Practices are the most fundamental part of C2M2. Each practice is a brief description of a cybersecurity activity that an organization can perform. Practices within each area are organized to progress along a maturity scale. Read the Version 2.1 announcement to learn what's new in this release and in the model update.

The Department of Energy has combined a framework of security controls with a process for measuring against it. The product is its Cybersecurity Capability Maturity Model, also known as C2M2. The C2M2 is free to the public and can be downloaded from www.energy.gov (www.energy.gov/sites/prod/files/2014/03/f13/C2M2-v1-1_cor.pdf). The Department of Energy defines "maturity models" in this product as follows:

The concept of managing cybersecurity and privacy controls based on maturity expectations is an interesting topic, so I decided to demonstrate what a "NIST SP 800-171 maturity model" could look like, leveraging existing maturity model constructs. In general, a maturity model is designed to accomplish a few things that don't just sound cool:

While the NIST Cybersecurity Framework (CSF) is not a maturity model in the way that the Cybersecurity Maturity Model Certification required in the defense industry is, it identifies four levels and five levels of maturity for organizations of all types. These are designed to help companies assess their cybersecurity capabilities and get a better idea of the state of their program. Most importantly, a cybersecurity maturity model provides a path forward and allows your organization to regularly assess where it is on that journey.

This can be a valuable tool, not only for improving your cybersecurity efforts, but also for communicating with senior management and getting the support you need. This episode of "Coffee Thoughts With Tom" reflects on the question "CMMC has never been a 'true maturity model,' so what does a NIST 800-171 capability maturity model (CMMC) look like?" and builds on a previous article on how Cybersecurity Maturity Model Certification (CMMC) has never really been a capability maturity model (CMM), aside from the fact that "maturity model" is embedded in its name [hint: this article is worth reading if you have time, for good background on maturity models].

For organizations interested in using the NIST CSF to measure maturity rather than compliance, SecurityGate.io has developed an easy-to-use module that displays your organization's overall CMMI maturity level and can break maturity scores down into the 23 NIST CSF categories.

To validate and measure their efforts, many cybersecurity organizations count the number of vulnerabilities they have closed in a given period of time or report compliance with legal or industry standards. However, none of these approaches gives a real indication of your company's maturity, nor do they provide a framework for improvement. To measure and improve, cybersecurity organizations must adopt a cybersecurity maturity model. You can choose from several cybersecurity maturity models. In my view, the National Institute of Standards and Technology's Cybersecurity Framework (NIST CSF) and the Cybersecurity Capability Maturity Model (C2M2) both offer a holistic approach that covers everything related to cybersecurity. The model you choose is not as important as choosing one and using it. It's also worth noting that measuring your maturity is just the beginning (remember the second half of the printer quote?). There will be next steps, including improving your measurements and metrics.

There is a difference between saying we can walk in this area and running an eight-minute kilometer. Whichever model you choose, your organization should develop a program that matters to you. Because NIST SP 800-171/CMMC is not designed for capability development, there is no defined "sweet spot" for organizations seeking certification (OSCs) with respect to their process maturity level.
