
Comparison between the NIST Cybersecurity Framework 1.1 and the Cybersecurity Capability Maturity Model (C2M2) 1.1

We present the main reference frameworks to evaluate the current maturity level of an organization with respect to the cybersecurity of its industrial environments and/or critical infrastructures.

It is very common that one of the first interventions an organization requires when it sets out to improve its OT security level is an assessment of its current maturity level with respect to the cybersecurity of its industrial environments and/or critical infrastructures. A number of reference frameworks, best practices, regulations and standards support this analysis. Among them we can highlight the following:

  • C2M2 (Cybersecurity Capability Maturity Model)
  • NIST Cybersecurity Framework 1.1
  • DHS Catalog of Control Systems Security: Recommendations for Standards Developers
  • NERC Critical Infrastructure Protection (CIP) Standards 002-009
  • NIST Special Publication 800-82, Guide to Industrial Control Systems Security
  • NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems
  • NRC Regulatory Guide 5.71, Cyber Security Programs for Nuclear Facilities
  • Committee on National Security Systems Instruction (CNSSI) 1253
  • INGAA Control Systems Cyber Security Guidelines for the Natural Gas Pipeline Industry
  • NISTIR 7628, Guidelines for Smart Grid Cyber Security

As we said at the beginning, most of them help organizations to assess their current level of maturity with respect to the cybersecurity of their industrial environments, to establish the target level the organization wants to reach in this area, and to define a set of initiatives and/or projects that allow that target level to be reached within a timeframe and with resources still to be determined.

In this whitepaper we outline the scope of two widely used frameworks: the Cybersecurity Framework v1.1, developed by the NIST (National Institute of Standards and Technology), and the Cybersecurity Capability Maturity Model (C2M2) 1.1, developed by the DHS (Department of Homeland Security) and, in turn, endorsed by the NIST.

In addition, we propose a series of criteria that will help organizations select the most appropriate framework, taking into account their particular characteristics as well as their time and budget constraints.