Secure Controls Framework

Updated Security & Privacy Capability Maturity Model (SP-CMM)

Capability Maturity Model,CMM,Cybersecurity Maturity,Maturity Model,SCF,SP-CMM
SCF Council
April 25, 2023

The Secure Controls Framework (SCF) release 2023.2 contains completely new content for its Security & Privacy Capability Maturity Model (SP-CMM). This effort was conducted to help streamline and standardize maturity criteria. If you are unfamiliar with the SP-CMM, it has been around for about four (4) years and is a component that is built into the SCF. The SP-CMM draws upon the high-level structure of the Systems Security Engineering Capability Maturity Model v2.0 (SSE-CMM).

The SP-CMM’s control-level maturity criteria are designed so that each succeeding level of maturity is built upon its predecessor. Essentially, you cannot run without first learning how to walk. Likewise, you cannot walk without first learning how to crawl. This approach to defining cybersecurity & privacy control maturity is how the SP-CMM is structured.

Maturity Model Use Cases

The SP-CMM is meant to solve the problem of objectivity in both establishing and evaluating cybersecurity and privacy controls. There are four (4) main objectives for the SP-CMM:

  1. Provide CISOs/CPOs/CIOs with objective criteria that can be used to establish expectations for a cybersecurity & privacy program;
  2. Provide objective criteria for project teams so that secure practices are appropriately planned and budgeted for;
  3. Provide minimum criteria that can be used to evaluate third-party service provider controls; and
  4. Provide a means to perform due diligence of cybersecurity and privacy practices as part of Mergers & Acquisitions (M&A).

Divining A Maturity Level Decision From Control-Level Maturity Criteria

Do you need to answer “yes” to every bullet-pointed criterion under a level of maturity in the SP-CMM? No. We recognize that every organization is different. Therefore, the maturity criteria items associated with SCF controls are there to help establish what would reasonably exist at each level of maturity. Fundamentally, the decision comes down to assessor experience, professional competence and common sense.

The following two (2) questions should be kept in mind when evaluating the maturity of a control or Assessment Objective (AO):

  1. Do I have reasonable evidence to defend my analysis/decision?
  2. If there was an incident and I was deposed in a legal setting, could I justify my analysis/decision without perjuring myself?

Maturity (Governance) ≠ Assurance (Security)

While a more mature implementation of controls can equate to an increased level of security, higher maturity does not by itself imply higher assurance. From a practical perspective, maturity is simply a measure of the governance activities pertaining to a specific control or set of controls. Maturity does not equate to an in-depth analysis of the strength and depth of the control being evaluated (i.e., rigor). A control can be consistently performed and well documented across the enterprise (high maturity) and still be weak against a capable adversary if nobody has tested whether it actually works.

According to NIST, assurance is “grounds for confidence that the set of intended security controls in an information system are effective in their application.”[1] Increased rigor in control testing is what leads to increased assurance. Therefore, increased rigor and increased assurance go hand in hand.

The SCF Conformity Assessment Program (SCF CAP) leverages three (3) levels of rigor. The SCF CAP’s levels of rigor utilize maturity-based criteria to evaluate a control, since a maturity target can provide context for “what right looks like” at a particular organization:

  • Level 1 (Basic) - Basic assessments provide a level of understanding of the security measures necessary for determining whether the safeguards are implemented and free of obvious errors.
  • Level 2 (Focused) - Focused assessments provide a level of understanding of the security measures necessary for determining whether the safeguards are implemented and free of obvious / apparent errors and whether there are increased grounds for confidence that the safeguards are implemented correctly and operating as intended.
  • Level 3 (Comprehensive) - Comprehensive assessments provide a level of understanding of the security measures necessary for determining whether the safeguards are implemented and free of obvious errors and whether there are further increased grounds for confidence that the safeguards are implemented correctly and operating as intended on an ongoing and consistent basis, and that there is support for continuous improvement in the effectiveness of the safeguards.

Defining SP-CMM Levels

SP-CMM Level 0 (L0) - Not Performed

This level of maturity is defined as “non-existent practices,” where the control is not being performed:

  • Practices are non-existent, where a reasonable person would conclude the control is not being performed.
  • Evidence of due care[2] and due diligence[3] does not exist to demonstrate compliance with applicable statutory, regulatory and/or contractual obligations.

L0 practices, or the lack thereof, are generally considered to be negligent. The reason for this is that if a control is reasonably expected to exist, not performing the control is negligent behavior. The need for the control could be due to a law, regulation or contractual obligation (e.g., a client contract or industry association requirement).

SP-CMM Level 1 (L1) - Performed Informally

This level of maturity is defined as “ad hoc practices,” where the control is being performed but lacks completeness & consistency:

  • Practices are “ad hoc,” where the intent of a control is not met due to a lack of consistency and formality.
  • When the control is met, it lacks consistency and formality (e.g., rudimentary practices are performed informally).
  • A reasonable person would conclude the control is not consistently performed in a structured manner.
  • Performance depends on the specific knowledge and effort of the individual performing the task(s), and the performance of these practices is not proactively governed.
  • Limited evidence of due care and due diligence exists, so it would be difficult to legitimately disprove a claim of negligence regarding how cybersecurity/privacy controls are implemented and maintained.

L1 practices are generally considered to be negligent. The reason for this is that if a control is reasonably expected to exist, performing it only through ad hoc practices could be considered negligent behavior. The need for the control could be due to a law, regulation or contractual obligation (e.g., a client contract or industry association requirement).

SP-CMM Level 2 (L2) - Planned & Tracked

This level of maturity is defined as “requirements-driven practices,” where the intent of the control is met in some circumstances, but is not standardized across the entire organization:

  • Practices are “requirements-driven” (e.g., specified by a law, regulation or contractual obligation) and are tailored to meet those specific compliance obligations (e.g., evidence of due diligence).
  • Performance of a control is planned and tracked according to specified procedures, and work products conform to specified standards (e.g., evidence of due care).
  • Controls are implemented in some, but not all, applicable circumstances/environments (e.g., specific enclaves, facilities or locations).
  • A reasonable person would conclude controls are “compliance-focused” to meet a specific obligation, since the practices are applied at a local/regional level and are not standardized across the enterprise.
  • Sufficient evidence of due care and due diligence exists to demonstrate compliance with specific statutory, regulatory and/or contractual obligations.

L2 practices are generally considered to be “audit ready,” with an acceptable level of evidence to demonstrate due diligence and due care in the execution of the control. L2 practices are generally targeted at specific systems, networks, applications or processes that require the control to be performed for a compliance need (e.g., PCI DSS, HIPAA, CMMC, NIST SP 800-171, etc.). It can be argued that L2 practices focus more on compliance than on security, because the scoping of L2 practices is narrow and not enterprise-wide: the same control may be absent from systems that fall outside the compliance boundary.

SP-CMM Level 3 (L3) - Well Defined

This level of maturity is defined as “enterprise-wide standardization,” where the practices are well-defined and standardized across the organization:

  • Practices are standardized “enterprise-wide,” where the control is well-defined and standardized across the entire enterprise.
  • Controls are implemented in all applicable circumstances/environments (deviations are documented and justified).
  • Practices are performed according to a well-defined process using approved, tailored versions of standardized processes.
  • Performance of a control follows specified, well-defined and standardized procedures.
  • Control execution is planned and managed using an enterprise-wide, standardized methodology.
  • A reasonable person would conclude controls are “security-focused” and address both mandatory and discretionary requirements. Compliance could reasonably be viewed as a “natural byproduct” of secure practices.
  • Sufficient evidence of due care and due diligence exists to demonstrate compliance with specific statutory, regulatory and/or contractual obligations.
  • The Chief Information Security Officer (CISO), or similar function, develops a security-focused Concept of Operations (CONOPS) that documents organization-wide management, operational and technical measures to apply defense-in-depth techniques (note: in this context, a CONOPS is a verbal or graphic statement of intent and assumptions regarding operationalizing the identified tasks to achieve the CISO’s stated objectives. The result of the CONOPS is operating the organization’s cybersecurity and data protection program so that it meets business objectives). Control- or domain-specific CONOPS may be incorporated as part of a broader operational plan for the cybersecurity and privacy program (e.g., a cybersecurity-specific business plan).

L3 practices are generally considered to be “audit ready,” with an acceptable level of evidence to demonstrate due diligence and due care in the execution of the control. Unlike L2 practices, which are narrowly focused, L3 practices are standardized across the organization. It can be argued that L3 practices focus on security over compliance, where compliance is a natural byproduct of those secure practices. These are well-defined and properly-scoped practices that span the organization, regardless of department or geographic considerations.

SP-CMM Level 4 (L4) - Quantitatively Controlled

This level of maturity is defined as “metrics-driven practices,” where, in addition to the practices being well-defined and standardized across the organization, there are detailed metrics to enable governance oversight:

  • Practices are “metrics-driven” and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations, and identify areas for improvement.
  • Practices build upon established L3 maturity criteria and have detailed metrics to enable governance oversight.
  • Detailed measures of performance are collected and analyzed. This leads to a quantitative understanding of process capability and an improved ability to predict performance.
  • Performance is objectively managed, and the quality of work products is quantitatively known.

L4 practices are generally considered to be “audit ready,” with an acceptable level of evidence to demonstrate due diligence and due care in the execution of the control, as well as detailed metrics that enable an objective oversight function. Metrics may be collected daily, weekly, monthly, quarterly, etc.

SP-CMM Level 5 (L5) - Continuously Improving

This level of maturity is defined as “world-class practices,” where the practices are not only well-defined and standardized across the organization, with detailed metrics, but the process is also continuously improving:

  • Practices are “world-class” capabilities that leverage predictive analysis.
  • Practices build upon established L4 maturity criteria and are time-sensitive to support operational efficiency, which likely includes automated actions through Machine Learning (ML) or Artificial Intelligence (AI).
  • Quantitative performance goals (targets) for process effectiveness and efficiency are established, based on the business goals of the organization.
  • Process improvements are implemented according to “continuous improvement” practices to effect process changes.

L5 practices are generally considered to be “audit ready,” with an acceptable level of evidence to demonstrate due diligence and due care in the execution of the control, and they incorporate a capability to continuously improve the process. Interestingly, this is where Artificial Intelligence (AI) and Machine Learning (ML) would exist, since AI/ML would focus on evaluating performance and making continuous adjustments to improve the process. However, AI/ML are not required to be L5.