Capability Counts Series: Strengthening Cyber Compliance with CMMI V2.0
By Sara Deaton, President, Atomic Wombat Inc, and Benjamin Luthy, Specialist Master, Deloitte
Cyber compliance is no longer an option and can’t be an afterthought—it is required and must be a priority.
Many professionals think that cybersecurity is a daunting task. Its processes are often misunderstood because they are mistakenly classified as purely technical functions. The reality is that cyber is much broader: it includes business process methods and how cybersecurity can support the business.
One of our strongest pieces of advice for all organizations—and especially those involved with the U.S. Department of Defense—is to ensure that the process team works with the cyber experts early on in projects and to verify that there are clear, enforced goals for process improvement. Also, the cyber processes need to work well with the company’s other documented processes.
Early integration will help to eliminate “catch-up” with cyber requirements in an already completed project. The sooner you start working together, the more effective you will be at planning your project and understanding what is expected from each side. Have that inclusion from the start and integrate it as you work in an Agile method.
Continuous Improvements
Many professionals have concerns about upcoming cyber laws, and a solution is to ensure governance is in place that recognizes cybersecurity as a priority of the organization. Support from the C-level and internal stakeholders is critical. Metrics are an important aspect of cyber, and they are a realistic, tangible asset to hand to the stakeholders who are investing so that you have the proper support within the business.
When it comes to process, focus on continuous improvements and continually monitor your results.
Those who have a process improvement background can work with the cyber experts, who then pull together what is needed to be compliant – it’s not as scary as it seems! It can be done in an effective way that will help support the bottom line. The requirements are often daunting on first reading, but if you go back to the concepts that process improvement specialists have shared over the years, it will go smoothly.
We are passionate about sharing how to implement cyber using CMMI V2.0 and how it overlaps with the compliance requirements that are developing in the cyber world. CMMI V2.0 and its Practice Areas are very complementary to what is now required compliance-wise in the DoD arena. If a company is not compliant, it cannot play.
Cybersecurity Is Now Part of Doing Business
Several governmental bodies have mandated cybersecurity standards for their contractors. For example, many companies will need to be certified to the Cybersecurity Maturity Model Certification (CMMC) by 2021, and the DoD has identified security as the new fourth pillar in acquisition decisions, joining performance, schedule, and cost.
CMMI V2.0 and cyber compliance frameworks are complementary and provide an extra layer of protection. They identify Practice Areas, value, and intent, and implement a top-down approach from leadership to users. They also address supply chains, configuration management, governance and policy, planning, and monitoring.
CMMC and CMMI V2.0 share the same basic architecture and therefore have a similar look and feel. CMMI V2.0 has Practice Areas that contain practice statements to ensure implementation objectives, and has five levels of maturity, for which ratings are achieved through CMMI appraisals, led by CMMI Certified Lead Appraisers. CMMC has domains that contain cybersecurity best practices and ensure implementation objectives, has five levels of certification and also has an assessment method. Lead Assessors conduct assessments to deliver certifications to companies that demonstrate compliance.
Getting started with compliance means that an organization needs to know where it currently stands and must identify its strengths and weaknesses. To help prevent re-work and ensure resources are focused in the right direction, it should start with a gap analysis. This can directly map to CMMI V2.0 process improvement and a cyber compliance framework.
The Practice Areas in CMMI V2.0 will help with managing the project and developing the process assets, and they provide additional support for institutionalizing the developed cyber processes. Institutionalization, within the CMMC model, provides additional assurance that the practices associated with each level are implemented effectively. Some of the other CMMI V2.0 Practice Areas also provide direct support to the cyber domains. In addition, ISACA is planning to release a new Capability Area called Managing Security and Safety. This new Capability Area will contain Practice Areas such as Enabling Security, Managing Threats and Vulnerabilities, and Enabling Safety. After this release, CMMI V2.0 and CMMC will be even more in sync and supportive of each other.
Cybersecurity must be brought into a project from the beginning of the design of a product to increase the chance of success. This is not a silo—everyone in the organization is responsible for a secure environment. A solid cybersecurity program saves money and helps prevent inadvertent data leaks, social engineering risks, and the leaking of controlled unclassified information (CUI) and Federal Acquisition Regulation (FAR) information.
Plan the Work and Monitor
Cybersecurity compliance, especially now in the government sector, is a project with tangible deadlines. As such, it is key to develop milestones for the project and have regular meetings with stakeholders. It is important to keep communication lines open regarding costs, resources and any difficulties with supply management.
Not surprisingly, users are the weakest link. Organizations need to balance the implementation of security while not hindering job performance. This may entail central control and defense in depth, education on phishing campaigns, door and inventory checks, and controls on data exports.
Once the compliance project is completed, it is not time to prop up your feet and call it a day. Organizations must continue to monitor processes and implementation, control changes and test updates.
Achieve Results
For any new product or production to have the greatest chance at delivering on promises, it is good to have cyber involved early. This helps all involved to benefit from continuous improvements and focus on how they are going to achieve success. Organizations that partner quality process management with cybersecurity can simplify and streamline work to get to the finish line. As we often say, you don’t have to give each other the whole burrito, but you do need to share the ingredients.