Good News for CMMI Organizations Seeking to Adopt CMMC

2023-05-11
SteelToad
CMMI Organizations Seeking to Adopt CMMC

Maturity models like the Capability Maturity Model Integration (CMMI) and the Cybersecurity Maturity Model Certification (CMMC) are used to understand the current maturity level of an enterprise or Organizational Unit (OU) and to guide the enterprise toward increasing its capabilities in Development, Services, Supplier Management and Security.

In this article, SteelToad discusses how existing CMMI enterprises can use their experience in maturity model adoption to implement CMMC and achieve security best practices. Using CMMC will guide your organization toward an integrated and repeatable security approach to governance and management, not only to meet federal contract requirements, but also to streamline security procedures and improve processes. Implemented correctly, organizations may align CMMI and CMMC to meet the enterprise's business objectives; these efforts need not be herculean, and with the right focus they will improve both business and security performance. Both CMMI and CMMC models may be adopted as an iterative process.

Just as CMMI may be required to compete for many government contracts today, CMMC will be required by the Department of Defense for all DoD contractors to compete for contracts once rule making is complete, expected in Q1 of 2023.

CMMI organizations will find similarities between CMMI Practice Areas (PAs) and CMMC Domains. Both models provide a roadmap and evolutionary pathway for improvement.

Below are several areas of these maturity models which have parallels. Further detailed information and comparisons will be provided by SteelToad in an upcoming whitepaper.


  • CMMI Levels practices (Level 1, Level 2, Level 3, Level 4, Level 5) and CMMC Levels practices (Level 1, Level 2, Level 3)

  • CMMI Governance, Implementation Infrastructure and Process Assets and CMMC Policies, Processes, and Procedures

  • CMMI Organizational Training (OT) and CMMC Awareness & Training (AT)

  • CMMI Configuration Management (CM) and CMMC Configuration Management (CM)

  • CMMI Incident Resolution and Prevention (IRP) and CMMC Incident Response (IR)

  • CMMI Risk and Opportunity Management (RSK) and CMMC Risk Assessment (RA)

  • CMMI Managing Security Threats and Vulnerabilities, Enabling Safety, and Enabling Security and CMMC Personnel Security (PS), Physical Protection (PE), Vulnerability Scan, Vulnerability Remediation, Plan of Action, Flaw Remediation and Scanning

  • CMMI Process Management (PA) and CMMC Security Assessment


In addition, contractors should consider if and how to integrate the CMMI and CMMC models. Organizations integrating ISO, CMMI and CMMC may gain economies of scale, with better business performance and return. CMMI organizations usually make their process descriptions, process assets, processes and records available in an internal process asset library.

However, there are also reasons why a contractor may decide not to integrate the CMMI and CMMC models. CMMC policies, procedures and records, such as security risks, POA&Ms, security assessment results, audit reports, maintenance activities and configuration management records, may well be subject to additional security controls with limited user access within the CMMC boundary, and so may not belong in a shared process asset library.

Maturity models like CMMI and CMMC are a way of organizational life. Developing meticulous plans to achieve a CMMI rating and a CMMC certification based on company goals is key to both business performance and increasing security capabilities.

For information on SteelToad's CMMI and CMMC practices, please reach out to us at team@steeltoad.com.
