Last Updated on November 2, 2023
Risk management is one of the most important processes in cybersecurity. As a comprehensive cybersecurity standard, the US Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) includes multiple risk management and risk assessment requirements.
This article explains the role of cybersecurity risk management in achieving CMMC certification.
What is cybersecurity risk management?
Cybersecurity risk management is the ongoing process of assessing, identifying, prioritizing, monitoring, and managing risks to information systems and data. Its purpose is to reduce the likelihood and impacts of cyber-attacks and other threats.
Some of the steps in a cybersecurity risk management process include:
- Cataloging all your digital assets, including information systems and data
- Analyzing current cybersecurity controls
- Implementing solutions to mitigate new or emerging cybersecurity risks that may pose a significant threat
Risk assessment and vulnerability assessment are key risk management tools. Risk assessment identifies, evaluates, and prioritizes cyber risks to a company’s assets and operations. For CMMC, that explicitly includes risks posed by vendors, supply chain partners, and other third parties. Vulnerability assessment uses automated scanning and other techniques to detect vulnerabilities in the CUI environment.
Risk assessment has three basic elements:
- How important is the asset at risk?
- How critical is the threat to the asset?
- How vulnerable is the asset to the threat?
Using those elements, the risk of financial loss and/or reputational damage can be represented as:
Risk = Asset x Threat x Vulnerability
Why is cybersecurity risk management important?
Cybersecurity risk management is essential to protect organizations from unaddressed risks manifesting as data breaches, data exfiltration, cyber-attacks, and other costly and damaging outcomes.
Part of cybersecurity risk management is developing a company’s cybersecurity risk profile. This is the starting point for making decisions on how to prioritize vulnerabilities and systematically reduce cyber risk.
Risk management is also important for quantifying cyber risk and making it “real,” with metrics to support decision-making. As part of a cyber risk strategy, cybersecurity risk management can help reduce costs, protect against revenue loss, and avoid non-compliance sanctions.
Effective risk management can also increase stakeholder trust and peace of mind that an organization can keep sensitive data safe.
Benefits of cybersecurity risk management
Cyber risk management and risk assessment offers significant business value to organizations. Some of the benefits include:
- Ability to address the most critical risks first
- Support for compliance with regulations that mandate risk management, risk assessment, and/or vulnerability assessment, such as HIPAA, PCI-DSS, SOX, and GDPR
- Better informed decision-making thanks to risk management insights
- A clearer idea where your most valuable and sensitive data resides
- Improved insight into how to invest scarce cybersecurity resources
- Help with identifying and eliminating more vulnerabilities
- Enhanced brand reputation and increased stakeholder trust
- Stronger security to reduce the risk and impacts from phishing attacks, business email compromise, credential theft, etc.
- Opportunity to reduce vendor, third-party, and supply chain risks
- Developing a “security culture” and company-wide security focus
What is needed to comply with CMMC Level 2 risk management requirements?
If your business doesn’t currently have a formal risk management program, you face significant changes to reach compliance with CMMC Level 2 to protect controlled unclassified information (CUI). This could include establishing new policies and procedures, initiating vulnerability scans, and potentially engaging with a third-party partner to boost your risk management expertise and bandwidth.
CMMC recognizes a Risk Management (RM) domain, as mitigating risks and impacts from cyber-attacks is a company-wide risk management concern. The huge range of potential threats compels organizations to discern and manage the most significant cyber risks effectively.
The RM domain’s objective is for organizations to identify, evaluate, and manage risk. Risks are identified through risk assessments and vulnerability assessments.
The CMMC Level 2 capabilities that organizations must demonstrate are:
- Identify and evaluate risk
- Manage risk
- Manage supply chain risk
CMMC Level 2 risk management controls
Risk management controls at CMMC Level 2 include:
RM.2.141: Assess dangers posed by ongoing operations associated with CUI.
To protect CUI, organizations need to periodically assess cyber risks, including how operational changes create new threats and/or exacerbate current threats.
RM 2.142: Do ongoing scanning for potential vulnerabilities.
Regularly scanning the CUI environment for vulnerabilities is essential to detecting emerging risks and threats.
RM 2.143: Fix discovered vulnerabilities promptly according to specified rules outlined by the company.
Having identified vulnerabilities, organizations should remediate them in alignment with policy.
CMMC Level 3 risk management controls
At this time the CMMC Level 3 (Expert) controls to combat advanced persistent threats (APTs) are not finalized. Additional risk management requirements from the NIST 800-172 standard that may apply at CMMC Level 3 include:
- Threat intelligence gathering capabilities to help nullify evolving threats
- Threat hunting capabilities to complement passive threat detection, such as penetration testing, red team exercises, and threat intelligence sharing
- Machine learning and other automated capabilities to analyze security data and detect threats
- Expanded risk assessment across the supply chain, such as managed service providers and cloud service providers
With threats, technology, and compliance demands all changing faster than ever, cybersecurity risk management can be a significant challenge—especially if you lack experience.
CBIZ Pivot Point Security specializes in helping companies assess their cybersecurity and compliance risk. Contact us to talk about how we can augment your team on both strategic and tactical levels, while transferring risk management expertise.