After the last 2020 Global Leading voices webinar, comparing ISO27001 with CCPA and NYC Shield Act, we're taking a look at the next level of information and cybersecurity management. How can you assess your security management? The CMMI model (using the 1 to 5 grading) is a well-known system. Early 2020 the US DOD launched the CMMC, Cybersecurity Maturity Model Certification which matches the same levels for cybersecurity. This session we'll discuss the maturity evaluation principles for information security, cybersecurity and application security and how you can use it in practice. The webinar covers: - What's the CMMI? - What's the CMMC? - Maturity in security governance (ISMS, cyber, application) - Security maturity vs audit cycles Recorded Webinar: https://youtu.be/9BpETh_nAOw

2. • Introduction
• ISO/IEC 27001 & 27701- quick recap (prev. sessions)
• Introduction to CMMC
• CMMC components
• How to implement CMMC - highlights
• CMMC > CMMI > ISO27001
• Q & A
Agenda

3. Introduction

4. Before we start…
Previous session recap

5. 1. Quick Guide to ISO/IEC 27701 - The Newest Privacy Information
Standard - (2019-12-09)
2. ISO/IEC 27701 vs GDPR - What you need to know (2020-01-29)
3. Privacy Trends: Key practical steps on ISO/IEC 27701:2019
implementation (2020-04-15)
4. Key Data Privacy Roles Explained: Data Protection Officer,
Information Security Manager, and Information Security Auditor
(2020-06-24)
5. Session 5: PECB Webinar: ISO/IEC 27701 vs. ISO/IEC 27001 vs.
NIST: Essential Things You Need to Know (2020-10-14)
Previous sessions

6. Check the past webinars on the PECB website at
• https://pecb.com/past-webinars
Find all sessions with Q&A + collaterals (decks, recording) at:
http://ffwd2.me/PECB_ISO27001_webinars (short cut to LinkedIN page)
Previous sessions

7. • ISO27001 = ISMS
• ISO27701 = PIMS
For today also:
• NIST = (US) National Institute of Standards and
Technology (= Dept. of Commerce)
Quick Recap

8. ISO or NIST deep dive
• Course material reference see later
• NIST document reference see later
The nuts and bolts of ISMS
Just know that it has
• 10 chapters, 7 clauses (Clause 4..10, built on PDCA)
• Annex with
• 14 main categories (A5..A18)
• 35 subcategories
• 114 controls / measures
• Course material reference, see later
What this session is not about

9. ISO/IEC 27000 series
• ISO27001 and ISO27701 = certifiable
• Total 59 documents
ISO27000 series including
• Code of practices
• Guidance
• Auditing (ISO27006)
• Incident management (ISO27035)
• Cybersecurity (ISO27032)
• Business continuity, Communications security, Application Security, Supply Chain,
Storage, …
• More info: https://www.iso.org/committee/45306/x/catalogue/p/1/u/0/w/0/d/0
And also

10. The nuts and bolts of PIMS
Just know that it
• Is certifiable like ISMS
• Is Privacy & GDPR add-on to ISMS
• Add specifications to interpretation of information security
• Now including PII/personal data
• Extra requirements from GDPR & other legislation
• Interesting annex
• GDPR mapping
• ISO29100 (Privacy) mapping
What this session is not about

11. Introduction to CMMC
Cybersecurity Maturity Model Certification
(DoD)

12. Source: https://www.acq.osd.mil/cmmc/index.html
About
• Cybersecurity standard by DoD (US Department of Defense)
• V1 released 31 Jan 2020
• Currently v1.02
Purpose
• set of standards from the DOD
• to enhance the cybersecurity capabilities of defense contractors
Focus
• Cybersecurity (not Information Security)
• USA
• Re-use of existing principles and frameworks
• Controlled Unclassified Information (CUI)
CMMC - Cybersecurity Maturity Model Certification

13. Source: Focalpoint
Timeline
• January 2020: DoD introduces Version 1.0 of the CMMC
• June 2020:The CMMC-AB released program requirements and opens
registration for C3PAOs and third-party assessors
• July 2020: DoD to create and publish a CMMC training
• Summer 2020: DoD to undergo rulemaking to implement the CMMC into the
DFARS regulation
• September 2020: DoD to incorporate CMMC requirements in Requests for
Proposals (RFPs)
• FY 2021 – 2026: Implementation of the CMMC through a phased rollout
• FY 2026: CMMC certification a requirement for all companies doing business
with the DoD
CMMC - Timeline

14. Source: https://www.acq.osd.mil/cmmc/index.html
Based on
• CERT Resilience Management Model (CERT RMM) v1.2
• CIS Controls v7.1
• Draft NIST SP 800-171B
• FAR Clause 52.204-21
• NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) v1.1
• NIST SP 800-53 Rev 4
CMMC - Reference to other sources

15. Source: https://www.acq.osd.mil/cmmc/index.html
Direct link to
• International Standards
• CMMI
• ISO principles
• Easy plugin to Information Security
• Cybersecurity > data protection & privacy
CMMC - reusing global principles

16. Source: https://www.acq.osd.mil/cmmc/index.html
CMMD, reference to other sources
• CERT Resilience Management Model (CERT RMM) v1.2
• CIS Controls v7.1
• Draft NIST SP 800-171B
• FAR Clause 52.204-21
• NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) v1.1
• NIST SP 800-53 Rev 4
CMMC

17. CMMC components
The essentials

18. Source: https://www.acq.osd.mil/cmmc/index.html
Core components
• 43 capabilities
• 17 capability domains
• Five levels to define and measure cyber maturity
• 171 controls
CMMC - the essence

19. Source: https://www.acq.osd.mil/cmmc/index.html
CMMC - the model

20. Source: https://www.acq.osd.mil/cmmc/index.html
CMMC - 17 domains

21. NIST SP800-53 (rev 5) Mapping

22. Source: https://www.acq.osd.mil/cmmc/index.html
CMMC - processes & practices

23. Source: https://www.acq.osd.mil/cmmc/index.html
CMMC - levels and focus

24. Source: https://www.acq.osd.mil/cmmc/index.html
CMMC - effort

25. Source: https://www.acq.osd.mil/cmmc/index.html
Core components
• 43 capabilities
• 17 capability domains
• Five levels to define and measure cyber maturity
• 171 controls
CMMC - the essence

26. CMMC vs NIST
CMM-C
• C = Certification
CMMC vs NIST
• CMMC (DOD) - NIST (Dpt of Commerce)
• CMMC has accredited audit, NIST doesn't
• CMMC is reusing a lot of NIST practices
• CMMC = cyber only, NIST has wide range of standards

27. CMMC vs NIST vs ISO
CMMC NIST ISO27001+
Region US focus US focus International
Target technology Cybersecurity Wide range
Info sec
Cyber
Privacy
Info security+
Cyber (27032)+
DP (27701)
…
Type of best practice Operational Mix Governance
Details Practical Deep dive detail High level FrameW
Owner DoD DoC ISO
Audit Yes No Yes
Certifiable Yes No Yes
Maturity CMMI basis PRISMA CMMI

28. CMMC vs CMMI
Quick comparison

29. Source: https://www.acq.osd.mil/cmmc/index.html
CMMC vs CMMI

30. CMMI - Level 0

31. CMMI - Level 1

32. CMMI - Level 2

33. CMMI - Level 3

34. CMMI - Level 4

35. CMMI - Level 5

36. Controlling cyber maturity
Implementing CMMC

37. CMMC Main model description

38. Remember
1. Level 1: Performed = Basic Cyber hygiene
2. Level 2: Documented = intermediate cyber hygiene
3. Level 3: Managed = good cyber hygiene
4. Level 4: Reviewed = Proactive
5. Level 5: Optimizing = advanced/proactive
CMMC Main model description

39. Implementation layers & practices (p11)
CMMC Practices

40. Level 1
CMMC Practices per level
Incl. Excl.
• AC
• IA
• MP
• PE
• SC
• SI
• AM
• AU
• AT
• CM
• IR
• MA
• PS
• RE
• RM
• CA
• SA

41. Level 2
CMMC Practices per level
Incl. Excl.
• AC
• AU
• AT
• CM
• IA
• IR
• MA
• MP
• PS
• PE
• RE
• RM
• CA
• SC
• SI
• AM
• SA

42. Level 3
CMMC Practices per level
Incl. Excl.
• AC
• AM
• AU
• AT
• CM
• IA
• IR
• MA
• MP
• PE
• RE
• RM
• CA
• SC
• SA
• SI
• PS

43. Level 4
CMMC Practices per level
Incl. Excl.
• AC
• AU
• AT
• CM
• IA
• IR
• MA
• MP
• PS
• PE
• RE
• RM
• CA
• SC
• SI
• IA
• MA
• MP
• PS
• PE

44. Level 5
CMMC Practices per level
Incl. Excl.
• AC
• AU
• CM
• IA
• IR
• RE
• RM
• SI
• AM
• AT
• IA
• MA
• MP
• PS
• PE
• CA
• SA

45. Practices (Access control)
• L1:
• limit info access to authorized users, connections to external systerms
• L2:
• privacy notices,
• Least privilege
• Limit unsuccessful logons
• Session lock
• Monitor remote access
• L3
• Segregation of duties
• Wireless Authentication & encryption
• Control Mobile devices
CMMC Practices - main points

46. Practices (AC)
• L4
• Control information flows
• Review access permissions
• L5
• Rogue Wi-Fi control
CMMC Practices - main points

47. Practices (Asset Management)
• L3
• Procedures
• L4
• Discovery
CMMC Practices - main points

48. Practices (Audit & accountability)
• L2
• Trace individual users
• L3
• Review logs
• Collect audit info
• Correlate info
• L4
• Automate analysis
• Review audit info
• L5
• Identify unreported assets
CMMC Practices - main points

49. Practices (Awareness & training)
• L2
• Risk awareness to key roles
• Train to security related duties
• L3
• Security awareness
• L4
• Awareness on threat recognition
• Practical exercise
CMMC Practices - main points

50. Practices (Config management)
• L2
• Baseline configuration & inventory
• Principle of least functionality
• L3
• Manage & document logical access
• L4
• Application whitelisting
• L5
• Verify integrity of critical software (crypto, certificates, …)
CMMC Practices - main points

51. Practices (Identification & AuhtN)
• L1
• Classify users
• Authentication to allow access
• L2
• Password management
• L3
• MFA
• Identity management
CMMC Practices - main points

52. Practices (Incident response)
• L2
• Incident handling procedure
• Detecting & reporting
• Analysis & response + root cause analysis
• L3
• Track & document incidents
• L4
• Knowledge Attacker tactics
• SOC
• L5
• Forensics
• Manual & automated real-time response
• Unannounced exercises
CMMC Practices - main points

53. Practices (Media protection)
• L1
• Sanitize & destroy
• L2
• Protect & limit access
• L3
• Marking
• Prohibit mobile media
• Crypto protection
CMMC Practices - main points

54. Practices (Personnel security)
• L2
• Screening
CMMC Practices - main points

55. Practices (Physical protection)
• L1
• Limit access
• Escort visitors
• L2
• Protect & monitor physical facility & infra
• L3
• Enforcement of safeguards to alternate sites
CMMC Practices - main points

56. Practices (Recovery)
• L2
• Perform and test backups
• L3
• Resilient data backups
• L5
• Information processing facilities redundancy
CMMC Practices - main points

57. Practices (Risk management)
• L2
• Periodical assessments to operations
• Scan for vulnerabilities
• L3
• Periodical assessments according risk categories, resources & measurement criteria
• L4
• Catalog threat profiles
• Threat intelligence
• L5
• Exception process for non-whitelisted software
CMMC Practices - main points

58. Practices (Security assessment)
• L2
• Security plans
• L3
• Monitor security controls
• L4
• Security strategy
• Red teaming
CMMC Practices - main points

59. Practices (Situational Awareness)
• L3
• Use Information sharing forums to collect info
• L4
• Cyber Threat hunting
• Indicators of compromise
CMMC Practices - main points

60. Practices (System & Comm protection)
• L1
• Monitor
• L2
• Prohibit remote activation
• L3 (!)
• Crypto
• Separate users from system management functionality
• …
• L4
• Physical & logical isolation
• Threat intelligence (DNS, …)
• L5
• Tailored Network monitoring
CMMC Practices - main points

61. Practices (System & Info integrity)
• L1
• Monitor system flaws
• L2
• Monitor security alerts
• L3
• Spam protection
• Email forgery protection
• L4
• Threat intelligence
• L5
• Analyse system behaviour
CMMC Practices - main points

62. Maturity indicators for management
Driving the cyber & info security

63. CMMC Main model description

64. CMMC vs CMMI

65. Bringing maturity to management

66. Bringing maturity to management

67. Bringing maturity to management

68. Bringing maturity to management

69. References
Interesting information sources

70. Reference material
CMMC
• https://www.acq.osd.mil/cmmc/index.html
PECB
• PECB as CMMC-AB licensed partner publisher
CMMC audit
• https://www.cmmcaudit.org/cmmc-level-1-certification-and-preparation-how-to/
• CMMC: A Comprehensive Guide For DoD Contractors
• https://www.cmmc-compliance.com/cmmc-compliance-guide
Others, see Linkedin page:

71. Reference material
Other
• Cybersecurity Maturity Model Certification (CMMC) v1.02 & NIST 800-171 rev2
Compliance
CMMI
• https://cmmiinstitute.com/
• https://cmmiinstitute.com/cmmi
• Introduction to CMMI (by BMC)
• CMMI on Wikipedia
• What is CMMI? A model for optimizing development processes

72. Ramping up…
Relevant PECB Training courses

73. Relevant Training
PIMS
• PECB ISO 27701 Foundation
• PECB ISO 27701 LI
• PECB ISO 27701 LA
Information Security
• PECB ISO 27001 LI
• PECB ISO 27001 LA
• PECB ISO 27002 LM

74. Relevant Training
Data protection
• PECB Certified Data protection Officer (GDPR)
Privacy
• PECB ISO29100 LI

75. Other Relevant Training
Incident Management
• PECB ISO 27035 LI
Risk Management
• PECB ISO 27005 LI

76. Check the PECB agenda, select the ISO/IEC 27701 Lead
Implementer
https://pecb.com/en/partnerEvent/event_schedule_list
Training Events
For full detailed information about an event click on the ‘View’ button on the right hand
side under ‘View full details’.
Note: Before applying for any training courses listed below, please make sure you are
registered to PECB
Training Agenda

77. Appendix

78. Relevant Training
PECB ISO 27701 Foundation
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-
27701/iso-iec-27701-foundation
PECB ISO 27701 Lead Implementer
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-
27701/iso-iec-27701-lead-implementer
PECB ISO 27701 Lead Auditor
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-
27701/iso-iec-27701-lead-auditor

79. Relevant Training
PECB ISO 27001
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001
Lead Implementer
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-
27001/iso-iec-27001-lead-implementer
Lead Auditor
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-
27001/iso-iec-27001-lead-auditor

80. Relevant Training
PECB ISO 27002
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002
Lead Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-
27002/iso-iec-27002-lead-manager

81. Relevant Training
PECB GDPR
https://pecb.com/en/education-and-certification-for-individuals/gdpr
CDPO
https://pecb.com/en/education-and-certification-for-individuals/gdpr/certified-
data-protection-officer

82. Relevant Training
PECB ISO29100
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-29100-
privacy-implementer
Lead Implementer
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-29100-
privacy-implementer/iso-29100-lead-privacy-implementer

83. Relevant Training
PECB ISO27035 - Incident Management
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035
Lead Incident Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035
/iso-iec-27035-lead-incident-manager

84. Relevant Training
PECB ISO27005 - Risk Management
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005
Lead Risk Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005
/iso-27005-lead-risk-manager

85. ISO/IEC 27701
Training Courses
• ISO/IEC 27701 Foundation
2 Day Course
• ISO/IEC 27701 Lead Implementer
5Days Course
Exam and certification fees are included in the training price.
https://pecb.com/en/education-and-certification-for-individuals/iso-
27701
www.pecb.com/events

87. THANK YOU
?
info@cyberminute.com CyberMinute
hello@shiftleftsecurity.eu Shift Left Security