Government Agencies Field More Cybersecurity Maturity ModelsPentagon and DOE Pitch Security Frameworks - But Should They Defer to NIST?
Two U.S. government federal agencies are pitching new or revised cybersecurity capability maturity models to their sectors.
Both the Department of Energy and the Department of Defense have released CMMs for public comment. The DOE's Cybersecurity Capability Maturity Model - C2M2 - version 2 is open for public comment until Sept. 13, while the DOD's Cybersecurity Maturity Model Certification revision 0.4 is open for comment until Sept. 25. Subsequently, version 0.6 will be open for comment until in November.
The two CMMs are designed to help organizations in the defense and energy sectors prioritize their cybersecurity investments as well as refine their processes and controls.
But the release of the frameworks has raised questions about whether different parts of the U.S. government should be issuing entirely different CMMs, or if their efforts would be better spent working more closely together and standardizing on the NIST Cybersecurity Framework, which many view as being the gold standard.
CMMC Will Be Enforced Contractually
DOD plans to release CMMC version 1.0 in January 2020. It wants to see defense contractors that bid on projects demonstrate their compliance with the framework beginning in the fall of 2020.
DOD says its CMMC is designed to "be a unified cybersecurity standard for DOD acquisitions to reduce exfiltration of controlled unclassified information from the defense industrial base." It identifies 18 cybersecurity capability domains. Compliance will be contractually enforced.
The DOD CMMC will be mapped to the NIST Cybersecurity Framework, on which it is based, in part. Other sources include the CERT Resilience Management Model, Defense Industrial Base Sector Coordinating Council's task force working group's top 10, ISO 27001:2013 standard for an information security management system, the Aerospace Industries Association's NAS9933 national aerospace standard, the Center for Internet Security's Critical Security Controls 7.1, and subject matter experts.
Legal experts says the comment period for CMMC is welcome because many questions remain, including the deadlines for implementing new controls and requirements, as well as the degree to which defense contractors must implement them.
"The guidance offers no insight into how DOD will determine the CMMC certification level required for each contract solicitation or whether it intends to standardize a process for making such determinations across the departments or even within requiring activities," Covington & Burling LLP attorneys Susan B. Cassidy, Samantha Clark, Ryan Burnette and Ian Brekke write in a blog post analyzing the CMMC draft.
The DOE's revised C2M2 version 2.0 updates version 1.2, which was released in February 2014. As with its predecessor, it will be mapped to the NIST Cybersecurity Framework.
DOE released C2M2 version 2 for public comment on Aug. 7. "The C2M2 version 2.0 was necessitated by advancements in technologies, practices, and frameworks to protect critical infrastructure against cyber intrusions," the agency says in a Federal Register listing.
"Understanding and mapping cybersecurity risk is critically important for all companies and key sectors, such as the energy sector," Chris Pierson, CEO of the cybersecurity company BlackCloak, tells Information Security Media Group. "DOE's current second version draft of the Cybersecurity Capability Maturity Model - C2M2 - has some additional changes in analyzing maturity curves, partnerships and best practices."
"Cybersecurity is changing - the sophistication of technology is improving and so too is the sophistication of threat actors," says Marcus Christian, a Washington-based partner in Mayer Brown LLP's cybersecurity and data privacy practice and white collar defense and compliance group. "The goal of C2M2 2.0 is to keep up with these changes."
C2M2: 10-Domain Maturity Model
Maturity models are designed to enable organizations to benchmark their capabilities and identify where they need to improve. As defined by DOE, "a maturity model is a set of characteristics, attributes, indicators, or patterns that represent capability and progression in a particular discipline," so organizations can identify their maturity level and then next steps for improvement. "Model content typically exemplifies best practices and may incorporate standards or other codes of practice of the discipline."
DOE's C2M2 defines 10 domains for modeling:
- Risk management;
- Asset, change and configuration management;
- Identity and access management;
- Threat and vulnerability management;
- Situational awareness;
- Information sharing and communications;
- Event and incident response;
- Continuity of operations;
- Supply chain and external dependencies management;
- Workforce management and cybersecurity program management
The DOE's Cybersecurity Capability Maturity Model - C2M2 - program also includes models for the electricity subsector as well as the oil and natural gas subsector - ES-C2M2 and ONG-C2M2, respectively.
"The EC-C2M2 has done a great job so far with this model incorporating newer cybersecurity ideas, such as a focus on defensibility, threat, and response along with traditional risk elements like vulnerabilities," Sergio Caltagirone, vice president of threat intelligence at industrial control system security firm Dragos, tells ISMG (see: How Triton Malware Targets Industrial Control Systems). "It won’t be the last model, but it’s good work along the journey.”
DOE says C2M2 is meant to be used as part of a one-day review.
When facilitated by DOE employees and contractors, for example, a two or three-person team will visit an organization for one day - for six to eight hours - to meet with stakeholders, who don't have to prepare, except for reading the C2M2.
"The meeting will comprise the different stakeholders answering questions relevant to their functions," DOE says. "The C2M2 has over 300 questions in total which will generate dialogue between the participants and help the stakeholders understand the maturity of the cybersecurity capabilities."
"C2M2 is designed by many public and private infrastructure cybersecurity practitioners to help communicate to risk and budget owners areas for improvement," Caltagirone says. "It will help guide the perennial question: 'What do we get for the money?' Cybersecurity investment works when both the practitioners and risk owners understand and communicate clearly via risk and impact which this model does well."
How Did We Get Here?
The DOE began developing the first version of C2M2 for the energy sector in 2012 as part of a White House initiative to boost cybersecurity in that sector.
On Feb. 12, 2013, President Barack Obama issued executive order 13636, "Improving Critical Infrastructure Cybersecurity." It defined critical infrastructure as being "systems and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."
Among other stipulations, the executive order called for better interagency policy coordination, public/private cybersecurity information sharing and identifying top risks facing the sector. It called for the National Institute of Standards and Technology "to lead the development of a framework to reduce cyber risks to critical infrastructure" as well as for sector-specific government agencies to review the framework and "if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments."
Complying with those frameworks would be voluntary, the executive order said (see: Analyzing the Cybersecurity Framework's Value).
In February 2014, NIST released its Cybersecurity Framework, which defines five cybersecurity functions:
The same month, DOE released C2M2 version 1.1. "The C2M2 is meant to be used by an organization to evaluate its cybersecurity capabilities consistently, to communicate its capability levels in meaningful terms and to inform the prioritization of its cybersecurity investments," DOE says. "An organization performs an evaluation against the model, uses that evaluation to identify gaps in capability, prioritizes those gaps and develops plans to address them and finally implements plans to address the gaps. As plans are implemented, business objectives change and the risk environment evolves, the process is repeated."
In January 2015, DOE released guidance to help the energy sector map C2M2's processes to the NIST framework.
Any organization can use these maturity models, including the DOE's C2M2.
"This maturity model is not only useful for companies in the energy sector, but also more broadly - it has a lot that would be useful to more companies in general," Christian tells ISMG.
"You want to use this process to identity gaps and establish priorities and then tackle those priorities, to improve your practices, procedures and controls," he says. "Building this into the culture of the organization is something that requires a long-term approach, and doing that with an eye not just to the threats and technology out there but also the relevant laws and regulations."
Signs of Progress
Caltagirone at Dragos says the release of C2M2 and upcoming CMMC point to increasing cybersecurity maturity across multiple sectors and the importance of better sector-specific guidance.
“Cybersecurity, and cybersecurity in critical infrastructure, is such a new domain that the proliferation of models and frameworks such as C2M2 is expected, and welcomed," he says. "It seems as if new models are created every day, and they are, but that is a sign of progress - that we recognize deficiency and work to improve it. The industry should have as many descriptive and supportive models as possible as none are perfect, but we should strive for few prescriptive models. Unlike the Lord of the Rings, there is no ‘one model to rule them all’ and there never will be."
Potential for Confusion
But BlackCloak's Pierson argues that what organizations in critical infrastructure sectors need now are fewer frameworks and more action.
"What the U.S. needs right now is increased action on solving the current risks - low-hanging fruit - and bringing along all companies/critical sectors to a higher level of maturity within each core element of the one main risk framework," Pierson says.
Rather than issuing or refining new models, Pierson recommends more focus on the best one. "The key for the U.S. is to focus on one model - NIST is the most mature and comprehensive at this point in time - and then focus all efforts on mitigating cyber risks," he says.
"Specification for a sector can and should occur - but as an add-on to an already mature model that is universally adopted," he says. "Creating newer or varied models, even if they have a NIST mapping, does not solve cybersecurity - and potentially confuses the teams implementing the controls."