How not to create a Maturity Model for Third Parties

The US Department of Defense recently released version 0.4 of its CyberSecurity Maturity Model Certification (CMMC). This is supposed to make third parties more accountable for their security controls to the DoD for the sensitive information they handle.

If you cannot follow the link, it is because you are not in the US. They have restricted the distribution of this Unclassified document to internal US IP addresses only. Only to be foiled by sneaky people using VPNs. Why even bother?

If you’re hoping for some pearls of wisdom that may help you with your own Third Party security controls, I’d advise you to sit back and wait for version 0.5.

The maturity levels created for each capability area are the same throughout. They are essentially a cut and paste of each other with the appropriate capability area updated. This model was put together by Carnegie Mellon University and Johns Hopkins University. And what value they have provided. Let’s take a look at the detail.

Into the Detail

As you can see, the maturity requirements for each capability area are direct copies. Now there is an argument that says this makes some sense, as you would expect there to be some consistency of approach. OK, I get that.

My main concern is with the logic that applies when you traverse maturity level boundaries.

Let’s use Access Control as an example. As you can see from the diagram, you get level 1 maturity for free. This makes sense as it is the lowest possible level of maturity available.

So what do I need for Level 2?

I need:

  • A Policy;
  • A Process to implement; and
  • A Plan.

Not quite sure what a Plan for Access Control would look like in this context, but I will let this one drift for the moment. Let’s pretend that it actually means something. OK, we are on a roll.

What do I need for Level 3?

I need:

  • To review the activities for conformance;
  • And we need to provide some resources.

This almost makes sense until we play it backwards. What this is actually saying is:

IF (you have a Policy) AND (you have a Process to implement) AND (you have a Plan) …….

BUT (you HAVE NOT checked conformance) OR (you HAVE NO resources) …….

You are still Maturity Level 2.

Let that sink in for a moment. All we have are three pieces of paper. A Policy, a Process and a Plan. We have no resources and we are not checking that any of the three pieces of paper are being used properly. But we are still maturity level 2. Unfortunately, this is not the end of the absurdity. It actually gets better.

What do we need for Level 4?

I need:

  • To inform high-level management (????? Have you been doing this by stealth somehow?);
  • For the control activities to be effective.

So let’s play the reversal game again. What this is saying is:

IF (you have NOT informed high-level management) OR (the controls applied are NOT effective)….

You are still at Maturity Level 3. This is a pretty high level to be at when your controls are proven to be ineffective.

But the best is left till last.

What do I need for Level 5?

I need:

  • to have standardised documentation;
  • to apply improvements organisation-wide.

Let’s just let that penny drop. You need to have standardised documentation (maybe like a Policy, a Process and a Plan perhaps) and you need to be using them across your entire organisation.

Not for a single moment did I think that the Policy, Process and Plan at maturity level 2 were for discrete systems. I sort of assumed that they were organisation-wide. Not once did I think that improvements to access control would be limited to discrete systems either.

So basically, there is no difference between ML4 and ML5, because you already have the documentation and you are already using it organisation-wide.

I can’t wait for version 0.5 to come out.
