
Buildings Cybersecurity Capability Maturity Model (B-C2M2)

EVALUATION TOOLKIT








B-C2M2: Building Maturity Assessment

Evaluation Scoring Report

Version 1.1

March 5, 2014




NOTIFICATION

This report is provided "as is" for informational purposes only. The Department of Energy (DOE) does not provide any warranties of any kind regarding any information contained within. In no event shall the United States Government or its contractors or subcontractors be liable for any damages, including, but not limited to, direct, indirect, special, or consequential damages and including damages based on any negligence of the United States Government or its contractors or subcontractors, arising out of, resulting from, or in any way connected with this report, whether or not based upon warranty, contract, tort, or otherwise, whether or not injury was sustained from, or arose out of the results of, or reliance upon the report.

DOE does not endorse any commercial product or service, including the subject of the analysis in this report. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the agencies.

The display of the DOE official seal or other visual identities on this report shall not be interpreted to provide the recipient organization authorization to use the official seal, insignia, or other visual identities of the Department. The DOE insignia or other visual identities shall not be used in any manner to imply endorsement of any commercial product or activity by DOE or the United States Government. Use of the DOE seal without proper authorization violates federal law (e.g., 18 U.S.C. §§ 506, 701, 1017), and is against DOE policies governing usage of their seal.


1. INTRODUCTION

This report represents the results of an evaluation using the Buildings Cybersecurity Capability Maturity Model (B-C2M2). The B-C2M2 evaluation is designed to assist organizations in identifying specific areas to strengthen their cybersecurity program, prioritize cybersecurity actions and investments, and maintain the desired level of security throughout the IT systems life cycle.

The scope defined for this evaluation includes the following:

This evaluation examined ten critical cyber domains for a federal facility, with a focus on building controls.

The results presented in this report are based on participant responses to B-C2M2 Evaluation questions. For the purposes of this evaluation, responses to evaluation questions are considered valid and accurate. The evaluation process did not include document reviews, observation of work, or an examination of security controls in place to support the evaluated function.


2. B-C2M2 STRUCTURE

The B-C2M2 arises from a combination of existing cybersecurity standards, frameworks, programs, and initiatives. The B-C2M2 provides flexible guidance to help organizations develop and improve their cybersecurity capabilities. As a result, the B-C2M2 practices tend to be at a high level of abstraction, so that they can be interpreted for organizations of various structures and sizes.

The B-C2M2 is organized into 10 domains. Each domain is a logical grouping of cybersecurity practices. The practices within a domain are grouped by objective—target achievements that support the domain. Within each objective, the practices are ordered by MIL.

The following sections include additional information about the domains and the MILs.

2.1 Domains

Each of the B-C2M2's 10 domains contains a structured set of cybersecurity practices. Each set of practices represents the activities an organization can perform to establish and mature capability in the domain. For example, the Risk Management domain is a group of practices that an organization can perform to establish and mature cybersecurity risk management capability.

For each domain, the B-C2M2 provides a purpose statement, which is a high-level summary of the intent of the domain. The purpose statement offers context for interpreting the practices in the domain. The practices within each domain are organized into objectives, which represent achievements that support the domain. For example, the Risk Management domain comprises three objectives:

  • Establish Cybersecurity Risk Management Strategy
  • Manage Cybersecurity Risk
  • Management Practices

Each of the objectives in a domain comprises a set of practices, which are ordered by MIL. Figure 2.1 depicts the architecture of the B-C2M2.

Figure 2.1: B-C2M2 Architecture

A brief description of the 10 domains follows in the order in which they appear in the B-C2M2.

Risk Management

Establish, operate, and maintain an enterprise cybersecurity risk management program to identify, analyze, and mitigate cybersecurity risk to the organization, including its business units, subsidiaries, related interconnected infrastructure, and stakeholders.

Asset, Change, and Configuration Management

Manage the organization's information technology (IT) and operations technology (OT) assets, including both hardware and software, commensurate with the risk to critical infrastructure and organizational objectives.

Identity and Access Management

Create and manage identities for entities that may be granted logical or physical access to the organization's assets. Control access to the organization's assets, commensurate with the risk to critical infrastructure and organizational objectives.

Threat and Vulnerability Management

Establish and maintain plans, procedures, and technologies to detect, identify, analyze, manage, and respond to cybersecurity threats and vulnerabilities, commensurate with the risk to the organization's infrastructure (e.g., critical, IT, operational) and organizational objectives.

Situational Awareness

Establish and maintain activities and technologies to collect, analyze, alarm, present, and use operational and cybersecurity information, including status and summary information from the other B-C2M2 domains, to form a common operating picture (COP).

Information Sharing and Communications

Establish and maintain relationships with internal and external entities to collect and provide cybersecurity information, including threats and vulnerabilities, to reduce risks and to increase operational resilience, commensurate with the risk to critical infrastructure and organizational objectives.

Event and Incident Response, Continuity of Operations

Establish and maintain plans, procedures, and technologies to detect, analyze, and respond to cybersecurity events and to sustain operations throughout a cybersecurity event, commensurate with the risk to critical infrastructure and organizational objectives.

Supply Chain and External Dependencies Management

Establish and maintain controls to manage the cybersecurity risks associated with services and assets that are dependent on external entities, commensurate with the risk to critical infrastructure and organizational objectives.

Workforce Management

Establish and maintain plans, procedures, technologies, and controls to create a culture of cybersecurity and to ensure the ongoing suitability and competence of personnel, commensurate with the risk to critical infrastructure and organizational objectives.

Cybersecurity Program Management

Establish and maintain an enterprise cybersecurity program that provides governance, strategic planning, and sponsorship for the organization's cybersecurity activities in a manner that aligns cybersecurity objectives with the organization's strategic objectives and the risk to critical infrastructure.

2.2 Maturity Indicator Levels

The B-C2M2 defines four maturity indicator levels, MIL0 through MIL3, which apply independently to each domain in the B-C2M2.

Four aspects of the MILs are important for understanding and applying the B-C2M2:

  1. The maturity indicator levels apply independently to each domain. As a result, an organization using the B-C2M2 may be operating at different MIL ratings for different domains. For example, an organization could be operating at MIL1 in one domain, MIL2 in another domain, and MIL3 in a third domain.
  2. The MILs are cumulative within each domain; to earn a MIL in a given domain, an organization must perform all of the practices in that level and its predecessor level(s). For example, an organization must perform all of the domain practices in MIL1 and MIL2 to achieve MIL2 in the domain. Similarly, the organization would have to perform all practices in MIL1, MIL2, and MIL3 to achieve MIL3.
  3. Establishing a target MIL for each domain is an effective strategy for using the B-C2M2 to guide cybersecurity program improvement. Organizations should become familiar with the practices in the B-C2M2 prior to determining target MILs. Gap analysis activities and improvement efforts should then focus on achieving those target levels.
  4. Practice performance and MIL achievement need to align with business objectives and the organization's cybersecurity strategy. Striving to achieve the highest MIL in all domains may not be optimal. Companies should evaluate the costs of achieving a specific MIL against potential benefits. However, the B-C2M2 was developed so that all companies, regardless of size, should be able to achieve MIL1 across all domains.

3. SUMMARY OF RESULTS BY DOMAIN

The B-C2M2 includes 10 domains, or logical groupings of cybersecurity practices. A description of each domain is provided in Section 2.1, Domains. This section provides a summary of MIL scores and answer input by MIL for each of the 10 domains included in the B-C2M2. See Appendix A, Evaluation Scoring Process, for a detailed explanation of the scoring process and Section 5, Using the Evaluation Results, for further detail regarding interpretation of evaluation results.

Figure 3.1: Summary of Answer Input by MIL and Domain

(Figure: a grid of the ten domains RM, ACM, IAM, TVM, SA, ISC, IR, EDM, WM, and CPM against MIL1, MIL2, and MIL3, each cell showing the answer input as Fully Implemented, Largely Implemented, Partially Implemented, or Not Implemented.)

Note: MIL1 is a subset of MIL2, and MIL2 is a subset of MIL3. For independent (non-subset) results by MIL, refer to Appendix C.

4. DETAILED EVALUATION RESULTS

This section provides the level of implementation (i.e., Fully Implemented, Largely Implemented, Partially Implemented, or Not Implemented) entered in the Evaluation Survey for each B-C2M2 practice by domain, objective, and MIL. See Appendix A, Evaluation Scoring Process, for a detailed explanation of the scoring process and Section 5, Using the Evaluation Results, for further detail regarding evaluation results.

5. USING THE EVALUATION RESULTS

The B-C2M2 is meant to be used by an organization to evaluate its cybersecurity capabilities consistently, to communicate its capability levels in meaningful terms, and to inform the prioritization of its cybersecurity investments. Figure 5.1 summarizes the recommended approach for using the B-C2M2. An organization performs an evaluation against the B-C2M2, uses that evaluation to identify gaps in capability, prioritizes those gaps and develops plans to address them, and finally implements plans to address the gaps. As plans are implemented, business objectives change, and the risk environment evolves, the process is repeated.

Figure 5.1: Recommended Approach for Using the B-C2M2

To aid in the analysis of identified gaps, survey questions that were recorded as either "Partially Implemented" or "Not Implemented" are consolidated in Section 5.1, Summary of Identified Gaps.

Table 5.1 presents a more detailed process for using evaluation results.

Table 5.1: Detailed Process for Using the Evaluation Results

Note: For further detail regarding activities in the table above, see the B-C2M2 Version 1.1.


5.1 Summary of Identified Gaps


APPENDIX A: EVALUATION SCORING PROCESS

Evaluation scores are derived from responses entered into the B-C2M2 Self Evaluation Toolkit. Each question includes a four-point answer scale: Fully Implemented (FI), Largely Implemented (LI), Partially Implemented (PI), and Not Implemented (NI). The answers of FI or LI are required for a practice to be considered implemented for scoring. Credit is not applied for answers of PI or NI.

The evaluation questionnaire answer options are explained in more detail in the following table:

Table A.1: Evaluation Answer Scale

Domain Maturity Indicator Level Scoring Process

Achieving a specific MIL for a given domain in the B-C2M2 requires the following:

  1. Implementation of all of the practices for that level
  2. The achievement of all preceding MILs in that domain

For example, to achieve MIL1 in a domain with four MIL1 practices, all four MIL1 practices must be in place. To achieve MIL2 in that same domain, all MIL1 and MIL2 practices must be in place.
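As an added example (not the toolkit's own code), the scoring rules above applied in Python to a single domain: only FI or LI answers earn credit, and a MIL is achieved only when that level and every lower level are fully in place. The practice identifiers and answers are constructed for illustration; the independent per-level status is the Appendix C view, shown here to contrast with the cumulative MIL.

```python
# Added example, not part of the B-C2M2 toolkit. Practice IDs and answers
# below are constructed; the domain structure follows the Appendix A rules.
from collections import defaultdict

IMPLEMENTED = {"FI", "LI"}   # only Fully/Largely Implemented earn credit
LEVELS = (1, 2, 3)           # MIL1..MIL3; a result of 0 means MIL0


def level_status(practices):
    """Independent view: True for each MIL whose practices are all FI or LI.

    `practices` is a list of (practice_id, mil, answer) tuples. A level with
    no practices counts as satisfied (assumption: nothing to implement).
    """
    by_level = defaultdict(list)
    for _pid, mil, answer in practices:
        by_level[mil].append(answer in IMPLEMENTED)
    return {mil: all(by_level[mil]) for mil in LEVELS}


def achieved_mil(practices):
    """Cumulative view: the highest MIL such that it and all lower MILs are in place."""
    status = level_status(practices)
    achieved = 0
    for mil in LEVELS:
        if not status[mil]:
            break
        achieved = mil
    return achieved


def gaps(practices):
    """Practices answered PI or NI, i.e. the Section 5.1 list of identified gaps."""
    return [pid for pid, _mil, answer in practices if answer not in IMPLEMENTED]


# Constructed Risk Management (RM) domain: four MIL1, three MIL2, three MIL3 practices.
SAMPLE_RM = [
    ("RM-1a", 1, "FI"), ("RM-1b", 1, "LI"), ("RM-1c", 1, "FI"), ("RM-1d", 1, "FI"),
    ("RM-2a", 2, "FI"), ("RM-2b", 2, "PI"), ("RM-2c", 2, "FI"),
    ("RM-3a", 3, "FI"), ("RM-3b", 3, "FI"), ("RM-3c", 3, "LI"),
]

if __name__ == "__main__":
    # Every MIL3 practice is in place, yet one MIL2 gap caps the domain at MIL1.
    print("independent level status:", level_status(SAMPLE_RM))
    print("achieved MIL:", achieved_mil(SAMPLE_RM))
    print("identified gaps:", gaps(SAMPLE_RM))
```

Closing the single MIL2 gap (RM-2b) would raise the domain straight to MIL3, which is why the gap list rather than the raw MIL is the useful input for planning.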


APPENDIX B: ORGANIZATION INFORMATION

Organization Ownership Structure
No response


Organization Functions
No response


Evaluation Scope
No response

APPENDIX C: ALTERNATE SUMMARY FIGURE


(Figure: independent results by MIL and domain, using the legend Fully Implemented, Largely Implemented, Partially Implemented, and Not Implemented.)



Last Updated: March 30th 2017