IAO-02.3: Third-Party Assessments

There is no evidence of a capability to accept and respond to the results of external assessments that are performed by impartial, external organizations.

Information Assurance (IA) is ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• Pre-production security testing is decentralized.
• IT personnel implement and maintain an informal process to conduct limited control testing of High Value Assets (HVAs) to meet specific statutory, regulatory and/ or contractual requirements for pre-production cybersecurity and data privacy control testing.

Information Assurance (IA) is requirements-driven and governed at a local/regional level, but not consistently across the enterprise. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• Pre-production security testing is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
• IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for pre-production cybersecurity and data privacy control testing.
• IT personnel implement and maintain an established a limited Information Assurance Program (IAP) capability to conduct limited control testing to meet specific statutory, regulatory and/ or contractual requirements for pre-production cybersecurity and data privacy control testing.
• IAP operations focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
• Administrative processes exist to enable the organization to accept and respond to the results of external assessments that are performed by impartial, external organizations.

Information Assurance (IA) is standardized across the enterprise and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• Cybersecurity personnel implement and maintain an established Information Assurance Program (IAP) capability to conduct “business as usual” pre-production cybersecurity and data privacy control testing focused on the concept of “security and data privacy be design and by default.”
• The IAP validates that systems/applications/services/processes are both secure and compliant.
• A Governance, Risk & Compliance (GRC) function, or similar function, facilitates the implementation of cybersecurity and data protection controls to ensure that secure engineering practices are designed and implemented throughout the lifecycle of systems, applications and services both internal and external to the organization.
• A Project Management Office (PMO), or project management function, ensures project involvement for IAP as part of the organization's established project management processes.
• A Plan of Action and Milestones (POA&M) or similar mechanism, exists to document planned remediation actions to correct weaknesses or deficiencies noted during the assessment of the security controls, helping to reduce or eliminate known vulnerabilities.
• Administrative processes prevent systems/applications/services/processes from “going live” in a production environment without first going through the IAP process.
• The IAP uses a tiered approach to conformity testing, based on (1) the sensitivity of data that is stored, processed and/ or transmitted and (2) the criticality of the system/application/service/process.
• Administrative processes exist to enable the organization to accept and respond to the results of external assessments that are performed by impartial, external organizations.

Information Assurance (IA) is metrics driven and provides sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
• Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
• Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
• Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
• Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
• Both business and technical stakeholders are involved in the review process for proposed changes.

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to accept and respond to the results of external assessments that are performed by impartial, external organizations.