Incorporating Other Models and Technology Into the CCSMM

One thing about the nature of computer science in general and cybersecurity in particular is that they are both fields that are constantly changing. Whether it is because of a new version of an operating system being released, new technology that has been introduced, or a disclosure of a newly discovered vulnerability, the field is continually changing. Some changes will not have any impact on the CCSMM. Others may necessitate a change in some aspect at one or more levels. The model itself is extremely flexible and frequently does not specify the precise items that need to be covered but rather the more abstract concept that must be considered. This is true for not just changes in technology but also the introduction of new government guidance or regulations as well as the creation of other maturity models that are focused on some other aspect of cybersecurity. This chapter explores incorporating other models and technology into the CCSMM.

Policies

Local governments provide public services including police, fire departments, emergency services, and others. Operations are accomplished by following policies, laws, and regulations. Communities will need to integrate cybersecurity concepts into established community policies. Existing policies need to be reviewed for cybersecurity evaluating them for cyber integration and identifying critical services that could be disrupted or impacted by a cyber incident. Communities need to identify an authorization hierarchy that will makes decisions in regard to critical services being impacted by a cyber-attack. Roles need to be established and integrated into policies to identify existing capabilities to address cyber incidents and ultimately who will respond if needed. Public-private partnerships need to be reviewed and legal agreements crafted and signed before an incident occurs. These considerations are initial steps that can be taken as the community strives to improve its cybersecurity posture where community policies are concerned.

Information Sharing

From the first community cybersecurity exercise the CIAS at UTSA conducted in San Antonio in 2002, information sharing has been a key element of the community cybersecurity program. Information sharing is essential in the protection and detection aspects of programs such as the NIST cyber security framework. Information sharing helps to alert other organizations to ongoing reconnaissance and attack efforts by attackers. When it comes to cybersecurity, organizations are not in competition with each other but instead are partners in a mutual defense against attackers. This has not been an easy lesson to learn, and it has taken time, but today, there are many robust information sharing programs that help various sectors and geographic regions to band together to help each other in efforts to thwart attacks against any member of the group. Information sharing is an integral part of the community cyber security maturity model and can in fact help provide a catalyst to launch an overall cybersecurity program for a community.

Awareness

Awareness is a term used to describe an individual's knowledge of a topic. One would expect that awareness of the cybersecurity threat is well understood because of the continual reports of cyber incidents and attacks impacting individuals, organizations, and cyber-attacks on communities and states. The CIAS found it was true that people understood cyber incidents and attacks were happening. They also understood they needed to protect their assets and information, and they needed to be able to respond and recover from incidents that might occur. The significant gap was they did not understand all the impacts that could occur from a cyber incident, and they didn't understand the cascading impacts that could domino from a single attack. The lessons learned regarding awareness are incorporated into the awareness dimension of the CCSMM and include what each member of a community needs to know based on their role in the community.

The Two-Dimensional CCSMM

The community cyber security maturity model (CCSMM) defines four dimensions and five implementation mechanisms in describing the relative maturity of an organization or an SLTT's cybersecurity program. These are used in defining levels of maturity and the cybersecurity characteristics of an organization or SLTT at each level. In order to progress from one level to the next, a variety of activities should take place, and these are defined in terms of five different mechanisms. In between two levels are a variety of activities that should take place to help the entity to advance from one level to the next. These groups of activities describe four phases, each of which takes place between two levels. Thus, Phase 1 defines the activities that should occur for an entity to advance from Level 1 to Level 2.

The NIST Cybersecurity Framework

With the increase in cybercrimes over the last few years, a growing realization for the need for cybersecurity has begun to be recognized by the nation. Unfortunately, being aware that cybersecurity is something you need to worry about and knowing what steps to take are two different things entirely. In the United States, the National Institute of Standards and Technology (NIST) developed the Cyber Security Framework (CSF) to assist critical infrastructures in determining what they need in order to secure their computer systems and networks. While aimed at organizations, much of the guidance provided by the CSF, especially the basic functions it identifies, are also valuable for communities attempting to put together a community cybersecurity program.

Building Your Community Cybersecurity Program

Communities and states are targets of cyber-attacks. Cities are popular because of generally lax cybersecurity postures and the fact that they have money. States and communities also have personal information on citizens, which can be used for identity theft. With the realization they are becoming frequent targets, communities are looking to enhance their cybersecurity programs, but many do not know where or how to start. The community cyber security maturity model is designed for this purpose – to help states and communities to develop their own viable and sustainable cybersecurity programs. There has also been considerable media attention on the NIST Cyber Security Framework. This is a program designed for organizations, and it contains a lot of good information organizations can use to enhance their cybersecurity posture. From a whole community perspective, however, it is not as useful though there are parts of it that are applicable to a community.

Plans

Communities have been planning for disasters for a very long time, especially for natural disasters. The capability to predict when the hurricane will hit a coastal area or island is available. Precautions are reported to the public, and preparedness activities are posted continuously. Planning for cyber incidents is a much newer activity, and it has been getting increasingly more sophisticated as time goes on. A community plans for physical events such as a hurricane, flood, or tornado because they are in geographic areas that are prone to these threats. All communities need to prepare for a cyber incident or attack. In the early 2000s, the CIAS would hear comments such as “Our county is too small” or “No one would target us, we don't have anything they would want.” No matter how small the organization and no matter what the size of the community, everyone is a target today. Preparing for “when” the cyber incident happens is the best approach, and that means every municipality, county, and parish should have a plan in place to continue business and to respond to an incident.

The Three-Dimensional Model for a Community

The community cyber security maturity model (CCSMM) was designed and developed to provide communities with an action plan to build a viable and sustainable cybersecurity program focused on improving their overall cybersecurity capability. Not long after the initial development of the model, it was realized that there are intertwined relationships that needed to be addressed. This drove the creation of the three-dimensional model broadening the scope to include individuals, organizations, communities, states, and the nation. This chapter will provide an overview of the development and importance of the 3-D model and will describe the scope areas that were included.

The Community Cybersecurity Maturity Model (CCSMM)

Lessons learned from the community cyber security exercises showed common threads each community needed to focus on in order to improve the community's cyber security posture. These similarities were grouped into four areas of improvement called dimensions. The dimensions are awareness, information sharing, policies, and planning. The methods in which communities can implement improvement are called implementation mechanisms. These mechanisms are common approaches used every day such as establishing metrics, implementing technologies, creating processes and procedures, and conducting training and assessments.