Professional Documents
Culture Documents
Cybersecurity Maturity Model
Cybersecurity Maturity Model
Cybersecurity Maturity Model
Report #: 202008061030
Agenda
• Executive Summary
• Background
• What is Cybersecurity Maturity
Model(CMM)
• History of CMM
• Why use CMM
• How to use CMM
• Notable Cybersecurity Maturity Models
• Cybersecurity Capability Maturity Model
(C2M2)
• NIST Cybersecurity Framework
• Cybersecurity Maturity Model Certification
• How can CMM be used to protect the
Health/Public Health Sector Slides Key:
• Using CMMs to provide customer with
continuous service Non-Technical: managerial, strategic
• Using CMMs to protect sensitive and high-level (general audience)
information
• Using CMMs to comply with laws and Technical: Tactical / IOCs; requiring
regulations in-depth knowledge (sysadmins, IRT)
• Provides a structure for organizations to baseline current capabilities in cybersecurity workforce planning,
establishing a foundation for consistent evaluation
• Management tool for leadership in identifying opportunities for growth and evolution
Optimizing
Managed/Review
Defined/Maintenance
Developing
Initial
NICCS (2014)
2020
2012 Cybersecurity
1986 Cybersecurity Maturity
Capabilities Capability Model
Maturity Maturity Certification
Model (CMM) Model (C2M2) (CMMC)
2006 2013
Capability NIST
Maturity Cybersecurity
Model Framework
Integration (CSF)
(CMMI)
Provide current
security posture
Help CISOs to
communicate Benchmarking
security to against industry
Board
Help in
Security
optimizing
strategy and
security
roadmap
investments
Balancing
cyber security
portfolio
NICCS (2014)
ACT Plan
• Develop lessons • Select Cybersecurity
learned Maturity Model or
Framework
• Establish baselines,
• Identify Assessment
• Make adjustments as Tool
needed
• Conduct Security
• Continue cycle again Assessment
Check Do
• Verify the Security
• Implement Security
Controls
Controls
• Self-Assessment
• Develop Policies
• Third Party
• Conduct training
verification
NICCS (2014)
Demming, E. W. (1982)
• Developed in 2012, updated • Published first in 2014. Updated in • Created in 2019 and updated in
in 2014 and 2019. 2017 and 2018. 2020.
• Developed • Collaborative effort of industry, • Developed in concert with
collaboratively with an academia, and government Department of Defense
industry advisory group from coordinated by the National stakeholders, University Affiliated
government, Industry, and Institute of Standards and Researchers, Federally Funded
academia led by the Technology (NIST). Research Centers, and the
Department of Energy in • Mandated by the Cybersecurity Defense Industrial Base and led
partnership with the Enhancement Act of 2014 (CEA). by the Office of the Under
Department of Homeland • Brings best practices from industry Secretary of Defense for
Security. and government but practices are Acquisition and Sustainment.
• Derived from cybersecurity derived directly from NIST 800-53, • From NIST SP 800-171, Security
best practices from Security and Privacy Controls for Requirements for Controlled
government and industry. Federal Information Systems and Unclassified Information, and the
• Originally developed for Organizations, April 2013. Defense Acquisition Supplement.
critical infrastructure but • Developed to improve • For Defense Industrial Base
updated to be applied to all cybersecurity risk management for Contractors and will require a
sectors with information and critical infrastructure but can be third- party certification. [3]
operations technology. [1] used by any sector or community.
[2]
[1] Department of Energy (n.d.) [2] NIST (n.d.) [3] CMMC (2020)
Security 10 21 17
Domains/Categories
Processes/Subcategorie 38 108 44
s/Capabilities
[1] Department of Energy (n.d.) [2] NIST (n.d.) [3] CMMC (2020
• Level 2:
• Risk assessments are performed to identify risks
1 according to organization-defined triggers
• Risks are recorded in a risk register
• Risks are analyzed to select and prioritize risk
responses using defined risk criteria
• Risks are tracked to ensure that risk responses are
0 implemented
• Level 0:
0
Cybersecurity Capability Maturity Model (C2M2) Program. (n.d.).
3 • Tier 3: Repeatable
• Risk management Process - practices are formally
approved and expressed as policy.
• Integrated Risk Management Program – There is
1
NIST (2018
• Tier 1: Partial
• Risk Management Process Organizational
NIST (2018
Protecting Information
• Healthitsecurity.com reported that so far this year the top 10 Healthcare Sector data breaches accounted for
almost 3 million patient records being compromised [1]
• A 2020 Verizon Data Breach Report found that:
• data breaches in the Health Sector were up 71% from the 2019 Report;
• almost half of data breaches were by company insiders;
• The majority of data stolen was personal and medical information; and
• security awareness training was recommended as a top security control [2].
NICCS (2014)
[1] (Healthitsecurity.com, 2020), [2] (Verizon, 2020
Below are some links to some trusted government websites that can provide free resources that can help
organization to assess their cybersecurity maturity and keep informed of vulnerabilities, threats, and general
information affecting the Health Sector.
• HIPAA Security Rule Crosswalk
• https://www.hhs.gov/hipaa/for-professionals/security/nist-security-hipaa-crosswalk/index.html
• Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients
• https://www.phe.gov/Preparedness/planning/405d/Pages/hic-practices.aspx
• Health Sector Cybersecurity Coordination Center (HC3)
• https://www.hhs.gov/hc3
NICCS (2014)
The HHS 405(d) Program published the Health Industry Cybersecurity Practices (HICP), which is a free
resource that identifies the top five cyber threats and the ten best practices to mitigate them. Below are
examples from HICP that can be used to mitigate some common threats.
Recipients of this and other Healthcare Sector These recommendations are advisory and are
Cybersecurity Coordination Center (HC3) Threat not to be considered as Federal directives or
Intelligence products are highly encouraged to standards. Representatives should review and
provide feedback. If you wish to provide feedback apply the guidance based on their own
please complete the HC3 Customer Feedback requirements and discretion. HHS does not
Survey. endorse any specific person, entity, product,
service, or enterprise.
Products
Sector & Victim Notifications White Papers Threat Briefings & Webinar
Directed communications to victims or Document that provides in-depth information
Briefing document and presentation that
potential victims of compromises, vulnerable on a cybersecurity topic to increase
provides actionable information on health
equipment or PII/PHI theft and general comprehensive situational awareness and
sector cybersecurity threats and mitigations.
notifications to the HPH about currently provide risk recommendations to a wide
Analysts present current cybersecurity topics,
impacting threats via the HHS OIG audience.
engage in discussions with participants on
current threats, and highlight best practices
and mitigation tactics.
Need information on a specific cybersecurity topic or want to join our listserv? Send your request for
information (RFI) to HC3@HHS.GOV or call us Monday-Friday, between 9am-5pm (EST), at (202) 691-2110.
Visit us at: www.HHS.Gov/HC3