NIST CSF, DoD CMMP and NIST SP 800-171b

Extending NIST CSF and DoD CMMP by reference to the NIST SP 800-171Bdraft

Cyber Maturity Models can be easily translated - just use NIST CSF, SP 800-82 and SP 800-171 for enhanced coverage that maps bidirectionally
Ron Brash

When considering the various cyber security frameworks, I can’t help to wonder how it all comes together: Who is the audience? Does it actively portray risk? Does it help with threat reductions? And the biggest of all questions – is it usable?

While the Department of Defense’s Cyber Maturity Model (CMMP) is now onto its 0.4 release, when looking at it – I see something that looks very similar to the NIST CSF. It has tables that outline:

  • Domain
  • Capability
  • Target level of maturity


Figure 1: DoD CMMP table

Anyone with a simple spreadsheet or Excel could merely transfer the CMMP framework over to a simple file-based questionnaire.  This is great news for resources and organization that are focused on implementing NIST CSF.

But this doesn't come without a couple of challenges:

  • Do individuals following these vague details truly understand what is required for cybersecurity? Or do they pick and choose applicability (to a similar extent) for the standard based on their interpretation? Often customers looking at NIST see a whole bunch of information, and the interpretation could lead to some perilous decisions/assumptions.
  • Is the coverage sufficient in this document for enhanced controls? The model is highly generic, which isn’t necessarily a bad thing, but it could be insufficient where stronger security level targets are not being addressed.

The latter point speaks more directly to today's topic: if NIST CSF and DoD CMMP do not have adequate language or clarity on defining scenarios or organization/target security levels, where do I find that answer?

Well the answer (today at least) is currently in draft form – NIST SP 800-171B, and the concept of overlays used in SP 800-82 to enhance NIST CSF controls for usage with critical infrastructure. The first document sticks to the same terminology used to cluster capabilities and domains, but it has several sections for each item within it (where applicable) to discuss challenges, and the logic/solutions for each. Additionally, there is typically a hyperlink to cross-reference related NIST special publications to help readers find and be aware that additional reference documentation can be used.

Draft NIST Special Publication 800-171B
Figure 2: Example discussion for enhancement

In particular, some of the most noticeable areas to explore are related to:

  • Reducing the extent of malicious code propagation
  • Disrupting attack surfaces
  • Isolation techniques (physical included)
  • System integrity including PKI
  • Ongoing monitoring for specific conditions
  • Convergent and future technologies (e.g., IoT/IIoT)

Regardless of whether other documents previously existed, or that contractors might be looking for a one stop shop for DoD CMMP, the answer is that it will be a series of several documents in order to be able to answer these assessments on the surface. And as for asset owners, or product vendors, reaching some of these targets are lower and of less importance when compared to many of the SP 800-171 requirements because high-level requirements leave room to interpretation, and implementation errors.

In fact, the higher-level frameworks do not tell a product owner how to engineer for security or reduce risks related to cyber-enabled threats. I’m not saying any of these frameworks or guidelines are wrong. On the contrary, I believe NIST CSF, 800-82 & 800-171 could be easily mapped together to provide a more comprehensive level of definition and description than that contained in the CMMP today. 


Achieve NIST CSF Maturity
OT cyber security expertise, trends and best practices to protect your industrial systems
Verve Security Center Brochure

Recent Blogs