The Next Generation of Cyber Maturity Models

The first maturity model, introduced in 1991, was originally made for software development. Now, cyber maturity models are not just a basis for business cyber capabilities; they are a benchmark for bidding on government contracts. With the US Government being both a designer and an enforcer, why bother with any other model?

Roughly two months ago, I had no idea what a maturity model was, never mind its context in the cyber field. Now, the first large assignment as part of my Cyber Security Engineering master's dives into these models.

The rate of change in this business-focused corner of cyber is just as fast; the next generation of cyber maturity models is coming out now. This blog post dives into what on earth they are, how they have evolved over the years and their effect on the cyber landscape.

What on earth is it?

From their first derivation, maturity models were made for software development. They take an incremental approach: do we want the software process to be ad hoc, or well managed? Want it to be more sophisticated? Then define the levels against which it can be judged.

In the cyber context, we care about capabilities, readiness and sophistication. Levels are defined in terms of how processes are performed and also how practices are reflected in cyber hygiene.

Level     Characteristics
Level N   Optimizing, Advanced / Proactive
Level 2   Documented, Intermediate Cyber Hygiene
Level 1   Performed, Basic Cyber Hygiene

This is a very brief, high-level generalisation of CMMs, just to paint the picture. It makes sense from a management frame of mind to define process maturity, and not to strive for the highest level in every case.

How did we get here?

2014 saw a big development in these maturity models: the US Department of Energy came out with C2M2, the Cybersecurity Capability Maturity Model. At the same time, the Department of Homeland Security also published the whitepaper for the NICE-CMM. Across the water in the UK, a government-backed scheme called Cyber Essentials was released.

This was the first shift towards pushing organisations to become more aware of their cyber practices. Businesses are now incentivised to hold Cyber Essentials, protecting themselves by following this government scheme.

Coming back to 2020, the NICE-CMM didn’t gain much traction and C2M2 has prevailed, with its second edition currently under review. But there’s a new kid on the block in the US: the Cybersecurity Maturity Model Certification (CMMC) by the Office of the Under Secretary of Defense for Acquisition & Sustainment. Cyber Essentials has continued, with updates in 2020 as well.

Is choice a problem?

Beyond the two maturity models mentioned so far, there is actually a large variety to choose from. Specialisation has come by infrastructure domain, with models tailored for Energy, Oil & Gas, IT Services and even digital forensics.

It could be argued that too much choice makes it hard for an SME to decide on the best route for implementing such a model, or simply to choose the one that covers the most bases. On the flip side, a large organisation could just pick one arbitrarily as a seal of approval for what it already does. I would argue that variety is good and should be encouraged; newer ways of assessing or identifying capabilities in a domain could be found. Frameworks are designed to adapt to the rapidly changing field that is cyber, but these updates show that changes are always needed.

The CMMC

With this new certification from the US Government, the first nominated contracts with the DoD have been announced. The plan for CMMC implementation is a phased roll-out from 2021 to 2025. Initial pilots will cover the first three (out of 5) levels of the CMMC. The requirement then flows down to subcontractors, who must also obtain the appropriate CMMC level.

One benefit is that the CMMC documentation is mapped to other frameworks, such as NIST 800-171 and Cyber Essentials. A company could see its maturity from previous accreditations and determine whether CMMC is worthwhile. Nonetheless, compared to the NICE-CMM, it looks like the CMMC has quickly taken solid root and is going to be important for the next few years.


With maturity models having started in software development and bled over into other domains, businesses are going to have to incorporate some sort of awareness. This next generation of maturity models and government schemes comes twofold: to make businesses protect themselves and their clients, but also to make them accountable.

Whilst this makes sense in theory, practical examples of this ‘sword and shield’ haven’t played out as well. Section 230 is the behemoth of them all, regardless of the nature of the company at hand.