
Cybersecurity Maturity Model - HHS.gov



Transcription of Cybersecurity Maturity Model - HHS.gov

Slide 1: HC3 Intelligence Briefing: Cybersecurity Maturity Models
08/06/2020. Report #: 202008061030. TLP: WHITE, ID# 202008061030

Slide 2: Agenda
- Executive Summary
- Background
  - What is a Cybersecurity Maturity Model (CMM)
  - History of CMM
  - Why use a CMM
  - How to use a CMM
- Notable Cybersecurity Maturity Models
  - Cybersecurity Capability Maturity Model (C2M2)
  - NIST Cybersecurity Framework
  - Cybersecurity Maturity Model Certification
- How can a CMM be used to protect the Health/Public Health Sector
  - Using CMMs to provide customers with continuous service
  - Using CMMs to protect sensitive information
  - Using CMMs to comply with laws and regulations

Slides Key: Non-Technical: managerial, strategic and high-level (general audience). Technical: tactical / IOCs; requiring in-depth knowledge (sysadmins, IRT).

Slide 3: Executive Summary
Cybersecurity Maturity Models:
- Attempt to collect the best cybersecurity practices
- Are developed by a collaboration of experts from diverse backgrounds
- Consider the dispersion in size, knowledge, skills, abilities, and experience of the organizations that will use the model
- Take a life cycle and continuous improvement approach to cybersecurity
Cybersecurity Maturity Models help organizations:
- Provide services for their customers without interruption
- Protect sensitive customer and proprietary information
- Comply with the laws and regulations that govern them

Slide 4: Cybersecurity Maturity Model
- Provides a structure for organizations to baseline current capabilities in cybersecurity workforce planning, establishing a foundation for consistent evaluation
- A management tool for leadership in identifying opportunities for growth and evolution
Maturity levels, from lowest to highest: Initial; Developing; Defined/Maintenance; Managed/Review; Optimizing.
Source: NICCS (2014)

Slide 5: Maturity Model History
- 1986: Capability Maturity Model (CMM)
- 2006: Capability Maturity Model Integration (CMMI)
- 2012: Cybersecurity Capability Maturity Model (C2M2)
- 2013: NIST Cybersecurity Framework (CSF)
- 2020: Cybersecurity Maturity Model Certification (CMMC)

Slide 6: Why do you need a Cybersecurity Maturity Model
- Provide current security posture
- Benchmarking against industry
- Help in optimizing security investments
- Balancing the cybersecurity portfolio
- Security strategy and roadmap
- Help CISOs communicate security to the Board
Source: NICCS (2014)

Slide 7: How to use a Cybersecurity Maturity Model (Plan-Do-Check-Act)
- Plan: select a Cybersecurity Maturity Model or framework; identify an assessment tool; conduct a security assessment
- Do: implement security controls; develop policies; conduct training
- Check: verify the security controls; self-assessment; third-party verification
- Act: develop lessons learned; establish baselines; make adjustments as needed; continue the cycle again
Sources: NICCS (2014); Deming, E. W. (1982)

Slide 8: Notable Cybersecurity Maturity Models

DOD Cybersecurity Maturity Model Certification (CMMC) [3]: Created in 2019 and updated in 2020. Developed in concert with Department of Defense stakeholders, University Affiliated Researchers, Federally Funded Research Centers, and the Defense Industrial Base, and led by the Office of the Under Secretary of Defense for Acquisition and Sustainment. Derived from NIST SP 800-171, Security Requirements for Controlled Unclassified Information, and the Defense Acquisition Supplement. For Defense Industrial Base contractors, and will require a third-party certification.

NIST Cybersecurity Framework (CSF) [2]: Published first in 2014. Updated in 2017 and 2018. Collaborative effort of industry, academia, and government coordinated by the National Institute of Standards and Technology (NIST). Mandated by the Cybersecurity Enhancement Act of 2014 (CEA). Brings best practices from industry and government, but practices are derived directly from NIST 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013. Developed to improve cybersecurity risk management for critical infrastructure, but can be used by any sector or community.

Cybersecurity Capability Maturity Model (C2M2) [1]: Developed in 2012, updated in 2014 and 2019. Developed collaboratively with an industry advisory group from government, industry, and academia, led by the Department of Energy in partnership with the Department of Homeland Security. Derived from cybersecurity best practices from government and industry. Originally developed for critical infrastructure, but updated to be applied to all sectors with information and operations technology.

[1] Department of Energy ( ). [2] NIST ( ). [3] CMMC (2020).

Slide 9: Notable Cybersecurity Maturity Models (comparison)

Model                                    | C2M2          | NIST CSF      | CMMC
Maturity Levels / Functions/Tiers        | 3             | 5/4           | 5
Security Domains / Categories            | 10            | 21            | 17
Processes / Subcategories / Capabilities | 38            | 108           | 44
Practices / Controls (maximum)           | 210           | 240           | 171
Type of Assessment                       | Self-assessed | Self-assessed | Third-party certification

Slide 10: Notable Cybersecurity Maturity Models: Cybersecurity Capability Maturity Model (C2M2)
[Figure: the ten C2M2 domains. Legible fragments of the domain names: Identification; Change, and Configuration; and Access; and Sharing; and Incident Response, Continuity of Operations; and Service; Security Program Management.]
Each domain is organized by objectives. For example, the Risk Management domain has three objectives; the practices of its Manage Cybersecurity Risk objective are listed by maturity level on the following slides.
Source: Cybersecurity Capability Maturity Model (C2M2) Program ( ).

Slide 11: C2M2: Risk Management Domain, Manage Cybersecurity Risk Objective, practices by Maturity Level
C2M2 maturity levels run from 0 to 3.
Level 3:
- Risk assessments include all assets and activities that are critical to the achievement of the organization's mission
- The risk management program defines and operates risk management policies and procedures
- A current cybersecurity architecture is used to inform risk analysis
- The risk register includes all risks identified through cybersecurity risk assessments and is used to support risk management activities
Level 2:
- Risk assessments are performed to identify risks according to organization-defined triggers
- Risks are recorded in a risk register
- Risks are analyzed to select and prioritize risk responses using defined risk criteria
- Risks are tracked to ensure that risk responses are implemented

Slide 12: C2M2: Risk Management Domain, Manage Cybersecurity Risk Objective, practices by Maturity Level (continued)
Level 1:
- Cybersecurity risks are identified and documented, at least in an ad hoc manner
- Risks are mitigated, accepted, avoided, or transferred, at least in an ad hoc manner
Level 0:
- Practices not
Source: Cybersecurity Capability Maturity Model (C2M2) Program ( ).

Slide 13: Notable Cybersecurity Maturity Models: NIST Cybersecurity Framework
Core: Functions and Categories.
- Identify: cybersecurity risk to systems, people, assets, data, and capabilities.