Level 5 CMMC - CMMC Practices


Reference: CMMC 1.02

Family: CA

Level Introduced: 4

Create, maintain, and leverage a security strategy and roadmap for organizational cybersecurity improvement.

CMMC Clarification:
An organization must explicitly identify its desired end-state for cybersecurity capabilities and document a roadmap describing the planned path forward. Increasing measures along the way reduces the likelihood of a cyber-attack being successful or minimizes the impact of an attack. The roadmap should have short-, medium-, and long-term goals for the organization. Plan for what the organization wants to accomplish in the next 6-12 months (short term). Also plan for 12-36 months (medium term), and plan for 5-10 years. All of the plans can be adjusted over time, but having the plans will allow for budgeting, priorities, and knowledge as to where the organization is going to keep the environment safe from adversaries.

Example 1
The organization sees its security end-state as being comparable to similarly sized companies that are considered to have good cybersecurity capabilities. An immediate shortfall has been identified related to email coming into the organization without any filtering capabilities in place. This requires the organization to thwart email attacks at the endpoint and have additional controls on the enterprise to help thwart such attacks. The security roadmap outlines a plan to have automated spam filters, sandboxing of attachments, and link analysis in place within 6 months to help reduce the likelihood of an attack coming from email.

Example 2
The organization has a VPN solution that does not require multifactor authentication (MFA). The security roadmap outlines a plan to have MFA in place within the next year, which will reduce the likelihood of remote attackers gaining access to the VPN through stolen credentials.

As organizations become more mature in their cybersecurity operations, it is expected that an organization will create, maintain, and leverage a security roadmap to show their planned path forward for improvements. This demonstrates a maturity level within an organization that is above the average company. The security roadmap will help a company move forward with increasing their overall security posture based on priority, cost, and implementation time. Such planning will help an organization line up vendors to discuss the planning and what solutions they may offer, receive bids to help with the work, or get a bid on a cybersecurity appliance that will be installed on location or an “as a service” solution from a cloud provider that will be utilized remotely. This roadmap should be used to help plan based on areas of highest risk, latest TTPs, and/or knowledge that a specific industry is being targeted, and to push forward solutions that will thwart malicious activities. A roadmap will require updates from time to time based on intelligence or architecture needs. A roadmap will survive people changing positions, and it will provide a continuity plan for improving the cybersecurity posture of an organization.

Source: CMMC v1.02



The organization:
    a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
        1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
        2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and
    b. Reviews and updates the current:
        1. Security planning policy [Assignment: organization-defined frequency]; and
        2. Security planning procedures [Assignment: organization-defined frequency].

Supplemental Guidance:
This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PL family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.

Source: NIST Special Publication 800-53 Rev. 4
