Community Cyber Security Maturity Model

Purpose of the Community Cyber Security Maturity Model

CCSMM Model The Community Cyber Security Maturity Model is a coordinated plan that provides communities or local jurisdictions with a framework to identify what is needed to build a cybersecurity program focused on “whole community” preparedness and response to address a cyber incident or attack. Essentially, the CCSMM is a guide that helps communities establish a cybersecurity baseline at the local level. Once established, the baseline can be used to identify cyber-attacks that impact an organization, an entire sector, or cross-sector organizations and agencies in a specific geographic area. It can also be used to communicate with individuals and communities about capabilities and improvement.

The strategies identified in the framework go beyond protecting systems and networks within local government agencies. The CCSMM can assist communities to identify what needs to be done in building a viable and sustainable cybersecurity program, what is needed to prepare to detect a cyber-attack, develop plans to respond during an attack, and determine what to do after an attack has occurred.

The CCSMM incorporates three critical features:

A yardstick which can be used to measure the current status of a community’s cybersecurity program and posture,
A roadmap to help a community know what steps are needed to improve their security posture, and
A common point of reference that allows individuals from different communities and states to discuss their individual programs and relate them to each other.

The 3-D Model is designed to broaden the capability of the framework allowing it to be flexible and scalable to address all aspects of a cybersecurity program. Expanding the CCSMM into a 3-dimensional model provides the improvement progression for everyone in the nation.

Additionally, it can integrate other frameworks such as the National Institute of Standards and Technology’s (NIST) Cyber Security Framework (CSF) (NIST, 2018) and the DoD’s CMMC outlining the security controls necessary for an organization. It can also support the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NICE Framework) (NIST, 2017), which is a resource that categorizes and describes cybersecurity work and the cybersecurity workforce.

The CCSMM can assist communities to identify what needs to be done in building a viable and sustainable cybersecurity program, what is needed to prepare to detect a cyber-attack, develop plans to respond during an attack, and determine what to do after an attack has occurred. For a more in-depth understanding of the different levels and dimensions in the Model, please see below for more information.

Member Discount on CCSMM Book

“Establishing Cyber Security Programs through the Community Cyber Security Maturity Model (CCSMM)” is an essential reference source that discusses methods in applying sustainable cybersecurity programs and policies within organizations, governments and other communities. Featuring research on topics such as community engagement, incident planning methods, and information sharing, this book is ideally designed for cybersecurity professionals, security analysts, managers, researchers, policymakers, students, practitioners, and academicians seeking coverage on novel policies and programs in cybersecurity implementation. The book can be purchased on igi-global.com. However, the CCSMM book is 50% OFF to Level 2 & 3 members! Contact the CIAS-ISAO for your discount code.

The Four Dimensions of the CCSMM

Awareness

Most people understand that cyber threats exist; however, not as many understand the extent of the threat, the current attack trends, how a cyber incident can impact a community, what the vulnerabilities are that should be addressed, and what the cascading effects may be if a community was under a cyber-attack.

Information Sharing

This dimension addresses what to do with information on a cyber incident and where the information should be reported. In addition, it addresses how one sector can share information with another allowing the second sector to potentially prevent the incident from occurring.

Policy

This addresses the need to integrate cyber elements into the policies or guiding principles and includes all guiding regulations, laws, rules and documents that govern the daily operation of the community. Policies should be evaluated to ensure cybersecurity principles are reflected in everything we do and will establish expectations and limitations.

Plans

Communities have established plans to address many different hazards and this dimension ensures cybersecurity elements are included in those plans enabling the community to address cyber incidents that could impact the operations of the community.

Five Levels of Improvement in the CCSMM

Level 1: Initial
Some processes or programs may be in place, but a community at level 1 does not have all the program elements for a basic program.
Level 2: Established
A basic program has been established with elements and processes in place for all four dimensions..
Level 3: Self-Assessed
A minimal viable and sustainable program has been implemented.
Level 4: Integrated
Cybersecurity is integrated across the community, including all citizens and organizations within the community, and is also working with the state and other communities within the state.

Level 5: Vanguard

The community is maintaining a fully-vigilant cybersecurity posture.

The First Six Steps in Your Community Cybersecurity Program

CCSMM Program Checklist

The CIAS-ISAO has developed a checklist to guide you through the process of developing a community ISAO. The first six steps have been highlighted for you, but you may access the full roadmap when you become a level 2 member.

I want the full checklist!

Find Your Champion

Identify an individual who is passionate about cybersecurity and your community to drive the program for at least 2 years.

Gather Leadership Support

Locate leaders who will support participation by their organization, including compliance, technical, policy, risk management, etc.

Recruit Security Professionals

Recruit a mix of 10-15 city government, industry, and individuals from the critical infrastructures that are interested in the project.

Plan for a Cybersecurity Day

Select a date 9-12 months ahead to engage government, industry and critical infrastructure employees.

Begin Forming Your Community ISAO

Begin planning to announce your ISAO on Cybersecurity Day and recruit members.

Build a Website or Portal

Create a community cybersecurity website and identify who will host it.

Our Services