Requirement text: CA.4.163: Create, maintain, and leverage a security roadmap for improvement.
DISCUSSION FROM SOURCE: CMMC
As organizations become more mature in their cybersecurity operations, it is expected that
an organization will create, maintain, and leverage a security roadmap to show their planned
path forward for improvements. This demonstrates a maturity level within an organization
that is above the average company. The security roadmap will help a company move forward
with increasing its overall security posture based on priority, cost, and implementation
time. Such planning will help an organization line up vendors to discuss the planning and
what solutions they may offer, receive bids to help with the work, or get a bid on a
cybersecurity appliance that will be installed on location or an “as a service” solution from a
cloud provider that will be utilized remotely. This roadmap should be used to help plan
based on areas of highest risk, the latest TTPs, and/or knowledge that a specific industry is being
targeted, and to push forward solutions that will thwart malicious activities. A roadmap will
require updates from time to time based on intelligence or architecture needs. A roadmap
will survive people changing positions, and it will provide a continuity plan for improving the
cybersecurity posture of an organization.
CMMC CLARIFICATION
An organization must explicitly identify its desired end-state for cybersecurity capabilities
and document a roadmap describing the planned path forward. Increasing measures along
the way reduces the likelihood of a cyber-attack being successful or minimizes the impact of
an attack. The roadmap should have short-, medium-, and long-term goals for the organization.
Plan for what the organization wants to accomplish in the next 6-12 months (short term).
Also plan for 12-36 months (medium term), and plan for 5-10 years (long term). All of the plans can be
adjusted over time, but having the plans will allow for budgeting, priorities, and knowledge
as to where the organization is going to keep the environment safe from adversaries.
Example 1
The organization sees its security end-state as being comparable to similar-sized companies
that are considered to have good cybersecurity capabilities. An immediate shortfall has been
identified: email comes into the organization without any filtering capabilities in
place. This forces the organization to thwart email attacks at the endpoint and to rely on
additional controls across the enterprise to help thwart such attacks. The security roadmap
outlines a plan to have automated spam filters, sandboxing of attachments, and link analysis
in place within 6 months to help reduce the likelihood of an attack coming from email.
Example 2
The organization has a VPN solution that does not require multifactor authentication (MFA).
The security roadmap outlines a plan to have MFA in place within the next year, which will
reduce the likelihood of remote attackers gaining access to the VPN through stolen
credentials.
References
• NIST CSF v1.1 ID.RM-1, RS.IM-1, RS.IM-2, RC.IM-1, and RC.IM-2
• NIST SP 800-53 Rev 4 PL-1