
Cybersecurity Maturity Model Certification – Understanding Cybersecurity Maturity Models

Posted: Sep 2021

CMMC – Understanding Cybersecurity Maturity Models

Cybersecurity maturity models were created to assess the success of software projects for the DoD. Explore the CMMC, its predecessors, and maturity levels.


In December 2020, the Cybersecurity and Infrastructure Security Agency issued an urgent warning. American intelligence agencies believed that hackers had penetrated government systems.

Investigators found evidence that the intruders had used more tools than previously identified. This represents “a grave risk to the federal government”. The warning didn’t provide details about the attacks.

Yet this confirmed suspicions that hackers have found new routes into government networks. This impacts the day-to-day business of the United States.

Espionage has been a threat to governments throughout history. Today’s dependence on information technology (IT) has created new risks. The Cybersecurity Maturity Model Certification (CMMC) is the DoD’s program for assessing the cybersecurity of its contractors.

Keep reading to explore CMMC, its predecessors, and maturity levels.

History Leading to Current Cybersecurity Maturity Models

In 1947, the Armed Services Procurement Regulations set rules for federal government purchasing. This led to the Federal Acquisition Regulation (FAR). Title 48 of the Code of Federal Regulations (CFR) codified the FAR in 1984. The FAR established a uniform structure for federal agencies to follow.

The Defense Federal Acquisition Regulation Supplement (DFARS) amended the rules for purchases. This addressed goods, services, and technology used by the DoD and government agencies.

The goal of DFARS is to secure controlled unclassified information (CUI). It also covers the government’s sensitive information held or used by third parties.

In 2017, the DoD released regulatory standards for all its vendors. The purpose was to protect and guard covered defense information (CDI). The rules address how contractors’ systems/networks store and send CDI.

The cybersecurity standards underwent further revisions. The DoD urged prime contractors and subcontractors to complete a tiered certification. In 2019, the DoD CIO, Dana Deasy, identified tier-three and tier-four subcontractors as the highest risk.

Deasy described subcontractors as lacking the understanding or equipment to defend themselves, and asked what resources could help them improve their defenses.

In June 2020, Katie Arrington, the official leading the CMMC rollout, emphasized industry feedback. Arrington stated, “it’s not a ‘me’ thing, it is a ‘we’ thing”.

She echoed concerns about DoD’s inconsistent contractor cybersecurity practices. Arrington went on to say, “We should be infuriated about what has happened to our data”.

Cybersecurity Maturity Model Certification (CMMC)

These experiences and concerns led DoD to set new universal standards. Experts felt that DFARS adoption was too slow to meet current threats. DFARS was also a one-size-fits-all plan that allowed contractors to falsely report compliance.

The CMMC focuses on assessing and improving the Defense Industrial Base’s cybersecurity. The end-point goal is to protect CUI in the supply chain.

To meet this goal, the DoD developed a five-level cybersecurity maturity scale. This allows DoD contractors to see which level they must meet to become certified. This is known as the CMMC standard.

A series of high-profile DoD information breaches fueled the development of the CMMC. The DoD reviewed the National Institute of Standards and Technology Special Publication NIST SP 800-171. They focused on increasing and evolving threats, often involving nation-state actors. The CMMC framework Version 1.0 was released in January 2020.

The Capability Maturity Model Integration or CMMI Institute

The Software Engineering Institute at Carnegie Mellon University developed the CMMI. The U.S. Government and the DoD also participated in CMMI’s creation. It’s a process improvement tool for use in projects, divisions, or businesses.

The CMMI provides standards for DoD and U.S. Government software development contracts. The Information Systems Audit and Control Association (ISACA) bought the CMMI Institute in 2016. Now, the CMMI Institute administers the CMMI.

The CMMI framework

The CMMI has evolved over time to make it more user-friendly. It’s also become easier to integrate and deploy. The increase in cost-effectiveness encourages companies to focus on quality instead of quantity.

The CMMI sets benchmarks for vetting suppliers and vendors. It detects and corrects process issues. This reduces risk and builds a culture that supports CMMI.

CMMI Maturity Levels

The CMMI model divides businesses into five maturity levels. The optimal goal is for businesses to reach Level 5 maturity. This promotes an ongoing focus on maintenance and process improvement.

Each certification level builds on the technical standards of the previous level. The levels split into 17 security domains that align with the NIST framework. The CMMC levels are like the CMMI levels but focus on cybersecurity.

The following provides the definition for each CMMC maturity level.

Level 1

Documentation showing the performance of basic cyber hygiene practices. Examples include ensuring routine employee password changes and antivirus software use.

Level 2

Documentation of specific intermediate cyber hygiene practices. These actions must protect CUI by implementing the NIST 800-171 Revision 1 standards.

Level 3

Implementation of business-wide management plans ensuring good cyber hygiene practices. The actions must safeguard CUI. They’re also required to meet all NIST 800-171 r1 security rules and other standards.

Level 4

Implementation of procedures to review and measure the effectiveness of the plan. The company must also show that they have enhanced security practices.

These detect and respond to the changing tactics, techniques, and procedures of advanced persistent threats (APTs).

Level 5

Implementation of optimized and standardized processes and further practices to enhance security. The company must demonstrate sophisticated abilities and processes for APT identification and response.

How to Conduct a Risk Assessment

Performing self-assessments helps ensure that your company meets the CMMC requirements. The following guide provides the steps used for NIST SP 800-30 risk assessments.

Test Your Current Systems

Create a list of all systems and their purpose. What are their software and system interfaces? What hardware do you use in your company processes?

Define what type of data you store, use, or send via company systems. Which employees have access to this data? Define your boundaries, objectives, and system functions.

After you have a complete picture of your critical data, you can look for vulnerabilities. This creates baseline information for process improvement.

Conduct a Systems Check

Some companies use in-house IT employees while others outsource their IT management. In either case, it’s vital to conduct cybersecurity system threat assessments.

Create a list of cyber threats and cyberattacks identified in the past. Review the details of each event to work toward improved security measures. Check all systems to ensure that they’re completing security actions as planned.

Define Vulnerabilities

After completing your system assessment, you should be able to see vulnerable areas. If weaknesses exist in your infrastructure, this may pose a big problem. Any hole that allows hackers to enter your system raises your risk score.

The NIST 800-30 assessment helps find and expose these vulnerabilities. Review previous assessments to compare findings. Run security tests and create a map of all places at risk for a breach.

Examine and Check Your Controls

This step is only required if you have found vulnerabilities. After you identify a problem, defining controls can help mitigate the issue more quickly. This works especially well for covering small security problems.

Analyze your controls and run test scenarios following corrective measures. This ensures that you’ve enhanced your security stance for the future.

Determine Your Chance of a Cyberattack

The next step involves identifying potential cybersecurity threats. What is their motivation for attacking your company? Estimate their ability to harm your systems.

Use this information to evaluate the risk posed by each cyber threat or attack. If you’ve found multiple threats, spend more time exploring each risk. Be sure to document all information, including updates to cybersecurity protocols.

Evaluate Your Company’s Cybersecurity Impact and Risk

Now that you understand your company’s cybersecurity risks, measure the potential impact. Determine how critical identified risks are.

Examine your controls and determine the probability of an attack. Combining that probability with the potential impact gives your risk level. Use this data to fortify your IT infrastructure.

Put Updates In Place

Following CMMC and NIST 800-30 standards, implement the changes you’ve decided upon. Always focus on threat risks and improved cybersecurity to reduce attacks. You’ll have more confidence that the data you handle is safe.

Convey Your Process Improvement to Shareholders

It’s valuable to notify all stakeholders of improved security measures. This keeps them informed, involved, and invested in promoting your company. When everyone is on the same page, the partnership is more solid.
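The assessment steps above, turned into a working risk register as an added illustration (this is not code from the original article or from Bridgehead). The Asset and ThreatEvent types, the sample entries, and the simplified likelihood-by-impact matrix are assumptions made for the example.

```python
"""Constructed risk register for the NIST SP 800-30 style self-assessment above.
The matrix approximates SP 800-30 Rev 1 Appendix I Table I-2; verify before relying on it."""
from dataclasses import dataclass, field
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]
# Rows: likelihood, columns: impact, both in LEVELS order (approximation of Table I-2)
RISK_MATRIX = [
    ["Very Low", "Very Low", "Very Low", "Low",      "Low"],        # Very Low likelihood
    ["Very Low", "Low",      "Low",      "Low",      "Moderate"],   # Low
    ["Very Low", "Low",      "Moderate", "Moderate", "High"],       # Moderate
    ["Very Low", "Low",      "Moderate", "High",     "Very High"],  # High
    ["Very Low", "Low",      "Moderate", "High",     "Very High"],  # Very High
]
@dataclass
class Asset:                  # step 1: inventory of systems and the data they hold
    name: str
    handles_cui: bool         # stores, processes or transmits CUI
    users: list = field(default_factory=list)   # who has access to that data

@dataclass
class ThreatEvent:            # steps 2-5: threat, likelihood after current controls, impact
    asset: Asset
    event: str
    likelihood: str           # one of LEVELS
    impact: str               # one of LEVELS
    controls: list = field(default_factory=list)

def risk_level(likelihood: str, impact: str) -> str:
    """Step 6: combine likelihood and impact into a qualitative risk level."""
    return RISK_MATRIX[LEVELS.index(likelihood)][LEVELS.index(impact)]

def mitigate(threat: ThreatEvent, control: str, new_likelihood: str) -> str:
    """Step 4: record a control that lowers likelihood and return the re-scored risk level."""
    threat.controls.append(control)
    threat.likelihood = new_likelihood
    return risk_level(threat.likelihood, threat.impact)

def prioritize(threats: list) -> list:
    """Order the register so the highest risks, and among equals those touching CUI, come first."""
    key = lambda t: (LEVELS.index(risk_level(t.likelihood, t.impact)), t.asset.handles_cui)
    return sorted(threats, key=key, reverse=True)

# Constructed sample register for a small contractor (not real assessment data)
fileserver = Asset("CUI file server", handles_cui=True, users=["engineering", "contracts"])
website = Asset("Marketing website", handles_cui=False, users=["marketing"])
REGISTER = [
    ThreatEvent(fileserver, "Password attack on remote access", "High", "Very High"),
    ThreatEvent(fileserver, "Ransomware via phishing attachment", "Moderate", "Very High"),
    ThreatEvent(website, "Denial of service", "Moderate", "Low"),
]
```

Re-running `prioritize` after each `mitigate` call shows how a single control reorders what to fix next.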

Benefits of Network Security Monitoring

With cyberattacks on the rise, there’s a significant chance you may become a victim. Money is a prime motivator for these attacks.

This is especially seen in ransomware attacks. In this situation, criminals take your systems offline until you pay the ransom.

There are several steps you can take to reduce your risk. First, you need a strong cybersecurity plan that’s adaptable and ever-evolving. The following describes the most common IT security risks:

* Password attacks

* Denial of service

Using an IT service management company gives you access to network experts. They track your system in real-time to efficiently detect issues and decrease downtime. This service tracks your network’s operating status and provides reports.

If any device contacts the network, this monitoring service immediately checks it. This ensures the identification of any malicious attempts. It also watches for interference in traffic flow or device failure and sends an alert.

These services ensure that your administrators understand the network baseline performance. This makes it easier to detect sudden, unexpected changes that may signal a threat.

Administrators are also able to see how different devices affect network performance. This data provides the information needed to optimize system operations. They’re also able to anticipate future needs.

Would Your Company Benefit from an IT Service Management Service?

CMMC compliance is key if you’re competing for government contracts. Bridgehead I.T. is ready to help your company achieve its goals. Our experts will provide collaborative advice about products and services.

Bridgehead’s advisors range from account managers to technicians. They solve IT issues and provide ongoing evaluation of your business environment. The goal is to help you reach the best possible outcome within your budget and timeline.

Contact us today to learn about the benefits of using our IT experts.
