Getting lost in the different requirements of the Cybersecurity Maturity Model Certification? Pull back the sheets and realize that much of what we mean by practices and processes revolves around doing business better.
You do practices in cybersecurity. Verbs. Controls. Compliance.
These practices require processes to stick. Your company needs solid policies, documentation, and plans to implement practices. Processes. Governance. Nouns.
With reflection through these processes comes security. Culture.
When a company has a plan to protect controlled unclassified information (CUI), hires the right people, provides the training, and provides the funding, sensitive data gets protected.
The practices in CMMC derive from controls of different security frameworks. 110 of the 171 practices in CMMC originate from the safeguarding requirements and security requirements specified in FAR Clause 52.204-21 and DFARS Clause 252.204-7012. Level 1 is equivalent to all of the safeguarding requirements from FAR Clause 52.204-21. Level 3, building on Levels 1 and 2, includes all of the security requirements in NIST SP 800-171 plus twenty additional practices commonly called the Delta 20 (the Greek letter Delta, a triangle, means change).
Basically, Cybersecurity Maturity Model Certification provides an avenue for third-party attestation of NIST SP 800-171, twenty additional practices, and also measurement of process institutionalization. That last part is the process component of a CMMC assessment.
Process institutionalization, or the set of repeated practices and processes that lead to stable hygiene within an organization, leads to better business practice. By focusing on institutionalizing the practices and processes of CMMC, a company gains stability in times of stress and consistency of results over time.
Any company that does business in the Defense Contracting space should have a measure of its process maturity.
What is Maturity Measurement?
Maturity models measure growth through a series of benchmark measures. Think of CMMC like the 60-inch height sign on a roller coaster. You need to reach a certain level of maturity to go for a ride. CMMC benchmarks your processes, practices, and methods and sets goals and priorities for improvement.
CMMC requires measurement of maturity. The assessments do not act as a growth measure or maturation assessment. Instead you need to show compliance on every objective of every practice and process.
What is Process Measurement?
Processes build culture. As a company you engage in specific procedural activities. CMMC has identified, using research from the SEI and Carnegie Mellon from the last 35 years, specific maturation processes that allow cultures of cyber hygiene to thrive. These processes have five levels within CMMC.
You must meet the objectives of each of the processes at the level of certification.
An Overview of CMMC Process Maturity
The CMMC defines five levels of process maturity. Each level acts as a gateway benchmark assessment. You must demonstrate all Level 1 and Level 2 processes as well as Level 3 for compliance. Five processes get measured across CMMC: two processes at Level 2 and one additional process at each level from three to five.
- Level 1 requires that an organization performs the specified practices. You do not need to document any policy at Level 1 for compliance, although meeting the security requirements of Level 1 will be easier with well-written policy. Process maturity is not assessed for Level 1.
- Level 2 requires that an organization create a plan and the policies to document the practices and processes required of CMMC. Policy, policy, policy.
- Level 3 requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation. You need to say who does what and how much you spend doing it: missions, goals, project plans, resourcing, required training, and stakeholders.
- Level 4 requires an organization to test how well things go in the implementation of the plan.
- Level 5 requires an organization to use continuous monitoring and improvement cycles.
History of Process Maturity Measurement
The process maturity assessment included in CMMC has a long history. The Software Engineering Institute began development in 1986 and released the Capability Maturity Model for Software, or CMM, in 1991. The model gets used in both the Capability Maturity Model Integration (CMMI) and the CERT Resilience Management Model, or CERT-RMM.
Cybersecurity takes culture, and process measurement seeks to improve cybersecurity by shifting perspectives within an organization seeking certification. Companies must measure and understand the process, not just use a checklist of technical practices.
CERT-RMM and the CMMC both measure practices and the institutionalization of these controls through process maturity assessment. In the CMMC an assessor will look for three types of processes: policy, practices, and plans, commonly referred to as 99, 98, and 97 in the CMMC Assessment Guide.
Three Types of Processes
99 Establish a policy
Above you see the assessment objectives for the Awareness and Training domain. These objectives require establishing a policy process, and below you see the same assessment objectives for the Access Control domain. What do you notice?
98 Document the CMMC practices to implement
The 99s require you to have policy. The 98s require a plan to make the policy come to life.
Above you see the assessment objectives for the Awareness and Training domain. The 98s require you to document how you implement your policies. Below you see the same assessment objectives for the Access Control domain. What do you notice?
The 98s represent most of the practices in your SSP. However, you do not want to include the line, “See the SSP.” That line means an assessor needs to hunt, pick, and infer. Three sure ways to fail an assessment.
97 Establish, maintain, and resource a plan
If the 98s describe your procedures for documenting CMMC practices, the 97s describe how you pay qualified people to get the job done.
Above you see the assessment objectives for the Awareness and Training domain. The 97s require you to budget and staff your plan. Below you see the same assessment objectives for the Access Control domain. What do you notice?
Across the 99s, 98s, and 97s we notice that the assessment objectives do not change. So you can come up with a template to make process assessment easier. You will not write 17 mission statements with goals and objectives. Much of the observable evidence will get used over and over. As an Organization Seeking Certification you need to draw an explicit link between your observable evidence and the assessment objectives.
Where does Observable Evidence Live?
Before you think about process institutionalization, take inventory of where your policy and procedures already live. You can find this in both policy and day-to-day operation. Begin this effort by taking inventory of policies you already have at your company:
- Employee Handbooks
- Employee Agreements
- HR Onboarding, Screening, and Termination
- Org Chart
- System Security Plan
- Threat Diagram
- Job Descriptions with Separation of Duty
- Nondisclosure agreements
- Vendor agreements
- Floor plan
- Visitor Guide
- Visitor logs
- Inventory Policy
- Awareness and Training Policy
- Project Scoping Policy
- Business Continuation Plan
- Disaster Recovery Plan
- Acceptable Use Policy
- Clean Desk Policy
- Password/MFA Policy
- Remote Workstation Policy
- Acceptable Encryption Policy
- Account Management Policy
- Audit Policy
- Configuration Management Policy
- Email Policy (don’t do dumb footers)
- Federal Contract Information Policy
- Controlled Unclassified Information Policy
- Penetration Testing Policy
- Software Installation Policy
- Workstation Security Policy
Before you even begin to document your institutionalization, you need to inventory your existing policy. If you have glaring holes, start to write the policy, but also think about how daily operations can create observable evidence for process maturity assessment.
Think about the minutes of your weekly security stand-ups, the results of a SWOT analysis, the daily task checklist for network maintainers, or logs from your SIEM. All of these provide evidence of institutionalization.
Hacking the Text Structure
You will not make 17 different documents and write a different report for every 99, 98, and 97. You could, and an assessor will not mark you out of compliance, but you can also develop more efficient methods. Some OSCs, for example, combine the 98 and 97 observable evidence (OE) into one document. Others recommend creating a spreadsheet combining all of the process objectives.
At the minimum a spreadsheet should have the following columns:
- Explicit text from a policy. Do not just list the policy or page number; copy the text
- The domain
- The Process
- Policy Document title
You want to create an index that correlates the practices to the explicit text. For CMMC Level 3 you need procedures to implement 130 practices. An index like this increases your chances of passing an assessment and lowers your cost.
If you are using a wiki or a document rather than a spreadsheet, make the Assessment Objectives explicit headings. Then under each heading add the explicit text from a policy and where it can be documented. Do not just list the policy or page number. Copy the text.
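The index described above is easy to get wrong in the two ways the post warns about: a row that points at another document ("See the SSP") instead of quoting policy text, and a row with no text at all. The script below is an added example, not code from the original post or from any CMMC tool. It assumes the spreadsheet is exported as CSV with the post's columns (domain, process, policy document title, explicit text) plus an objective column, and it uses a constructed sample export with made-up policy wording; the "see"/"refer to" heuristic for pointer-only rows is an assumption of this example, not an assessment rule.

```python
"""Validate a CMMC process-evidence index (spreadsheet exported as CSV).

Added example, not part of the original post. It assumes a constructed
CSV with the four columns the post lists (domain, process, policy
document title, explicit policy text) plus an objective column so that
each row maps one assessment objective to the policy text that satisfies
it. Policy wording and the objective ids below are made up for illustration.
"""
import csv
import io
import re

# The three process objectives the post describes.
PROCESSES = {"99": "Establish a policy",
             "98": "Document the practices to implement",
             "97": "Establish, maintain, and resource a plan"}

# Constructed sample export: two domains named in the post, deliberately
# including the defects the post warns about ("See the SSP", empty text).
SAMPLE_CSV = """domain,process,objective,policy_document,explicit_text
Access Control,99,AC.99,Access Control Policy,"Access to systems that store CUI is limited to authorized users and devices."
Access Control,98,AC.98,System Security Plan,See the SSP.
Access Control,97,AC.97,Security Program Plan,"The IT manager owns access reviews; 40 hours per quarter are budgeted for them."
Awareness and Training,99,AT.99,Awareness and Training Policy,"All staff complete security awareness training within 30 days of hire and annually."
Awareness and Training,98,AT.98,Awareness and Training Policy,
"""

REQUIRED_COLUMNS = {"domain", "process", "objective", "policy_document", "explicit_text"}
# Heuristic (an assumption of this example): evidence that only points at
# another document instead of quoting it.
POINTER_ONLY = re.compile(r"^\s*(see|refer to)\b.*$", re.IGNORECASE)


def parse_index(csv_text):
    """Parse the export; raise if the minimum columns are missing."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = REQUIRED_COLUMNS - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"missing columns: {sorted(missing)}")
    return list(reader)


def find_defects(rows):
    """Return (objective, reason) for rows an assessor could not accept as-is."""
    defects = []
    for row in rows:
        text = (row["explicit_text"] or "").strip()
        if not text:
            defects.append((row["objective"], "no policy text quoted"))
        elif POINTER_ONLY.match(text):
            defects.append((row["objective"], "points to another document instead of quoting it"))
        if row["process"] not in PROCESSES:
            defects.append((row["objective"], f"unknown process {row['process']}"))
    return defects


def coverage(rows):
    """Map (domain, process) -> True only when a row with real quoted text exists."""
    domains = {row["domain"] for row in rows}
    bad = {obj for obj, _ in find_defects(rows)}
    covered = {(d, p): False for d in domains for p in PROCESSES}
    for row in rows:
        if row["objective"] not in bad and row["process"] in PROCESSES:
            covered[(row["domain"], row["process"])] = True
    return covered


def gaps(rows):
    """List (domain, process) pairs with no acceptable evidence, sorted."""
    return sorted(k for k, ok in coverage(rows).items() if not ok)


if __name__ == "__main__":
    rows = parse_index(SAMPLE_CSV)
    for obj, reason in find_defects(rows):
        print(f"DEFECT {obj}: {reason}")
    for domain, proc in gaps(rows):
        print(f"GAP {domain} / {proc} ({PROCESSES[proc]})")
```

Run against a real export, the defect list is the "hunt, pick, and infer" rows to rewrite before an assessment, and the gap list is the (domain, process) pairs that still have no quoted evidence at all.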
When documenting the budget requirements for the 97s, some people create a sanitized version without the PII of experts and the annual spend. You should also have an unsanitized copy that does not leave your premises and is made available for an assessor to view on site.
Overall focusing on process maturity will help your business succeed. Compliance and security matter but policies and governance rule.
Armond, A. (2020). Policy templates and tools for CMMC and 800-171. https://www.cmmcaudit.org/policy-templates-and-tools-for-cmmc-and-800-171
Carnegie Mellon University and The Johns Hopkins University Applied Physics Laboratory LLC. (2020). CMMC Assessment Guide Level 3. Version 1.0.1.