “institutionalizes” security as a pillar of good business practices, because protecting the business is inherently important. But before reaching highfalutin maturity levels, companies very much need to focus on the basics of cyber hygiene, which the CMMC addresses directly.
Maturity is both overused and misapplied.
The secret is that there is a growing stigma around the word “maturity” and the way it is thrown around. The problem is that very few people really know what maturity means in the context of security. The concept of maturity is often invoked to belittle the less-than-ideal cyber practices of companies. Maturity does not matter as much as being effective.
The larger an organization is, the more it needs maturity to avoid waste, keep its momentum, and self-regulate to stay healthy. But for the small and medium shops, what does Level 5 “optimizing” provide? What is the cost of reaching this apex? What is the benefit? It doesn’t make sense to shoot for the maturity moon. Companies must determine where on the scale they should be as a matter of balance and practicality.
The good news is that the CMMC has decoupled maturity from practice effectiveness. This makes a lot of sense. Now companies can measure themselves separately in each aspect. This allows for greater flexibility in where to invest resources. It also gives credit where credit is due.
Conclusion
In summary, we conclude that the CMMC emphasizes the importance of control effectiveness while redefining the measurement of program maturity to account for good cyber hygiene. Therefore, companies should consider using the CMMC to help track their progress and inform future efforts.