When considering the various cyber security frameworks, I can’t help but wonder how it all comes together: Who is the audience? Does it actively portray risk? Does it help with threat reduction? And the biggest question of all – is it usable?

While the Department of Defense’s Cyber Maturity Model (CMMC) is now on its 0.4 release, when I look at it I see something that looks very similar to the NIST CSF. It has tables that outline:

  • Domain
  • Capability
  • Target level of maturity

Figure 1: DoD CMMC table

Anyone with a simple spreadsheet tool such as Excel could merely transfer the CMMC framework over to a simple file-based questionnaire. This is great news for resources and organizations that are focused on implementing NIST CSF.

But this doesn’t come without a couple of challenges:

  • Do individuals following these vague details truly understand what is required for cybersecurity? Or do they pick and choose the applicability of the standard (to a similar extent) based on their own interpretation? Customers looking at NIST often see a whole bunch of information, and their interpretation of it could lead to some perilous decisions and assumptions.
  • Is the coverage in this document sufficient for enhanced controls? The model is highly generic, which isn’t necessarily a bad thing, but it could be insufficient where stronger security level targets are not being addressed.

The latter point speaks more directly to today’s topic: if NIST CSF and DoD CMMC do not have adequate language or clarity on defining scenarios or organization/target security levels, where do I find that answer?

Well, the answer (today at least) is currently in draft form – NIST SP 800-171B, together with the concept of overlays used in SP 800-82 to enhance NIST CSF controls for use with critical infrastructure. The first document sticks to the same terminology used to cluster capabilities and domains, but it adds several sections for each item (where applicable) that discuss the challenges and the logic and solutions for each. Additionally, each item typically includes a hyperlink cross-referencing related NIST Special Publications, so that readers can find the additional reference documentation and know that it can be used.

Figure 2: Example discussion for enhancement

In particular, some of the most noticeable areas to explore are related to:

  • Reducing the extent of malicious code propagation
  • Disrupting attack surfaces
  • Isolation techniques (physical included)
  • System integrity including PKI
  • Ongoing monitoring for specific conditions
  • Convergent and future technologies (e.g., IoT/IIoT)

Regardless of whether other documents previously existed, or whether contractors might be looking for a one-stop shop for DoD CMMC, the answer is that it will take a series of several documents to be able to answer these assessments on the surface. And as for asset owners or product vendors, reaching some of these targets is a lower priority and of less importance when compared to many of the SP 800-171 requirements, because high-level requirements leave room for interpretation and implementation errors.

In fact, the higher-level frameworks do not tell a product owner how to engineer for security or reduce risks related to cyber-enabled threats. I’m not saying any of these frameworks or guidelines are wrong. On the contrary, I believe NIST CSF, 800-82 & 800-171 could be easily mapped together to provide a more comprehensive level of definition and description than that contained in the CMMC today.
