In the world of cybersecurity, IT and risk managers have long touted the benefits of using maturity models and control frameworks to help assess preparedness. Specifically, these models and frameworks have helped create more ways for companies and governments to evaluate resiliency.

However, while newer frameworks such as 2020’s Cybersecurity Maturity Model Certification (CMMC) gain attention for helping U.S. companies earn national defense contracts, it’s important to understand that a model like CMMC owes a lot to frameworks that came before it. In fact, many of the ideas first presented in older models still impact how cybersecurity works today.

This topic was explored during a recent cybersecurity framework webinar hosted by Axio. During the presentation, Axio Co-Founder and President David White and GRC Consultant at Seiso LLC Richard Caralli discussed the evolution of maturity models and control frameworks that existed long before CMMC came onto the scene. Below, we examine the timeline of cybersecurity and control frameworks that are widely used today to protect companies and governments and how these models evolved.

Two Types: Maturity Models and Control Frameworks

Before we get into the timeline, it’s essential first to understand the difference between maturity models and control frameworks. Both are frequently used to bolster cybersecurity at governments and companies, but they are distinctly different in their aims.

Maturity models such as the popular Cybersecurity Capability Maturity Model (C2M2) from the U.S. Department of Energy help determine how well you are doing something. They are typically developed in collaboration by experts of different backgrounds who can help ensure the model takes into account organizations of different sizes and abilities. Maturity models take a continuous improvement approach that helps determine what improvement looks like. They have become more broadly accepted over time in both small and large organizations.

Caralli notes that when companies and governments adopt maturity models, it drastically improves the odds of creating a cultural shift. “As you get up to 2020 and 2022, there is a tacit and full acceptance that maturity concepts of institutionalization are becoming the way that security culture is created,” Caralli said.

On the other hand, control frameworks such as the popular NIST Cybersecurity Framework (NIST CSF) are explicitly outcome-driven and helps you assess whether you perform specific actions. This means organizations generally have flexibility in implementing the practices as long as they achieve ideal outcomes.

Caralli said that control frameworks have also been given more prevalence in organizations over the past ten years and that making frameworks standard can improve security cultures.

“Frameworks, which were once a collection of practices, are now being institutionalized,” Caralli said. “[Over time] what you’re really seeing is an acknowledgment that you have to be able to implement that framework in the culture, or you’re just going to do it one and done, and you’re going to move on.”

It All Starts with Maturity Models

Maturity models began to emerge in the mid-to-late 1980s, with the Capability Maturity Model (CMM) from Watts Humphrey taking center stage in software development. Humphrey developed the CMM based on the earlier Quality Management Maturity Grid developed by Philip B. Crosby. The U.S. government looked at the CMM as a vital tool for evaluating the success of government contractors in performing software projects. While the CMM originally intended to be used for software development, it was later applied to other areas, including cybersecurity.

White notes CMM effectively goes on to influence the development of modern maturity models, including Capability Maturity Model Integrated (CMMI), CERT Resilience Management Model (RMM), C2M2, and CMMC. The CMMM model also plays a role in shaping popular frameworks, including those from the National Institute of Standards and Technology (NIST).

“I think that the seminal work of Watts Humphrey and team on CMM — that’s still the language that the world uses to talk about maturity in any business pursuit or organizational pursuit is that language from CMM,” White said. “I’m continually amazed by the number of folks that I see and hear using those CMM maturity concepts, even in the NIST cybersecurity framework, assessments, and use.”

Notably, software development practices that you find at large tech companies and startups also continue to be influenced by CMM.

“In the now 30-year-old history of CMM and CMMI, a lot of other methods and software development life cycles have come about,” Caralli said. “You have DevOps; you have secure DevOps, you have CI/CD pipelines, you have agile [development]. But the core principles of defect reduction and making practices stick continues.”

Control Frameworks Go Mainstream with NIST 800-53

Unlike maturity models, it took a lot longer for control frameworks to become commonplace in business and government. The most important early framework was NIST 800-53, which was first released in 2005 by the National Institute of Standards in Technology and the U.S. Department of Commerce. NIST 800-53 was developed initially to create standards for all federal information systems unrelated to national security.

Showing its staying power, NIST 800-53 has gone through five revisions, and the latest version was released publicly in September 2020. Revision five expands the framework’s scope, but it no longer applies only to federal systems and could be used for any organization. The provisions in NIST 800-53 have influenced other essential and popular frameworks, including the NIST CSF and the NIST 800-171.

The NIST CSF was developed collaboratively by the government, academics, and the tech industry. It was first published in 2014 and later updated in 2018. The NIST CSF framework can be adopted by organizations of any size and any sector, but it retains best practices from NIST 800-53. NIST CSF also has easier-to-understand language so that non-IT workers can use it as well.

The most recent notable framework from NIST is the NIST 800-171, which was first released in 2015 and has been updated multiple times in response to new and dangerous cyber threats. Its primary goal is to create practices that will better protect controlled unclassified information (CUI) managed by organizations. CUI is not classified but still needs protection from national adversaries. The NIST 800-171 was most recently updated in 2021 and must be followed by defense contractors, for example, to show they are serious about cybersecurity.

All Models Are Wrong But …

George E.P. Box, a British statistician, coined a phrase that gets thrown around often when talking about maturity models and control frameworks. He said, “All models are wrong, but some are useful.”

White suggests that Box’s famous quotation informs an enormous amount of discussions concerning the adoption of a specific model or framework, as they are all inherently incorrect.

“One of the things that I think you and I became really conscious of throughout our journey with RMM and several other models and frameworks is the extent to which these are approximations,” White said. “They are models or frameworks if you want to call them that, but they’re approximations… One of the first key takeaways is that all of these models are wrong. And so the first answer to, ‘Which cybersecurity framework should I use?’ is to use one that’s useful, and use one that’s useful for you and for how you’re using it.”

Effectively, this means governments and businesses alike can’t rely on just one model or framework to improve cybersecurity. The model won’t totally do what it needs to do, so you need to seek improvement constantly. Perhaps more important than choosing a model is figuring out your “why” first.

“When you start to really think about components like, ‘Is a framework robust enough?’, it’s all going to depend on what your ‘why’ is,” White said. “Why are you taking this on? What is driving your need to adopt a framework?”

To better understand these “why’s,” keep an eye out for the next blog post in this series. In it, we will explore the fundamentals of cybersecurity frameworks, including components and use cases.

Learn More about Maturity Models
and Security Frameworks from Axio

If your organization is looking to improve cybersecurity practices or adopt a new framework, Axio can help you assess your next steps. Users can perform free single-user assessments for NIST CSF, C2M2, and Axio ransomware preparedness. Additionally, subscribers can take advantage of CMMC, CIS 20, and other custom assessments. Try the free tool here.