The Cybersecurity Maturity Model provides a way for organisations to assess their cyber security processes and capabilities with a focus on defending against Advanced Persistent Threat actors.
The Cybersecurity Maturity Model Certification (CMMC) was developed by Carnegie Mellon and Johns Hopkins at the request of the US Department of Defence and was launched in March 2020. Its primary aim is to provide a cybersecurity certification framework for the 300,000 defence contractors and suppliers who serve the US military. While this may not appear immediately relevant to UK and European businesses who do not work in that sector – the principles encapsulated in the CMMC provide a helpful way for Security Managers to think about their own in-house security programmes and could be useful when designing due diligence schemes to assess their own suppliers in order to secure their organisation’s supply chain from attacks.
Processes and Practices
The CMMC views cybersecurity through the lens of Processes and Practices or ‘what you do’ and ‘how you do it.’ The CMMC defines 5 levels of maturity ranging from Level 1 (we usually follow a process, but it’s not written down) through to Level 5 (fully documented, audited and actively managed KPI for each security related process).
The five levels of security practices progress by adding more security practices that need to be in place for each higher level. At Level 1 only 17 basic cybersecurity practices need to be in place while at level 5 a total of 171 practices need to be demonstrated.
To use the Access Control domain of the CMMC as a worked example, the types of practices that need to be in place at each level include (showing just one example from each):
|Level 1||Limit information system access to authorised users and processes or devices acting on behalf of authorised users|
|Level 2||Limit unsuccessful logon attempts|
|Level 3||Prevent non-privileged users from executing privileged functions (eg using SUDO) and capture the execution in audit logs|
|Level 4||Restrict remote network access based on local risk factors such as time/date, physical location and properties of the user and role (i.e. a zero trust approach)|
|Level 5||Identify and mitigate risk associated with unidentified wireless access points connected to the network|
The full list of all 171 aligned with their relevant maturity level are detailed in the CMMC documentation available here – including an option to download all the practices (controls) in a spreadsheet.
NCSC has a different approach
In the context of cyber security, maturity models can help to distinguish between organisations in which security is baked in and those in which it is merely bolted on.
The UK NCSC had a maturity model (the Information Assurance Maturity Model) but it was retired in 2018, a decade after it was first published. The risk with a maturity model is that it can become little more than a box ticking exercise or a tool used by different organisation to try and compare apples to oranges. As a result the NCSC considered the IAMM was having unintended consequences and not driving real improvements in cybersecurity as hoped. Now the NCSC instead promotes a toolbox approach and encourages firms to make informed decisions about what are the right processes and practices to implement in their unique context and situation.
That said, there are still cybersecurity models available off the shelf that can help firms. Cyber Essentials and Cyber Essentials Plus are two obvious examples in the UK, along with sector specific frameworks such as PCI-DSS which is focused on protecting card payment details. ISO 27001 has become the globally-recognised standard which organisations can use to audit and certify their Information Security Management System (ISMS).
How to assess your firms Cybersecurity Maturity
Taking a moment to review your own network’s cybersecurity maturity can help you identify weaknesses in your security and emerging risks that could impact your business. Whether you conduct some form of self-assessment or call in some independent external expertise, there are several places you can turn for help:
A good place to start, Cyber Essentials is the basic standard promoted by the NCSC and UK Government. That said, it’s not that basic and you do need to demonstrate that essential cyber-hygiene practices and policies are in place. This is a self-assessed standard, but you may need some help to understand and put in place the required practices if you have nothing in place currently. Cyber Essentials is a requirement for many UK public sector contracts.
Cyber Essentials Plus
Cyber Essentials Plus builds on the requirements of the Cyber Essentials certification and includes an active assessment that is conducted at your organisation’s premises. The Cyber Essentials Plus assessment requires that organisations already have Cyber Essentials certification and includes a number of specific tests: external vulnerability assessment, security patch audit, review of malware protection, and Web and Email based malware assessments.
NCSC Risk Management toolbox
The NCSC Risk Management guidance aims to end the ‘tick-box approach’ to risk management by providing resources to help firms inform and improve their decisions on how to manage cyber risk.
ISO 27001 Gap Analysis
The starting point of any organisations journey to implement the ISO standard for Information Management Systems is a Gap Analysis. A Gap Analysis provides a benchmark of your organisations policies and practices against the ISO 27001 standard and will highlight those areas were further work is needed in order to comply with the standard. Even if you have no intention of paying to have a certificate to hang on the wall, the gap analysis will provide a clear road map of actions that will drive your cyber security forward.
Use the 171 security practices (Excel/PDF) listed in the Cybersecurity Maturity Model appendices to inspire your own assessment. Pick the practices that address the risks that apply to your situation.