Sectrio

CMMC Compliance Assessment: Current and Target Maturity Models

What do the current models and the target models look like now? As I mentioned earlier, CMMC can be used beyond DoD and federal contracts, based on what needs to be achieved in terms of overall cyber hygiene and the state of security that the organization has. Some of the organizations who have implemented this, regardless of their involvement with the government, have also seen that it has significantly increased the security team's efficiency when there are threats, and the amount of time that the analysts spend in the incident response plan has also significantly improved with this type of model.

So what we see in the current profile is that some of the challenges and limitations are also an obstacle to adopting this kind of certification model. Starting with the first one, complex legacy infrastructure: how do we know what systems are in place if we do not know which of the systems we see today are managed by us, how they are constantly being updated, or what the security plan on those endpoints is? We will not be able to map them against the compliance needs. Visibility is the first and foremost critical component to enhancing the current profile of what we see in our existing security infrastructure.

There is also limited security maturity and limited controls, especially when it comes to the CMMC compliance level. It is an elaborate list of practices that we need to adhere to as companies and organizations, but most importantly, how well do we achieve it, and what level of CMMC compliance is required for us? Level one should be sufficient for the FCI contracts, but as we go beyond into larger projects and larger contract values, it requires that we have much more robust plans that build in controlled unclassified information. What does this look like? Can I include my operational technology as part of my unclassified information, even though I'm not directly taking any customer data into my network? That is again a gray area. Whenever there is any data flowing inside the network, and if there is a component that is involved, it falls under the compliance mandates that are required to be adhered to by organizations.

We have also seen that there is a large landscape out there when it comes to incompatibility, and also the legacy technologies which do not have certain security controls, be it basic password changing or something that is already hardcoded, cannot be updated or haven't been updated for years. That is also adding to this level of complexity.

What does the target profile look like? The first thing is understanding, when you look at your complex infrastructure, what building out an action plan, or a plan of action, looks like. We did our self-assessments, but it is important that we bring in a third party to conduct those robust vulnerability and risk assessments, to be able to build the level two and above set of compliance that we need to manage. Some of them require a significant amount of time and effort if done internally within the organization, but with automation and some technical tools that are already available in the marketplace, this is becoming more of a go-to place for quite a lot of security leaders, who can immediately build this plan of action and start executing it.

Prioritization is another important aspect. Risk scoring and the maturity scores are all dependent on the type of infrastructure that is available. So how do we submit these scores? What are we validating these scores against, whether it is based on the severity, or based on the type of equipment or the type of infrastructure we have inside the network? What is acceptable under the CMMC type post that they recommend? And again, involving some of these security assessments will help in identifying an accurate maturity score that can then help us build a fully cyber-resilient ecosystem, I would say.

Now, mapping these risks to our organizational risks: while we have some compliance and mandates, there are about 17 domains and 171 practices against the maturity level that need to be mapped. So why are we doing this? How does it positively affect our organization? How is this going to help our organization? OT security is another way to map this compliance, and eventually, finally, staying compliant, which is not a one-time activity. There is level five and above, which details that it has to have continuous monitoring and continuous updates to some of the infrastructure innovation that is going on, especially in the OT space. So staying compliant means obtaining this constant monitoring and checking that box off, that we're not just doing it once a year to be audited or to be able to certify ourselves and then look at it once every year; this ongoing process, or continuous model, helps the companies stay compliant.

This is where the majority of the organizations that we have seen, at least about 60 to 65 percent of the customers that we talk to today, are investing in what should be their target profile when it comes to cybersecurity maturity within the organization. Some of the earlier adopters in their overall security journey have seen that this has helped them build those baseline profiles and build that framework, which then gets easier. Some organizations and customers that we talk to are already on the path of implementing some controls, but then they're always constantly looking at what other technologies they can include to enhance the current process model as well.
