WEB-03: Web Application Firewall (WAF)

There is no evidence of a capability to deploy Web Application Firewalls (WAFs) to provide defense-in-depth protection for application-specific threats.

C|P-CMM1 is N/A, since a structured process is required to deploy Web Application Firewalls (WAFs) to provide defense-in-depth protection for application-specific threats.

Web Security (WEB) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• Internet-facing technologies management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
• IT/cybersecurity personnel identify cybersecurity and data protection controls to address applicable statutory, regulatory and contractual requirements for Internet-facing technologies management.
• Administrative processes and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed (e.g., Demilitarized Zones (DMZs)).
• Internet-facing technologies are configured to protect data with the strength and integrity commensurate with the classification or sensitivity of the information and mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides), including cryptographic protections for sensitive/regulated data.

Web Security (WEB) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Utilize Web Application Firewalls (WAFs) to provide defense-in-depth protection for application-specific threats. o Restrict inbound traffic to authorized devices on certain services, protocols and ports.

• A Validated Architecture Design Review (VADR) evaluates Internet-facing design criteria for secure practices and conformance with requirements for applicable statutory, regulatory and contractual controls to determine if the system/application/service is designed, built and operated in a secure and resilient manner.
• A change notification capability exists to scan web pages for changes, which are reviewed by appropriate personnel to determine if changes are authorized or unauthorized.
• Ongoing content reviews are performed to ensure web pages do not contain non-public information.
• Security engineering, or a similar function, ensures that Internet-facing devices conform to industry-recognized standards for configuration hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides) for test, development, staging and production environments. This includes creating special hardening requirements for High-Value Assets (HVAs).
• An Identity & Access Management (IAM) function, or similar function, enables the implementation of identification and access management controls for Internet-facing technologies.
• Technologies are configured to implement Strong Customer Authentication (SCA) for consumers to prove their identity.
• Administrative processes exist and technologies are configured to provide Internet-facing individuals (e.g., customers, users, clients, etc.) with clear and precise information about cookies, in accordance with regulatory requirements for cookie management.
• An IT Asset Management (ITAM) function, or similar function, categorizes network devices according to the data the asset stores, transmits and/ or processes and applies the appropriate technology controls to protect the asset and data.
• Boundary protections:

Web Security (WEB) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
• Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
• Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
• Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
• Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
• Both business and technical stakeholders are involved in reviewing and approving proposed changes.

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to deploy Web Application Firewalls (WAFs) to provide defense-in-depth protection for application-specific threats.