Cybersecurity Maturity Model Certification (CMMC) Part 2: Process Maturity’s Role in Cybersecurity


Process maturity represents an organization’s ability to institutionalize their practices.

The first line establishes a relationship between process and practice. But is “process maturity” a noun, or is “process” a modifier? Reads like a state of being, a quantifiable thing in the humanistic sense.

Measuring process maturity determines how well practices are ingrained in the way work is defined, executed, and managed.

A higher degree of process institutionalization contributes to more stable practices that are able to be retained during times of stress.

Process maturity = process institutionalization or Process maturity != process institutionalization ??

Today, the Capability Maturity Model Integration (CMMI) represents a suite of tools built off the SEI’s research and development of the CMM.

Ohh I always see those letters stuck behind people’s names…need to dig into the final version. Only read up on v.1 so far.

The development of the CERT Resilience Management Model, or CERT-RMM, is the result of the SEI’s deep expertise in resilience and cybersecurity.

Oooh, another acronym…people love collecting acronyms. They are the jewelry of LinkedIn. Need to do a deep dive. A personal crosswalk with all the different cybersecurity frameworks. There is one in the appendix, but curricular crosswalks are amazing learning opportunities.

The CERT-RMM and the CMMC share a similar model architecture. Both the CERT-RMM and CMMC address technical practices, as well as the institutionalization of those activities through process maturity.

Yet this confuses me seeing the process as being theoretically disconnected from practices in the CMMC model. I know it says simplified model but it is visually clear that practices feed into capabilities and both capabilities and processes feed into domains.

As other cybersecurity standards have demonstrated, compliance does not equal security. The current approach with the Defense Federal Acquisition Regulation Supplement (DFARS) has shown that organizations will implement what they can and create a Plan of Actions & Milestones (POA&M) for everything else.

I think it was a 2015 study that found only 60% of contracts even included language that spoke to DFARS. Self-assessment will not work, not when remediation is expensive and failure costs millions.

Feels like #HigherEd accreditation a bunch here. Just a few years behind. Could be lessons to learn in that institutionalized process.

However, the presence or even performance of practices is not always enough. Practices should be embedded in the culture and operations of an organization. The CMMC measures the degree to which an organization has institutionalized the practices within the model.

Within CMMC, practices and processes are defined. A practice is defined as a specific technical activity or activities that are required and performed to achieve a specific level of cybersecurity maturity for a given capability in a domain. A process is a specific procedural activity that is required and performed to achieve a maturity level.

Okay, clear, easy-to-grok operational definitions. Practice = technical activity, process = procedural activity. I can see two distinct ontological buckets here.

Yet practice is defined as a technical process for a given capability in a domain.

This is where I keep getting tripped up. I can’t find an operational definition of capability. The CMMC section 2.5 on capabilities (pg 7) contains a reference to a figure and a list of capabilities associated with a domain.

Then the glossary in the appendix defines capabilities as:

“Capabilities are achievements to ensure cybersecurity objectives are met within each domain. Capabilities are met through the employment of practices and processes. Each domain is comprised of a set of capabilities.”

And I get stuck again on the theoretical model introduced in figure 1 in the 2.2 Overview (pg 2). The overarching model keeps processes separate from capabilities. I don’t see any prior evidence of expecting a model fit where process does not influence capabilities.

Disagreement in theoretical models and operational definitions causes me agita. I think it’s the image of the theoretical model that needs to change based on my very brief (as in today) research into SEI maturation models but at least I now understand the intent.

I do think a stronger definition of capabilities is needed before the table of capabilities. That’s just the English teacher in me. You always define key terms and not by referencing a figure.

When you compare Table 1 CMMC Capabilities to the appendices, the taxonomic relationship is clear. I can mentally restructure the model’s matrix into a taxonomy, with each domain consisting of a set of capabilities and each capability having a subset of practices at different maturity levels.

The CMMC defines five levels of process maturity. To move up levels, an organization must implement the processes at the desired level of certification, plus everything at the lower levels.

Remember, a process is defined as a procedural activity, so moving up levels means doing all the procedures at the current level and all prior levels.

CMMC does not measure process maturity at Maturity Level 1.

Just FCI, no CUI, governed by different reference docs. I really gotta memorize those so I can spit them back with a bit of fluency.

CMMC begins to measure process maturity at Maturity Level 2, which requires the organization to have a guiding policy that establishes the objectives and importance of the practice domain.

Interesting it is the practice being documented and not so much the constellation of practices that make up each capability under a domain.

A policy is a high-level statement from senior management that establishes organizational expectations for planning and performing the activity and communicates those expectations to the organization. A policy demonstrates that senior management sponsors and oversees the domain activities, which at a minimum include the defined CMMC practices.

Operational definition of policy.

A single policy could include directives for more than one CMMC practice domain.

Practice domain, capability domain, or just domain? Aren’t domains made up of capabilities and practices…

At Maturity Level 3, an organization establishes and maintains a plan for performing the practice domain activities. The plan should include strategic-level objectives that inform senior management of the status of domain activities.

The plan for performing domain activities typically includes a mission statement and/or vision statement, strategic goals/objectives, relevant standards and procedures, a project plan, training needed to perform the domain activities, and the involvement of relevant stakeholders.

At Level 3 an organization is also required to define and provide adequate resources for performing the domain activities.

At Maturity Level 4, activities, including CMMC practices, are measured and controlled against the plan. If issues are discovered, appropriate corrective action is taken.