Cybersecurity Capability Maturity Model (C2M2) Version 1.1, Study notes of Computer Networks

The document introduces the Cybersecurity Capability Maturity Model (C2M2) which can help organizations evaluate and improve their cybersecurity programs. It provides descriptive guidance and can be used with a self-evaluation methodology and toolkit. The document acknowledges the organizations and individuals who participated in the development of the model. It is intended for organizations of all sectors, types, and sizes to strengthen their cybersecurity capabilities and prioritize investments.

CYBERSECURITY CAPABILITY MATURITY MODEL (C2M2)
Version 1.1
February 2014

TABLE OF CONTENTS

LIST OF FIGURES

Figure 1: Risk Management Process ............................................................................................................. 4

Figure 2: Model and Domain Elements ........................................................................................................ 7

Figure 3: Referencing an Individual Practice, Example: RM-1a................................................................ 14

Figure 4: Recommended Approach for Using the Model ........................................................................... 15

LIST OF TABLES

Table 1: Example of Approach Progression in the Cyber Program Management Domain ........................ 10

Table 2: Mapping of Management Practices to Domain-Specific Practices ............................................... 11

Table 3: Summary of Maturity Indicator Level Characteristics................................................................... 13

Table 4: Recommended Process for Using Evaluation Results ................................................................... 18

Cybersecurity Capability Maturity Model Version 1.1 ACKNOWLEDGEMENTS


ACKNOWLEDGMENTS

The Department of Energy (DOE) developed the Cybersecurity Capability Maturity Model (C2M2) from the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) Version 1.0 by removing sector-specific references and terminology. The ES-C2M2 was developed in support of a White House initiative led by the DOE, in partnership with the Department of Homeland Security (DHS), and in collaboration with private- and public-sector experts.

The DOE acknowledges the dedication and technical expertise of all the organizations and individuals who participated in the development of ES-C2M2 as well as the organizations and individuals from different sectors who have provided the critiques, evaluations, and modifications in order to produce this first release of the C2M2.

Program Technical Lead
Jason D. Christopher, Department of Energy, Office of Electricity Delivery and Energy Reliability (DOE-OE)

Program Team
Fowad Muneer, ICF International
John Fry, ICF International

Model Architect
Carnegie Mellon University Software Engineering Institute – CERT Division

Model Contributors
Dale Gonzalez
David W. White
James Stevens
Julie Grundman
Nader Mehravari
Pamela Curtis
Tom Dolan


industry. Within the organization, various stakeholders may benefit from familiarity with the model. This document specifically targets people in the following organizational roles:

- Decision makers (executives) who control the allocation of resources and the management of risk in organizations; these are typically senior leaders^2
- Leaders with responsibility for managing organizational resources and operations associated with the domains of this model (see Section 3.1 for more information on the content of each C2M2 domain)
- Practitioners with responsibility for supporting the organization in the use of this model (planning and managing changes in the organization based on the model)^3
- Facilitators with responsibility for leading a self-evaluation of the organization based on this model and the associated toolkit and analyzing the self-evaluation results^4

1.2 Document Organization

This document, along with several others, supports organizations in the effective use of the C2M2, and it introduces the model and provides the C2M2’s main structure and content.

Stakeholders may benefit by focusing on specific sections of this document, as outlined in the table below. Beyond these recommendations, all readers may benefit from understanding the entire document.

Role                  Recommended Document Sections
Decision makers       Chapters 1 and 2
Leaders or managers   Chapters 1, 2, and 3
Practitioners         Entire document
Facilitators          Entire document

Chapter 2 describes several core concepts that are important for interpreting the content and structure of the C2M2. Chapter 3 describes the architecture of the C2M2. Chapter 4 provides guidance on how to use the model. Chapter 5 contains the model itself—the model’s objectives and practices, organized into 10 domains. Appendix A includes references that were either used in the development of this document or provide further information about the practices identified within the model. Appendix B is the Glossary. Appendix C defines the acronyms used in this document.

(^2) The sponsor of the self-evaluation should be a decision maker from the organization. For more information about the sponsor role, please refer to the C2M2 Facilitator Guide. The Facilitator Guide may be downloaded from http://energy.gov/node/795826.

(^3) Subject matter experts (SMEs) for the self-evaluation should be leaders or practitioners. For more information about the SME role, please refer to the C2M2 Facilitator Guide. The Facilitator Guide may be downloaded from http://energy.gov/node/795826.

(^4) For more information about the facilitator role, please refer to the C2M2 Facilitator Guide. The Facilitator Guide may be downloaded from http://energy.gov/node/795826.


2. CORE CONCEPTS

This chapter describes several core concepts that are important for interpreting the content and structure of the model.

2.1 Maturity Models

A maturity model is a set of characteristics, attributes, indicators, or patterns that represent capability and progression in a particular discipline. Model content typically exemplifies best practices and may incorporate standards or other codes of practice of the discipline.

A maturity model thus provides a benchmark against which an organization can evaluate the current level of capability of its practices, processes, and methods and set goals and priorities for improvement. Also, when a model is widely used in a particular industry (and assessment results are shared), organizations can benchmark their performance against other organizations. An industry can determine how well it is performing overall by examining the capability of its member organizations.

To measure progression, maturity models typically have “levels” along a scale—C2M2 uses a scale of maturity indicator levels (MILs) 0–3, which are described in Section 3.2. A set of attributes defines each level. If an organization demonstrates these attributes, it has achieved both that level and the capabilities that the level represents. Having measurable transition states between the levels enables an organization to use the scale to:

- Define its current state
- Determine its future, more mature state
- Identify the capabilities it must attain to reach that future state

2.2 Critical Infrastructure Objectives

The model makes regular reference to critical infrastructure objectives. These are objectives found in the sector-specific infrastructure protection plans^5 of the 16 United States critical infrastructure sectors defined in Presidential Policy Directive 21, “Critical Infrastructure Security and Resilience.”^6 The referenced objectives serve as a reminder that many of the functions provided by potential adopters of the model support the Nation’s critical infrastructure and that the broader cybersecurity objectives of the sector-specific plans should be considered.

Critical infrastructure objectives often transcend the business or operational objectives for an individual organization. Some organizations using the model may not be affiliated with any of the defined critical infrastructure sectors. For such organizations, the term critical infrastructure objectives can be interpreted to mean industry objectives, community objectives, or any other

(^5) http://www.dhs.gov/sector-specific-plans

(^6) http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil


2.5 Function

In this model, the term function is used as a scoping mechanism; it refers to the subset of the operations of the organization that are being evaluated based on the model.

It is common for an organization to use the model to evaluate a subset of its operations. This subset, or function, will often align with organizational boundaries. Therefore, common examples of functions for evaluation include departments, lines of business, or distinct facilities. Organizations have also successfully used the model to evaluate a specific system or technology thread that crosses departmental boundaries.

For example, an organization uses the model to evaluate its enterprise IT services, including email, Internet connectivity, and Voice over Internet Protocol (VoIP) telecommunication. In the Threat and Vulnerability Management domain, practice 2b states, “Cybersecurity vulnerability information is gathered and interpreted for the function.” When evaluating the implementation of this practice, the organization should interpret function to mean the operations of the enterprise IT services. In this example, the practice means that cybersecurity vulnerability information is gathered and interpreted for the enterprise IT services—information about vulnerabilities that would affect the enterprise email services, network devices, and the VoIP system.


3. MODEL ARCHITECTURE

The model arises from a combination of existing cybersecurity standards, frameworks, programs, and initiatives. The model provides flexible guidance to help organizations develop and improve their cybersecurity capabilities. As a result, the model practices tend to be at a high level of abstraction, so that they can be interpreted for organizations of various structures and sizes.

The model is organized into 10 domains. Each domain is a logical grouping of cybersecurity practices. The practices within a domain are grouped by objective—target achievements that support the domain. Within each objective, the practices are ordered by MIL.

The following sections include additional information about the domains and the MILs.

3.1 Domains

Each of the model’s 10 domains contains a structured set of cybersecurity practices. Each set of practices represents the activities an organization can perform to establish and mature capability in the domain. For example, the Risk Management domain is a group of practices that an organization can perform to establish and mature cybersecurity risk management capability.

For each domain, the model provides a purpose statement, which is a high-level summary of the intent of the domain, followed by introductory notes, which give context for the domain and introduce its practices. The purpose statement and introductory notes offer context for interpreting the practices in the domain.

The practices within each domain are organized into objectives, which represent achievements that support the domain. For example, the Risk Management domain comprises three objectives:

- Establish Cybersecurity Risk Management Strategy
- Manage Cybersecurity Risk
- Management Practices


Threat and Vulnerability Management

Establish and maintain plans, procedures, and technologies to detect, identify, analyze, manage, and respond to cybersecurity threats and vulnerabilities, commensurate with the risk to the organization’s infrastructure (e.g., critical, IT, operational) and organizational objectives.

Situational Awareness

Establish and maintain activities and technologies to collect, analyze, alarm, present, and use operational and cybersecurity information, including status and summary information from the other model domains, to form a common operating picture (COP).

Information Sharing and Communications

Establish and maintain relationships with internal and external entities to collect and provide cybersecurity information, including threats and vulnerabilities, to reduce risks and to increase operational resilience, commensurate with the risk to critical infrastructure and organizational objectives.

Event and Incident Response, Continuity of Operations

Establish and maintain plans, procedures, and technologies to detect, analyze, and respond to cybersecurity events and to sustain operations throughout a cybersecurity event, commensurate with the risk to critical infrastructure and organizational objectives.

Supply Chain and External Dependencies Management

Establish and maintain controls to manage the cybersecurity risks associated with services and assets that are dependent on external entities, commensurate with the risk to critical infrastructure and organizational objectives.

Workforce Management

Establish and maintain plans, procedures, technologies, and controls to create a culture of cybersecurity and to ensure the ongoing suitability and competence of personnel, commensurate with the risk to critical infrastructure and organizational objectives.

Cybersecurity Program Management

Establish and maintain an enterprise cybersecurity program that provides governance, strategic planning, and sponsorship for the organization’s cybersecurity activities in a manner that aligns cybersecurity objectives with the organization’s strategic objectives and the risk to critical infrastructure.

3.2 Maturity Indicator Levels

The model defines four maturity indicator levels, MIL0 through MIL3, which apply independently to each domain in the model. The MILs define a dual progression of maturity: an approach progression and an institutionalization progression, which are explained in the following sections.


Four aspects of the MILs are important for understanding and applying the model:

  1. The maturity indicator levels apply independently to each domain. As a result, an organization using the model may be operating at different MIL ratings for different domains. For example, an organization could be operating at MIL1 in one domain, MIL2 in another domain, and MIL3 in a third domain.
  2. The MILs are cumulative within each domain; to earn a MIL in a given domain, an organization must perform all of the practices in that level and its predecessor level(s). For example, an organization must perform all of the domain practices in MIL1 and MIL2 to achieve MIL2 in the domain. Similarly, the organization would have to perform all practices in MIL1, MIL2, and MIL3 to achieve MIL3.
  3. Establishing a target MIL for each domain is an effective strategy for using the model to guide cybersecurity program improvement. Organizations should become familiar with the practices in the model prior to determining target MILs. Gap analysis activities and improvement efforts should then focus on achieving those target levels.
  4. Practice performance and MIL achievement need to align with business objectives and the organization’s cybersecurity strategy. Striving to achieve the highest MIL in all domains may not be optimal. Companies should evaluate the costs of achieving a specific MIL against potential benefits. However, the model was developed so that all companies, regardless of size, should be able to achieve MIL1 across all domains.

3.2.1 Approach Progression

The domain-specific objectives and practices describe the progression of the approach to cybersecurity for each domain in the model. Approach refers to the completeness, thoroughness, or level of development of an activity in a domain. As an organization progresses from one MIL to the next, it will have more complete or more advanced implementations of the core activities in the domain. At MIL1, while only the initial set of practices for a domain is expected, an organization is not precluded from performing additional practices at higher MILs.

Table 1 provides an example of the approach progression in the Cyber Program Management domain. At MIL1, a cybersecurity program strategy exists in any form. MIL2 adds more requirements to the strategy, including the need for defined objectives, alignment with the overall organization’s strategy, and approval of senior management. Finally, in addition to requiring performance of all MIL1 and MIL2 practices, MIL3 warrants that the strategy be updated to reflect business changes, changes in the operating environment, and changes to the threat profile (developed in the Threat and Vulnerability Management domain).


Table 2: Mapping of Management Practices to Domain-Specific Practices

Objective 2: Manage Cybersecurity Risk (domain-specific practices) alongside the Management Practices at each MIL.

MIL1
  Domain-specific practices:
    a. Cybersecurity risks are identified
    b. Identified risks are mitigated, accepted, tolerated, or transferred
  Management practices:
    1. Initial practices are performed but may be ad hoc

MIL2
  Domain-specific practices:
    c. Risk assessments are performed to identify risks in accordance with the risk management strategy
    d. Identified risks are documented
    e. Identified risks are analyzed to prioritize response activities in accordance with the risk management strategy
    f. Identified risks are monitored in accordance with the risk management strategy
    g. Risk analysis is supported by network (IT and/or OT) architecture
  Management practices:
    1. Practices are documented
    2. Stakeholders of the practice are identified and involved
    3. Adequate resources are provided to support the process (people, funding, and tools)
    4. Standards and/or guidelines have been identified to guide the implementation of the practices

MIL3
  Domain-specific practices:
    h. The risk management program defines and operates risk management policies and procedures that implement the risk management strategy
    i. A current cybersecurity architecture is used to support risk analysis
    j. A risk register (a structured repository of identified risks) is used to support risk management
  Management practices:
    1. Activities are guided by policies (or other organizational directives) and governance
    2. Policies include compliance requirements for specified standards and/or guidelines
    3. Activities are periodically reviewed to ensure they conform to policy
    4. Responsibility and authority for performing the practices are assigned to personnel
    5. Personnel performing the practices have adequate skills and knowledge

A description of the management practices of each MIL can be found in the list below.

Maturity Indicator Level 0 (MIL0)

The model contains no practices for MIL0. Performance at MIL0 simply means that MIL1 in a given domain has not been achieved.

Maturity Indicator Level 1 (MIL1)

In each domain, MIL1 contains a set of initial practices. To achieve MIL1, these initial activities may be performed in an ad hoc manner, but they must be performed. If an organization were to start with no capability in managing cybersecurity, it should focus initially on implementing the MIL1 practices.

MIL1 is characterized by a single management practice:

  1. Initial practices are performed but may be ad hoc. In the context of this model, ad hoc (i.e., an ad hoc practice) refers to performing a practice in a manner that depends largely on the initiative and experience of an individual or team (and team leadership), without much in the way of organizational guidance in the form of a prescribed plan (verbal or written), policy, or training.

The quality of the outcome may vary significantly depending on who performs the practice, when it is performed, the context of the problem being addressed, the methods, tools, and techniques used, and the priority given to a particular instance of the practice. With experienced and talented personnel, high-quality outcomes may be achieved even if practices are ad hoc. However, at this MIL, lessons learned are typically not captured at the organizational level, so approaches and outcomes are difficult to repeat or improve across the organization.

Maturity Indicator Level 2 (MIL2)

Four management practices are present at MIL2, which represent an initial level of institutionalization of the activities within a domain:

  1. Practices are documented. The practices in the domain are being performed according to a documented plan. The focus here should be on planning to ensure that the practices are intentionally designed (or selected) to serve the organization.
  2. Stakeholders of the practice are identified and involved. Stakeholders of practices are identified and involved in the performance of the practices. This could include stakeholders from within the function, from across the organization, or from outside the organization, depending on how the organization implemented the practice.
  3. Adequate resources are provided to support the process (people, funding, and tools). Adequate resources are provided in the form of people, funding, and tools to ensure that the practices can be performed as intended. The performance of this practice can be evaluated by determining whether any desired practices have not been implemented due to a shortage of resources. If all desired practices have been implemented as intended by the organization, then adequate resources have been provided.
  4. Standards and/or guidelines have been identified to guide the implementation of the practices. The organization identified some standards and/or guidelines to inform the implementation of practices in the domain. These may simply be the reference sources the organization consulted when developing the plan for performing the practices.

Overall, the practices at MIL2 are more complete than at MIL1 and are no longer performed irregularly or in an ad hoc manner. As a result, the organization’s performance of the practices is more stable. At MIL2, the organization can be more confident that the performance of the domain practices will be sustained over time.

Maturity Indicator Level 3 (MIL3)

At MIL3, the activities in a domain have been further institutionalized and are now being managed. Five management practices support this progression:

  1. Activities are guided by policies (or other organizational directives) and governance. Managed activities in a domain receive guidance from the organization in the form of


3.3 Practice Reference Notation

A number of practices within the domains are connected to other model practices. When this occurs, the connecting practice is referenced using a notation that begins with the domain abbreviation, a hyphen, the objective number, and the practice letter. Figure 3 shows an example from the Risk Management domain: the domain’s first practice, “There is a documented cybersecurity risk management strategy,” would be referenced elsewhere in the model using the notation “RM-1a.”

Example: RM-1a, read as Domain Abbreviation (RM) - Objective Number (1), Practice Letter (a)

1. Establish Cybersecurity Risk Management Strategy
MIL1
  No practice at MIL1
MIL2
  a. There is a documented cybersecurity risk management strategy
  b. The strategy provides an approach for risk prioritization, including consideration of impact
MIL3
  c. Organizational risk criteria (… tolerance for risk, and risk response approaches) are defined
  d. The risk management strategy is periodically updated to reflect the current threat environment
  e. An organization-specific risk taxonomy is documented and is used in risk management activities

Figure 3: Referencing an Individual Practice, Example: RM-1a
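As an added worked example (not part of the C2M2 document or its toolkit), the cumulative MIL rule of Section 3.2 and the practice reference notation of Section 3.3 applied to the Risk Management practices shown in Figure 3 and Table 2; the reference letters assigned to the objective 3 management practices are an assumption, since the page numbers them 1-5 within each MIL.

```python
"""Cumulative MIL scoring for a C2M2 domain (added example, not from the
C2M2 document). Practice data is taken from the Risk Management (RM) domain
as shown in Figure 3 (objective 1) and Table 2 (objectives 2 and 3)."""
import re

# Reference notation from Section 3.3: <domain abbreviation>-<objective><letter>
REF = re.compile(r"^([A-Z]+)-(\d+)([a-z])$")

# Practice reference -> MIL at which the model expects it.
RM_PRACTICES = {
    # 1. Establish Cybersecurity Risk Management Strategy (Figure 3; no MIL1 practice)
    "RM-1a": 2, "RM-1b": 2, "RM-1c": 3, "RM-1d": 3, "RM-1e": 3,
    # 2. Manage Cybersecurity Risk (Table 2)
    "RM-2a": 1, "RM-2b": 1,
    "RM-2c": 2, "RM-2d": 2, "RM-2e": 2, "RM-2f": 2, "RM-2g": 2,
    "RM-2h": 3, "RM-2i": 3, "RM-2j": 3,
    # 3. Management Practices (Table 2: 1 at MIL1, 4 at MIL2, 5 at MIL3).
    # Letters a-j are assumed here; the page numbers these 1-5 within each MIL.
    "RM-3a": 1,
    "RM-3b": 2, "RM-3c": 2, "RM-3d": 2, "RM-3e": 2,
    "RM-3f": 3, "RM-3g": 3, "RM-3h": 3, "RM-3i": 3, "RM-3j": 3,
}


def parse_reference(ref):
    """Split a practice reference such as 'RM-1a' into ('RM', 1, 'a')."""
    m = REF.match(ref)
    if m is None:
        raise ValueError(f"malformed practice reference: {ref!r}")
    return m.group(1), int(m.group(2)), m.group(3)


def domain_mil(practices, performed):
    """Return (achieved MIL, practices missing at the first unmet level).

    MILs are cumulative: MIL n is earned only when every practice at
    MIL 1..n is performed, so a single gap at MIL2 caps the domain at MIL1
    no matter how many MIL3 practices are performed.
    """
    achieved = 0
    for level in (1, 2, 3):
        required = {ref for ref, mil in practices.items() if mil == level}
        missing = required - performed
        if missing:
            return achieved, missing
        achieved = level
    return achieved, set()


def score(practices, answers):
    """Score a self-evaluation per domain; `answers` maps reference -> bool.

    Grouping by the domain abbreviation keeps each domain's MIL independent
    of the others, as Section 3.2 requires.
    """
    by_domain = {}
    for ref, mil in practices.items():
        by_domain.setdefault(parse_reference(ref)[0], {})[ref] = mil
    performed = {ref for ref, done in answers.items() if done}
    return {dom: domain_mil(p, performed) for dom, p in by_domain.items()}


if __name__ == "__main__":
    # Constructed answers: everything performed except RM-2d (a MIL2 practice).
    answers = {ref: ref != "RM-2d" for ref in RM_PRACTICES}
    mil, missing = score(RM_PRACTICES, answers)["RM"]
    print(f"RM achieved MIL{mil}; blocking gap: {sorted(missing)}")
```

Running the block reports MIL1 for RM with RM-2d as the blocking gap, even though all nine MIL3 practices are marked performed.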


4. USING THE MODEL

The C2M2 is meant to be used by an organization to evaluate its cybersecurity capabilities consistently, to communicate its capability levels in meaningful terms, and to inform the prioritization of its cybersecurity investments. Figure 4 summarizes the recommended approach for using the model. An organization performs an evaluation against the model, uses that evaluation to identify gaps in capability, prioritizes those gaps and develops plans to address them, and finally implements plans to address the gaps. As plans are implemented, business objectives change, and the risk environment evolves, the process is repeated. The following sections discuss the preparation activities required to begin using the model in an organization and provide additional details on the activities in each step of this approach.

Figure 4: Recommended Approach for Using the Model

4.1 Prepare To Use the Model

A design goal of the model was to enable organizations to complete a self-evaluation for a single function in less than one day without extensive study or preparation. This goal is achieved in part because the model is supported by an evaluation survey and scoring mechanism and the evaluation survey itself is performed in a workshop setting, led by a facilitator who is familiar with the model content. An important component of successfully completing the self-evaluation in one day is the selection of an effective facilitator. Generally speaking, a C2M2 facilitator is not only someone who is familiar with the model and its supporting artifacts but also someone who is effective at helping a group of people understand their common objectives and assisting them in planning to achieve these objectives without taking a particular position in the discussion.