Advancing Cybersecurity Capability Measurement Using the CERT(registered trademark)-RMM Maturity Indicator Level Scale.

摘要

A 'maturity model' is a set of characteristics, attributes, indicators, or patterns that represent progression and achievement in a particular domain or discipline. Maturity models typically have levels arranged in an evolutionary scale that defines measurable transitions from one level of maturity to another. The current version of the CERT (registered trademark) Resilience Management Model (CERT-RMM v1.2) utilizes the maturity architecture (levels and descriptions) as provided in the Capability Maturity Model Integration (CMMI) constellation models to ensure consistency with CMMI. The spacing between maturity levels often causes CERT-RMM practitioners some difficulty. To address some of these issues, the CERT Division of Carnegie Mellon University's Software Engineering Institute did a comprehensive review of the existing specific and generic goals and practices in CERT-RMM to determine if a better scale could be developed to help users of the model show incremental improvement in maturity without breaking the original intent of the CMMI maturity levels. This technical note presents the results: the Maturity Indicator Level Scale, or CERT-RMM MIL scale. The first application of the MIL scale was in the Cyber Resilience Review (CRR), a comprehensive review process based on CERT-RMM and developed in collaboration with the Department of Homeland Security to measure the effectiveness of resilience practices by owners and operators of critical infrastructure. Upon successful application in the CRR, the MIL scale was adapted for use in the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2), which was developed collaboratively with the Department of Energy to comply with a White House initiative to examine and characterize the cybersecurity posture of the electric grid. The application of the MIL scale in the CRR and the ES-C2M2 is addressed in the appendices to this note.