Affiliation
Department of Electrical and Computer Engineering, Morgan State University
Issue Date
2025-10
Citation
Dean, Richard, Akpose, Wole, Zegeye, Wondimu, Moazzami, F. (2025). Cybersecurity Maturity Model Certification-Objective Measure. International Telemetering Conference Proceedings, 60.
Additional Links
https://telemetry.org/
Abstract
This paper presents an automated method for Cybersecurity Maturity Model Certification (CMMC) that is objective and measurable. CMMC (9) has recently been mandated by DoD to verify that contractors have implemented the security measures required to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). This ruling is effective in December 2024 and affects the IT networks of many federal agencies and contractors. This work builds on our prior work (8) to develop risk measures built on the NIST Controls captured in 800-53 and 800-171 & 172. We show how Security Controls are foundational to both Risk and Maturity Models. We show how developing measures related to Controls during development supports objective measures of risk and maturity that can provide measurable and objective measures in operations with automated measures for CMMC. Further, we show how existing Security Information and Event Management (SIEM) data can be adapted and used to simplify and expedite CMMC measures in real IT systems.
Type
Proceedings
text
Language
en
ISSN
0884-5123
1546-2188
