What is a Cybersecurity Maturity Model?
POSTED ON April 20, 2022
Cyberattacks have risen sharply in recent years, hitting businesses of all sizes and industries. By one widely cited industry estimate, global damages reached $6 trillion in 2021 and are projected to reach $10.5 trillion by 2025.
Small and medium businesses (SMBs) have proven particularly vulnerable, with 52 percent of SMBs reporting a cyberattack in the past year, and some reports claiming that 60 percent or more of those hit go out of business as a result. For that reason, it is more important than ever for SMBs to implement the strongest cybersecurity protections and strategies their budget allows.
One framework for an SMB to consider as it looks to advance its security posture is a cybersecurity maturity model: a set of defined levels, each with required practices and a required form of assessment, that an organization works through in order. The best-known example is the Department of Defense's Cybersecurity Maturity Model Certification (CMMC), which applies to defense contractors that handle federal contract information (FCI) or controlled unclassified information (CUI). Its milestones can help guide an SMB, or any business, in advancing its cybersecurity posture and limiting overall risk.
In the most recent iteration of CMMC (CMMC 2.0), there are three levels of maturity for an organization to work through.
Foundational (Level 1). At this level, organizations must implement 17 basic practices derived from the Federal Acquisition Regulation's basic safeguarding clause (FAR 52.204-21), such as physical protection, access control, and limiting system access to authorized users. These basic protections are a sensible starting point for an SMB building its cybersecurity strategy. Level 1 also requires an annual self-assessment, which is another good practice for SMBs to adopt to evaluate where they stand on risk mitigation.
Advanced (Level 2). This second level goes further, requiring the 110 security requirements of NIST SP 800-171. A key component is more rigorous assessment: under CMMC 2.0, most Level 2 contractors need a third-party assessment every three years, with annual self-assessments permitted only for a subset of programs. SMBs can use NIST SP 800-171 as a roadmap for advancement and its companion, NIST SP 800-171A, as the procedure for checking whether each requirement is actually met, rather than merely documented.
Expert (Level 3). The highest level is aimed at organizations supporting the most sensitive programs, which face a high risk of attack by nation-state actors, but SMBs can still learn from its principles. It adds a subset of the enhanced security requirements from NIST SP 800-172 (35, as currently proposed) on top of the Level 2 requirements, and assessments at this level are conducted by the government rather than by the organization itself.
SMBs can take two lessons from these levels. First, they should use established frameworks such as NIST SP 800-171 to guide how they advance their cybersecurity maturity, rather than assembling controls ad hoc. Second, they should assess, on a regular schedule, how effectively those protections are actually working to limit their risk, because a control that is written down but not verified provides little protection.
Unfortunately, no organization can be made 100 percent resilient to attack. It is possible, however, to limit the risk an organization faces every day by strategically implementing the protections that make the most sense for its risk profile.
By taking these steps, SMBs can tip the scales in their favor and avoid becoming another statistic.