Cybersecurity Maturity Model Certification (CMMC) Part 2: Process Maturity's Role in Cybersecurity
Katie Stewart coauthored this blog post.
Process maturity represents an organization's ability to institutionalize their practices. Measuring process maturity determines how well practices are ingrained in the way work is defined, executed, and managed. Process maturity represents an organization's commitment to and consistency in performing these practices. A higher degree of process institutionalization contributes to more stable practices that are able to be retained during times of stress. In the case of cybersecurity, having mature cybersecurity processes will improve an organization's ability to prevent and respond to a cyberattack.
In the first blog post in this series, we introduced version 1.0 of the Cybersecurity Maturity Model Certification, or CMMC. We talked about the two aspects of the CMMC, leveled practices and process maturity. In this blog, we are going to take a closer look at process maturity and how this aspect differentiates the CMMC from existing DoD compliance standards.
The SEI's Established History with Process Maturity
The Software Engineering Institute has extensive experience with process maturity. In 1986, the SEI started the development of the Capability Maturity Model for Software, or CMM. The software community began using the initial release of CMM in 1991. It was the foundation for systematically building a set of tools, including a maturity questionnaire, useful in software process improvement.
Today, the Capability Maturity Model Integration (CMMI) represents a suite of tools built off the SEI's research and development of the CMM. CMMI models have expanded beyond software engineering to help any organization in any industry build, improve, and measure their capabilities and improve performance. Organizations have used the CMMI for more than 25 years to help achieve repeatable and sustainable results.
The development of the CERT Resilience Management Model, or CERT-RMM, is the result of the SEI's deep expertise in resilience and cybersecurity. As cybersecurity was on the verge of becoming a dominant national challenge, we began to envision ways that the convergence of security, business continuity, and IT operations management would be critical to an organization's survival. We combined this knowledge with our successful history of developing and deploying process improvement models with our work in CMM. We determined that a process-improvement approach to managing operational resilience improves an organization's performance by shifting their perspective to the process, not the just the technical implementation of solutions. After extensive research and industry collaboration, the SEI published version 1.0 of the CERT-RMM in 2010.
The CERT-RMM and the CMMC share a similar model architecture. Both the CERT-RMM and CMMC address technical practices, as well as the institutionalization of those activities through process maturity. Through our extensive research and implementation of CERT-RMM, we know that this two-sided approach helps organizations ensure cybersecurity and resilience activities are not only being performed appropriately, but the activities and outcomes are ingrained into the culture of the organization. The CERT-RMM's proven framework served as the foundation for the development of the CMMC framework.
As other cybersecurity standards have demonstrated, compliance does not equal security. The current approach with the Defense Federal Acquisition Regulation Supplement (DFARS) has shown that organizations will implement what they can and create a Plan of Actions & Milestones (POA&M) for everything else. Consequently, organizations in the DoD supply chain can have gaps in their cybersecurity programs and be vulnerable to attack.
However, the presence or even performance of practices is not always enough. Practices should be embedded in the culture and operations of an organization. The CMMC measures the degree to which an organization has institutionalized the practices within the model. When practices are documented, managed, reviewed, and optimized, they will be performed more consistently and improved over time. The DoD needs to have some level of confidence that the organization can protect sensitive information, not only at the time of an audit but in the future, especially during times of stress and disruption.
An Overview of CMMC Process Maturity
Within CMMC, practices and processes are defined. A practice is defined as a specific technical activity or activities that are required and performed to achieve a specific level of cybersecurity maturity for a given capability in a domain. A process is a specific procedural activity that is required and performed to achieve a maturity level. Both practices and processes have 5 levels within CMMC and an organization must meet both the process and practice level requirements to achieve that level certification within CMMC.
The CMMC defines five levels of process maturity. To move up levels, an organization must implement the processes at the desired level of certification, plus everything at the lower levels. There are a total of five processes within the CMMC: two processes at level two and one process at each of levels three through five. The sections below detail the processes within each level of the CMMC.
CMMC Maturity Level 1 - Performed
CMMC does not measure process maturity at Maturity Level 1. The organization is simply performing the CMMC's technical practices, perhaps in an ad-hoc manner.
CMMC Maturity Level 2 - Documented
CMMC begins to measure process maturity at Maturity Level 2, which requires the organization to have a guiding policy that establishes the objectives and importance of the practice domain. In addition, the organization must establish and document the practices within that domain.
A policy is a high-level statement from senior management that establishes organizational expectations for planning and performing the activity and communicates those expectations to the organization. A policy demonstrates that senior management sponsors and oversees the domain activities, which at a minimum include the defined CMMC practices. Even though an organization is required to have policy guidance for each of the 17 practice domains, they do not need to have 17 individual policies. A single policy could include directives for more than one CMMC practice domain. It is up to the organization to decide how they want to structure and document their policies. However, at a minimum, the policy should
- clearly state the purpose of the policy
- clearly define the scope of the policy: for example, enterprise-wide, department-wide, or information-system specific
- describe the roles and responsibilities of the activities covered by this policy: the responsibility, authority, and ownership of domain activities
- establish or direct the establishment of procedures to carry out and meet the intent of the policy, including any regulatory guidelines this policy addresses
As directed in the policy, the organization should document the activities needed to meet the intention of the policy. For CMMC, the technical practices must be documented. The documentation of practices enables an organization to execute the CMMC practices in a repeatable manner and to achieve expected outcomes, establishing a foundation for continuous improvement.
Organizations build their cybersecurity practices by documenting them, then practicing them as documented. In other words, "Say what you do; do what you say." The level of detail of a documented practice can vary from a handwritten desk procedure to a formal organizational standard operating procedure that is managed and controlled. It is up to the organization to determine how they will document their CMMC practices.
CMMC Maturity Level 3 - Managed
At Maturity Level 3, an organization establishes and maintains a plan for performing the practice domain activities. The plan should include strategic-level objectives that inform senior management of the status of domain activities. The plan for a CMMC domain can be a stand-alone document, part of a larger document, or distributed among numerous documents. It is up to the organization to decide how domain activities, including CMMC practices, are planned and maintained.
The plan for performing domain activities typically includes a mission statement and/or vision statement, strategic goals/objectives, relevant standards and procedures, a project plan, training needed to perform the domain activities, and the involvement of relevant stakeholders.
At Level 3 an organization is also required to define and provide adequate resources for performing the domain activities. For example: people resources are assigned, funding needs are defined, a budget is established, specific tools required to perform domain activities are provided; people resources are adequately trained, and relevant stakeholders are involved in resourcing activities.
CMMC Maturity Level 4 - Reviewed
At Maturity Level 4, activities, including CMMC practices, are measured and controlled against the plan. If issues are discovered, appropriate corrective action is taken. The organization should define measurement criteria for domain activities. Examples of activities that can be measured against the defined plan include
- measurement of actual performance against the plan for performing the process
- review of accomplishments and results of the process against the plan for performing the process
- review of activities, status, and results of the process with the immediate level of managers responsible for the process and identify issues
- identify and evaluate the effects of significant deviations from the plan for performing the process
- identify problems in the plan
- take corrective action when requirements and objectives are not being satisfied
- take corrective action tracking to closure
Higher-level management should have appropriate visibility into the domain activities through established periodic reviews. In addition, high-level managers should be informed of the status of the domain activities, which include CMMC practices. In this context, higher-level management should include those with overall responsibility and accountability for the scope of the CMMC assessment. When issues are identified, corrective actions should be developed and tracked to resolve issues. This review should be done through an established set of reviews. Examples of reviews include status reviews, risk reviews, status of improvements, and scheduling for achieving milestones.
CMMC Maturity Level 5 - Optimizing
At Maturity Level 5, an organization is continually optimizing their practices. The organization should have standard processes that define the specific practice domain activities, which include CMMC practices, along with guidelines for tailoring these processes to meet the needs of a specific organizational unit, line of business, or any other organizationally defined operating division. The organization establishes and maintains a description of the process that is tailored from the organization's set of standard processes.
The intent of standardizing domain activities is to provide consistency across the organization and to properly share improvement information. A standard practice may include
- practice description
- practice activities to be performed
- process flow including diagrams
- inputs and expected outputs
- performance measures for improvement
- procedures for process improvement
To continually optimize domain activities, including CMMC practices, lessons learned from planning and performing should be documented and shared across the organization.
Wrapping Up and Looking Ahead
The maturity processes of the CMMC are intended to measure the degree to which an organization has institutionalized its cybersecurity practices. Implementing process maturity within an organization will ensure that practices are consistent, repeatable, and constantly being improved.
In the next blog post in this series, we will explore some of the additional practices in Levels 1-3 that are not already NIST SP 800-171 requirements for Defense Industrial Base (DIB) companies. We will look at why these were added to the model and the value they provide for the CMMC program.
The CMMC Framework and accompanying DoD information is available for download at https://www.acq.osd.mil/cmmc/index.html.
View the SEI webpage CMMC--Securing the DIB Supply Chain.
Download the fact sheet, CMMC--Securing the DIB Supply Chain with the Cybersecurity Maturity Model Certification Process.