Volume 10, 2022: Issue 1

Title:

Towards the quantification of cybersecurity footprint for SMBs using the CMMC 2.0

Author(s):

Yair Levy, Nova Southeastern University, USA

Ruti Gafni, The Academic College of Tel Aviv Yaffo, Israel

Abstract:

Organizations, small and big, have faced major cybersecurity challenges over the past several decades as the proliferation of information systems and mobile devices expands. While larger organizations invest significant efforts in developing approaches to deal with cybersecurity incidents, Small and Medium Businesses (SMBs) are still struggling with ways to both keep their businesses alive and secure their systems to the best of their abilities. When it comes to critical systems, such as defense industries, the interconnectivities of organizations in the supply chain have proven to be problematic given the depth required to provide a high-level cybersecurity posture. The United States (U.S.) Department of Defense (DoD), in partnership with the Defense Industry Base (DIB), developed the Cybersecurity Maturity Model Certification (CMMC) in 2020 with a third-party mandate for Level 1 certification. Following an outcry from many DIB organizations, a newly revised CMMC 2.0 was introduced in late 2021, in which Level 1 (Fundamental) was adjusted for annual self-assessment. CMMC 2.0 provides the 17 practices that organizations should self-assess. While these 17 practices provide initial guidance for assessment, the specific level of measurement and how it impacts their overall cybersecurity posture are vague. Specifically, many of these practices use non-quantifiable terms such as “limit”, “verify”, “control”, “identify”, etc. The focus of this work is to provide SMBs with a quantifiable method to self-assess their Cybersecurity Footprint following the CMMC 2.0 Level 1 practices. This paper outlines the foundational literature work conducted in support of the proposed quantification Cybersecurity Footprint Index (CFI) using 26 elements that correspond to the relevant CMMC 2.0 Level 1 practices.

Keywords:

Cybersecurity of SMBs, CMMC, Cybersecurity Footprint, cybersecurity self-assessment, Cybersecurity Footprint Index (CFI), CFI Elements

DOI:

https://doi.org/10.36965/OJAKM.2022.10(1)43-61

Type:

Research paper

Journal:

The Online Journal of Applied Knowledge Management (OJAKM), ISSN: 2325-4688

Publisher:

International Institute for Applied Knowledge Management (IIAKM)

Received:

3 March 2022

Revised:

23 May 2022; 20 July 2022; 22 July 2022; 10 August 2022

Accepted:

6 September 2022

Accepting Editor:

Meir Russ

Pages:

43-61