uniform_resource_scf_2024_2 (table) Content

uniform_resource_scf_2024_2 (table) Schema
Cybersecurity & Data Protection Governance Cybersecurity & Data Protection Governance Program FII-SCF-GOV-0001 Mechanisms exist to facilitate the implementation of cybersecurity & data protection governance controls. #NAME? E-GOV-01 E-GOV-02 Does the organization facilitate the implementation of cybersecurity & data protection governance controls? 10 x Govern x x x There is no evidence of a capability to facilitate the implementation of cybersecurity & data privacy governance controls. Cybersecurity & Privacy Governance (GOV) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • No formal cybersecurity and/ or data privacy principles are identified for the organization. • No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel. • Governance efforts are narrowly-limited to certain compliance requirements. • Formal roles and responsibilities for cybersecurity and/ or data privacy may exist. • Cybersecurity and data privacy governance is informally assigned as an additional duty to existing IT/cybersecurity personnel. • Basic cybersecurity policies and standards are documented [not based on any industry framework] • Basic procedures are established for important tasks, but are ad hoc and not formally documented. • Documentation is made available to internal personnel. • Organizational leadership maintains an informal process to review and respond to observed trends. • Compliance efforts are not tied into an enterprise-wide cybersecurity and/ or data privacy program. Cybersecurity & Privacy Governance (GOV) efforts are requirements-driven and formally governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cybersecurity and data privacy governance activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure and compliant practices. • IT/cybersecurity personnel identify cybersecurity & data privacy controls that are appropriate to address applicable statutory, regulatory and contractual requirements for cybersecurity & data privacy governance activities. • The Chief Information Officer (CIO), or similar function, analyzes the organization’s business strategy and prioritizes the objectives of the security function, based on business requirements. • A qualified individual is assigned the role and responsibilities to centrally manage, coordinate, develop, implement and maintain a cybersecurity & data privacy program (e.g., cybersecurity director or Chief Information Security Officer (CISO)). • No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing cybersecurity personnel. • Compliance requirements for cybersecurity & data privacy are identified and documented. • Cybersecurity policies and standards exist that are aligned with a leading cybersecurity framework (e.g., SCF, NIST 800-53, ISO 27002 or NIST Cybersecurity Framework). • Controls are assigned to sensitive/regulated assets to comply with specific compliance requirements. • Procedures are established for sensitive/regulated obligations, but are not standardized across the organization. • Documentation is made available to internal personnel. Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Statutory, regulatory and contractual compliance requirements for cybersecurity & data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements. • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability. • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity & data privacy. • Controls are standardized across the organization to ensure uniformity and consistent execution. • Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization. • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization. • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity & data privacy controls for each system, application and/ or service of which they have accountability. • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer). • Risk management processes are defined, to include materiality considerations. Cybersecurity & Privacy Governance (GOV) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist: ▪ Metrics are developed that provide management insight, per a quantitative understanding of process capabilities, to predict optimal performance, ensure continued operations and identify areas for improvement. ▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs). ▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs). ▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity & data privacy controls, including functions performed by third-parties. ▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review). ▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes. ▪ Both business and technical stakeholders are involved in reviewing and approving proposed changes. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to facilitate the implementation of cybersecurity & data privacy governance controls. CC1.1 CC1.1-POF1 CC1.2 CC2.3-POF5 4 4.1 4.2 4.3 4.4 5 7 7.1 7.2 7.4 7.5 8 8.1 8.2 8.4 10 10.1 10.2 10.2.1 10.2.2 EDM01.02 APO01.09 APO04.01 APO13.01 APO13.02 Principle 2 GRC-05 GRC-07 GVN-01 GVN-02 8.2.1 RQ-05-02.a RQ-05-02.b 5.2 5.2.1 5.2.2 4.3 4.4 5.1 6.1.1 4.4 5.1 5.1(a) 5.1(b) 5.1(c) 5.1(d) 5.1(e) 5.1(f) 5.1(g) 5.1(h) 6.1.1 6.1.1(a) 6.1.1(b) 6.1.1(c) 6.1.1(d) 6.1.1(e)(1) 6.1.1(e)(2) 8.1 10.1 5.1 5.1.1 5.1 5.4 5.37 5.1 5.1.1 5.3.1 5.3.2 5.3.3 5.4 5.4.1 5.4.1.1 5.4.2 5.5 5.5.1 5.5.2 5.5.3 5.5.4 5.5.5 5.5.5.1 5.5.5.2 5.5.5.3 5.6.1 5.6.2 5.6.3 5.7 5.7.1 5.7.2 5.7.3 5.8 5.8.1 5.8.1 6.2 6.2.1 6.2.1.1 6.5 5.1 5.10 5.11 7.5 7.5.1 7.5.1(a) 7.5.1(b) 7.5.2 7.5.3 7.5.3(a) 7.5.3(b) OR-1.0 Sec 4(A) Sec 4(B)(1) Sec 4(B)(2) Sec 4(B)(3) Sec 4(B)(4) Sec 4(D)(1) Sec 4(E)(1) Sec 4(G) GV.PO-P1 GV.PO-P6 PM-1 PM-1 PM-1 3.15.1.a 03.15.01.a GV GV.RM-01 GV.RM-03 GV.RR-01 GV.SC GV.SC-01 GV.SC-03 GV.SC-09 ID.RA PR PR.IR 12.1 12.1.1 A3.1.2 C.2 CM0005 1.2 1.2.1 9.1 7.1.2 7.1.2 PROGRAM-2.A.MIL1 PROGRAM-2.B.MIL2 PROGRAM-2.C.MIL2 PROGRAM-2.D.MIL2 PROGRAM-2.E.MIL2 PROGRAM-2.F.MIL2 PROGRAM-2.G.MIL3 PROGRAM-2.H.MIL3 PROGRAM-2.I.MIL3 PROGRAM-2.J.MIL3 EF:SG2.SP1 EF:SG2.SP2 OPF:SG1.SP1 5.1 5.1.1 5.1.1.1 5.1.1.2 PM-1 252.204-7008 252.204-7012 3.UNI.PEPAR § 1232h S-P (17 CFR §248.30) 314.3(a) 314.3(b)(1) 314.3(b)(2) 314.3(b)(3) 314.4(a) 314.4(b) 314.4(c) 164.306 164.306(a) 164.306(b) 164.306(c) 164.306(d) 164.306(e) 164.308(a)(1)(i) 164.530(j) 164.316 164.316(a) 164.316(b) 10.S.A 8.M.A 8.M.A 10.M.A PM-1 8-100 5.1 45.48.530 17.03(1) 17.04 17.03(2)(b)(2) 500.2(a) 500.2(b) 500.2(b)(1) 500.2(b)(2) 500.2(b)(3) 500.2(b)(4) 500.2(b)(5) 500.2(b)(6) 500.2(d) 500.2(e) 500.3(a) Sec 4(2)(a) Sec 4(2)(b)(ii) Sec 4(2)(b)(ii)(A) Sec 4(2)(b)(ii)(A)(1) Sec 4(2)(b)(ii)(A)(2) Sec 4(2)(b)(ii)(A)(3) Sec 4(2)(b)(ii)(A)(4) Sec 4(2)(b)(ii)(A)(5) Sec 4(2)(b)(ii)(A)(6) Sec 4(2)(b)(ii)(B)(1) Sec 4(2)(b)(ii)(B)(2) Sec 4(2)(b)(ii)(B)(3) Sec 4(2)(b)(ii)(B)(4) Sec 4(2)(b)(ii)(C)(1) Sec 4(2)(b)(ii)(C)(2) Sec 4(2)(b)(ii)(C)(3) Sec 4(2)(b)(ii)(C)(4) 38-99-20(A) 38-99-20(B)(1) 38-99-20(B)(2) 38-99-20(B)(3) 38-99-20(B)(4) 38-99-20(D)(1) 38-99-20(E)(1) 38-99-20(G) Sec. 521.052 Sec 10 PM-1 59.1-578.3 § 2447(a) § 2447(a)(1) § 2447(a)(1)(A) § 2447(a)(1)(B) § 2447(a)(1)(C) § 2447(a)(1)(D) § 2447(a)(2) § 2447(b) § 2447(c) § 2447(c)(1) § 2447(c)(1)(A) § 2447(c)(1)(A)(i) § 2447(c)(1)(A)(ii) § 2447(c)(1)(A)(iii) § 2447(c)(1)(A)(iv) § 2447(c)(1)(A)(v) Article 16.1(a) Article 16.1(b) Article 16.1(c) Article 16.1(d) Article 16.1(e) Article 16.1(f) Article 16.1(g) Article 16.1(h) Article 16.2 Article 5.1 Article 9.4 Art 32.1 Art 32.2 Art 32.3 Art 32.4 Article 21.1 Article 21.2 Article 21.2(a) Article 21.2(b) Article 21.2(c) Article 21.2(d) Article 21.2(e) Article 21.2(f) Article 21.2(g) Article 21.2(h) Article 21.2(i) Article 21.2(j) Art 3 Sec 14 Sec 15 Art 16 Art 13 Art 41 Sec 5 Sec 32 Sec 33 Sec 34 Sec 35 Art 34 Sec 9 Sec 9a Annex 4.1 OIS-01 Art 10 Sec 7 Sec 2 3.2 4.25 Sec 16 Sec 17 Sec 31 Sec 33 Sec 34 Sec 35 Art 3 Art 4 Sec 12 Sec 13 Sec 14 Sec 13 Sec 14 Art 1 Art 36 Art 14 Art 15 Art 16 Art 17 Art 7 Art 19 TPC-25 3.1.1 1-2-1 1-3-2 01-Jan Sec 19 Sec 21 Article 13.1 Article 35.1 Article 5 Article 6.1 Article 6.2 6.1 [ORG.1] Sec 31 Art 7 Art 12 Sec 15 Sec 16 A1.a B1.a B1.b A1 APP Part 1 APP Part 11 888 13 18 19 Sec 4 Article 58 Article 58(1) Article 58(2) Article 58(3) Article 58(4) Principle 4 Sec 8 Art 9 Art 10 Art 12 Art 13 Art 14 Art 15 Art 16 Art 17 Art 18 Art 19 Art 20 Art 21 Art 22 Art 23 Art 24 Art 28 Article 20 4.1 4.2 4.3 4.4 4.4.1 4.4.2 4.4.2.1 4.4.4 4.4.5 4.4.5.3 4.5 4.5.1 4.5.1.1 4.5.1.2 4.5.2 4.6 4.6.1 4.9.1 4.9.1.1 4.9.2 4.9.2.1 4.9.2.2 5.1 5.1.1 5.1.2 Sec 9 3.1 9.1 5.1.14.C.01 Sec 25 Sec 27 Sec 28 Sec 12 Sec 24 Art 3 Art 29 Art 30 Art 27 Art 9 Art 30 Sec 6 4 5.4 6.5 6.6 6.7 6.23 1 1.1.2 1.3.1 2.1.1 3 Principle 7 Art 7 Art 4 Art 10 Art 19 Art 9 Art 16 Art 17 x MA 201 CMR 17 NAIC x AICPA TSC 2017 (SOC 2) CSA CCM v4 FAR 252.204-7008 ISO 27001:2022 ISO 27002:2022 NAIC MDL-668 NIST Privacy Framework 1.0 NIST 800-171 R3 NIST CSF 2.0 DHS CISA TIC 3.0 GLBA R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 NT-7 MT-1 MT-2 MT-7 MT-8 MT-9 MT-11 MT-12 MT-13 MT-14 MT-15 MT-16 NT-7 MT-1 MT-2 MT-7 MT-8 MT-9 MT-11 MT-12 MT-13 MT-14 MT-15 MT-16 #NAME?
Cybersecurity & Data Protection Governance Steering Committee & Program Oversight FII-SCF-GOV-0001.1 Mechanisms exist to coordinate cybersecurity, data protection and business alignment through a steering committee or advisory board, comprised of key cybersecurity, data privacy and business executives, which meets formally and on a regular basis. - Steering committee - Digital Security Program (DSP) - Cybersecurity & Data Protection Program (CDPP) - SEC Form Form 20-F E-GOV-03 Does the organization coordinate cybersecurity, data protection and business alignment through a steering committee or advisory board, comprised of key cybersecurity, data privacy and business executives, which meets formally and on a regular basis? 7 x Govern x x There is no evidence of a capability to coordinate cybersecurity, data privacy and business alignment through a steering committee or advisory board, comprised of key cybersecurity, data privacy and business executives, which meets formally and on a regular basis. Cybersecurity & Privacy Governance (GOV) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • No formal cybersecurity and/ or data privacy principles are identified for the organization. • No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel. • Governance efforts are narrowly-limited to certain compliance requirements. • Formal roles and responsibilities for cybersecurity and/ or data privacy may exist. • Cybersecurity and data privacy governance is informally assigned as an additional duty to existing IT/cybersecurity personnel. • Basic cybersecurity policies and standards are documented [not based on any industry framework] • Basic procedures are established for important tasks, but are ad hoc and not formally documented. • Documentation is made available to internal personnel. • Organizational leadership maintains an informal process to review and respond to observed trends. Cybersecurity & Privacy Governance (GOV) efforts are requirements-driven and formally governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cybersecurity and data privacy governance activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure and compliant practices. • IT/cybersecurity personnel identify cybersecurity & data privacy controls that are appropriate to address applicable statutory, regulatory and contractual requirements for cybersecurity & data privacy governance activities. • The Chief Information Officer (CIO), or similar function, analyzes the organization’s business strategy and prioritizes the objectives of the security function, based on business requirements. • A qualified individual is assigned the role and responsibilities to centrally manage, coordinate, develop, implement and maintain a cybersecurity & data privacy program (e.g., cybersecurity director or Chief Information Security Officer (CISO)). • No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing cybersecurity personnel. • Compliance requirements for cybersecurity & data privacy are identified and documented. • Cybersecurity policies and standards exist that are aligned with a leading cybersecurity framework (e.g., SCF, NIST 800-53, ISO 27002 or NIST Cybersecurity Framework). • Controls are assigned to sensitive/regulated assets to comply with specific compliance requirements. • Procedures are established for sensitive/regulated obligations, but are not standardized across the organization. • Documentation is made available to internal personnel. • Quarterly Business Review (QBR), or similar status reporting, exists to provide recurring reports on the state of the cybersecurity & data privacy program. • Organizational leadership maintains an informal process to review and respond to trends. • Procedures for important tasks are documented and assigned to individuals or teams. Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Statutory, regulatory and contractual compliance requirements for cybersecurity & data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements. • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability. • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity & data privacy. • Controls are standardized across the organization to ensure uniformity and consistent execution. • Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization. • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization. • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity & data privacy controls for each system, application and/ or service of which they have accountability. • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer). • Risk management processes are defined, to include materiality considerations. Cybersecurity & Privacy Governance (GOV) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist: ▪ Metrics are developed that provide management insight, per a quantitative understanding of process capabilities, to predict optimal performance, ensure continued operations and identify areas for improvement. ▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs). ▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs). ▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity & data privacy controls, including functions performed by third-parties. ▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review). ▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes. ▪ Both business and technical stakeholders are involved in reviewing and approving proposed changes. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to coordinate cybersecurity, data privacy and business alignment through a steering committee or advisory board, comprised of key cybersecurity, data privacy and business executives, which meets formally and on a regular basis. CC1.2 CC1.2-POF1 CC1.2-POF2 CC1.2-POF3 CC1.2-POF4 CC1.3-POF1 CC1.3-POF3 CC1.5-POF3 CC1.5-POF4 CC1.5-POF5 CC2.2-POF12 CC2.2-POF4 CC2.3-POF3 CC3.1-POF11 CC3.4-POF3 CC4.2 CC4.2-POF1 CC4.2-POF2 4.1 4.1.1 4.1.2 4.1.3 4.1.4 4.1.5 4.1.6 4.2 4.4 7.5 8.3 8.4 RQ-05-08 4.3 5.1 6.2 7.4 9.3 10.2 4.4 5.3 5.3(a) 5.3(b) 9.3 9.3.1 9.3.2(a) 9.3.2(b) 9.3.2(c) 9.3.2(d) 9.3.2(d)(1) 9.3.2(d)(2) 9.3.2(d)(3) 9.3.2(d)(4) 9.3.2(e) 9.3.2(f) 9.3.2(g) 9.3.3 10.1 5.1 9.2.2(c) 9.3 9.3.1 9.3.2 9.3.2(a) 9.3.2(b) 9.3.2(c) 9.3.2(d) 9.3.2(d)(1) 9.3.2(d)(2) 9.3.2(d)(3) 9.3.2(e) Sec 4(B)(1) Sec 4(B)(2) Sec 4(B)(3) Sec 4(B)(4) Sec 4(D)(1) Sec 4(E)(2)(a) Sec 4(E)(2)(b) GOVERN 2.3 MAP 3.5 MAP 5.2 3.12.3 03.12.03 GV.OV GV.OV-01 GV.OV-02 GV.OV-03 GV.RM-01 GV.RM-03 GV.RR-01 GV.SC GV.SC-01 GV.SC-03 GV.SC-09 ID ID.RA PR PR.IR C.6 ASSET-5.E.MIL3 ASSET-5.F.MIL3 THREAT-3.F.MIL3 RISK-1.E.MIL2 RISK-1.F.MIL2 RISK-1.H.MIL3 RISK-5.F.MIL3 ACCESS-4.D.MIL3 ACCESS-4.F.MIL3 SITUATION-4.D.MIL3 RESPONSE-5.D.MIL3 THIRD-PARTIES-3.D.MIL3 WORKFORCE-4.D.MIL3 ARCHITECTURE-5.D.MIL3 PROGRAM-2.C.MIL2 PROGRAM-2.D.MIL2 PROGRAM-2.E.MIL2 PROGRAM-2.F.MIL2 PROGRAM-2.G.MIL3 PROGRAM-2.H.MIL3 PROGRAM-2.I.MIL3 PROGRAM-2.J.MIL3 PROGRAM-3.D.MIL3 3.UNI.PEPAR 314.4(a)(2) 17 CFR 229.106(b)(1)(iii) 17 CFR 229.106(c)(1) 17 CFR 229.106(c)(2) 17 CFR 229.106(c)(2)(i) 17 CFR 229.106(c)(2)(iii) Form 8-K Item 1.05(a) 500.4(b) 500.4(b)(1) 500.4(b)(2) 500.4(b)(3) 500.4(b)(4) 500.4(b)(5) 500.4(b)(6) 500.4(d) 500.4(d)(1) 500.4(d)(2) 500.4(d)(3) 500.4(d)(4) 38-99-20(B)(1) 38-99-20(B)(2) 38-99-20(B)(3) 38-99-20(B)(4) 38-99-20(D)(1) 38-99-20(E)(2)(a) 38-99-20(E)(2)(b) 3.2.1(2) 3.2.1(3) 3.2.1(4) Article 5.2 Article 5.2(a) Article 5.2(b) Article 5.2(c) Article 5.2(d) Article 5.2(e) Article 5.2(f) Article 5.2(g) Article 5.2(h) Article 5.2(i)(i) Article 5.2(i)(ii) Article 5.2(i)(iii) Article 21.2(f) 1.1 1.2 1.2(a) 1.2(b) 1.2(c) 1.2(d) 1.2(e) 1.2(f) 2.1 2.2 2.3 2.4 2.5 3.1.1 Article 27 Article 5 A1.a A1.c D2.a 725 20 21 22(a) 20 21 22(a) 22(b) 22(c) 23 24 25 13 19 4.1 4.4.1.2 4.4.1.3 4.4.2 4.4.2.1 4.4.4 4.4.5 4.5.3 4.6 4.6 4.6.1.1 4.6.1.2 4.6.2 4.6.3 4.6.3.1 4.6.3.2 4.6.2.3 4.6.2.4 4.9 4.9.1 4.9.1.1 4.9.2 4.9.2.1 4.9.2.2 3.2.9.C.01 3.1.1 3.1.2 3.1.3 3.1.4 3.1.5 3.1.6 3.1.7(a) 3.1.7(b) 3.1.7(c) 3.1.7(d) 3.1.7(e) 3.1.7(f) 3.1.7(g) 3.1.8(a) 3.1.8(b) 3.1.8(c) 3.1.8(d) 3.1.8(e) 5.1 5.6 6.5 6.6 6.7 6.21 6.22 6.23 6.24 1 1.1.2 1.3.1 NAIC AICPA TSC 2017 (SOC 2) ISO 27001:2022 NAIC MDL-668 NIST 800-171 R3 NIST CSF 2.0 DHS CISA TIC 3.0 GLBA SEC Cyber Rule x R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 NT-7 MT-1 MT-2 MT-3 MT-4 MT-5 MT-6 MT-7 MT-8 MT-9 MT-11 MT-12 MT-13 MT-14 MT-15 NT-7 MT-1 MT-2 MT-3 MT-4 MT-5 MT-6 MT-7 MT-8 MT-9 MT-11 MT-12 MT-13 MT-14 MT-15
Cybersecurity & Data Protection Governance Status Reporting To Governing Body FII-SCF-GOV-0001.2 Mechanisms exist to provide governance oversight reporting and recommendations to those entrusted to make executive decisions about matters considered material to the organization’s cybersecurity & data protection program. E-CPL-05 E-CPL-09 E-GOV-03 E-GOV-04 E-GOV-05 E-GOV-06 E-GOV-07 E-GOV-13 Does the organization provide governance oversight reporting and recommendations to those entrusted to make executive decisions about matters considered material to the organization’s cybersecurity & data protection program? 5 x Govern x x There is no evidence of a capability to provide governance oversight reporting and recommendations to those entrusted to make executive decisions about matters considered material to the organization’s cybersecurity & data privacy program. SP-CMM1 is N/A, since a structured process is required to provide governance oversight reporting and recommendations to those entrusted to make executive decisions about matters considered material to the organization’s cybersecurity & data privacy program. Cybersecurity & Privacy Governance (GOV) efforts are requirements-driven and formally governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cybersecurity and data privacy governance activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure and compliant practices. • IT/cybersecurity personnel identify cybersecurity & data privacy controls that are appropriate to address applicable statutory, regulatory and contractual requirements for cybersecurity & data privacy governance activities. • The Chief Information Officer (CIO), or similar function, analyzes the organization’s business strategy and prioritizes the objectives of the security function, based on business requirements. • A qualified individual is assigned the role and responsibilities to centrally manage, coordinate, develop, implement and maintain a cybersecurity & data privacy program (e.g., cybersecurity director or Chief Information Security Officer (CISO)). • No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing cybersecurity personnel. • Compliance requirements for cybersecurity & data privacy are identified and documented. • Cybersecurity policies and standards exist that are aligned with a leading cybersecurity framework (e.g., SCF, NIST 800-53, ISO 27002 or NIST Cybersecurity Framework). • Controls are assigned to sensitive/regulated assets to comply with specific compliance requirements. • Procedures are established for sensitive/regulated obligations, but are not standardized across the organization. • Documentation is made available to internal personnel. Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Statutory, regulatory and contractual compliance requirements for cybersecurity & data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements. • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability. • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity & data privacy. • Controls are standardized across the organization to ensure uniformity and consistent execution. • Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization. • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization. • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity & data privacy controls for each system, application and/ or service of which they have accountability. • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer). • Risk management processes are defined, to include materiality considerations. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to provide governance oversight reporting and recommendations to those entrusted to make executive decisions about matters considered material to the organization’s cybersecurity & data privacy program. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to provide governance oversight reporting and recommendations to those entrusted to make executive decisions about matters considered material to the organization’s cybersecurity & data privacy program. CC2.2-POF2 CC2.3-POF3 CC2.3-POF5 CC3.1-POF10 CC3.1-POF11 CC4.2 CC4.2-POF1 CC4.2-POF2 4.2 4.3 4.4 8.3 8.4 7.4 7.4(a) 7.4(b) 7.4(c) 7.4(d) 9.1 9.1(a) 9.1(b) 9.1(c) 9.1(d) 9.1(e) 9.1(f) 9.3 9.3.1 9.3.2(a) 9.3.2(b) 9.3.2(c) 9.3.2(d) 9.3.2(d)(1) 9.3.2(d)(2) 9.3.2(d)(3) 9.3.2(d)(4) 9.3.2(e) 9.3.2(f) 9.3.2(g) 9.3.3 5.1 9.3.3 GOVERN 2.3 MAP 3.5 3.12.3 03.12.03 GV.OV GV.OV-01 GV.OV-03 GV.SC GV.SC-09 ID A.1.6 ASSET-5.E.MIL3 ASSET-5.F.MIL3 THREAT-3.F.MIL3 RISK-1.E.MIL2 RISK-1.F.MIL2 RISK-5.F.MIL3 ACCESS-4.F.MIL3 SITUATION-4.F.MIL3 RESPONSE-5.F.MIL3 THIRD-PARTIES-3.F.MIL3 WORKFORCE-4.F.MIL3 ARCHITECTURE-5.F.MIL3 PROGRAM-3.F.MIL3 314.4(i) 314.4(i)(1) 314.4(i)(2) 17 CFR 229.106(b)(1)(iii) 17 CFR 229.106(c)(1) 17 CFR 229.106(c)(2)(ii) 17 CFR 229.106(c)(2)(iii) 7102(a)(1)(A) 7102(a)(1)(B) 7102(a)(1)(C) 7102(a)(1)(D) 7102(a)(1)(E) 7102(a)(1)(F) 7102(a)(2) 7102(b) 500.4(b) 500.4(c) 3.3.1(13)(e) 3.3.5(24) Article 13.5 Article 5.2(i) 3.9 3.11 4.10 7.5 A1.c D2.a 30 58(a) 58(b) 58(c) 4.4.1.2 4.6 4.6.1.1 4.6.1.2 4.6.2 4.6.3 4.6.3.1 4.6.3.2 4.6.2.3 4.6.2.4 4.7 4.9 4.9.1 4.9.1.1 4.9.2 4.9.2.1 4.9.2.2 1 1.1.2 AICPA TSC 2017 (SOC 2) ISO 27001:2022 NIST 800-171 R3 NIST CSF 2.0 DHS CISA TIC 3.0 GLBA SEC Cyber Rule R-AC-1 R-EX-3 R-EX-4 R-GV-1 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-AC-1 R-EX-3 R-EX-4 R-GV-1 R-GV-4 R-GV-5 R-GV-6 R-GV-7 NT-1 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-8 NT-9 NT-10 NT-11 NT-12 NT-13 NT-14 MT-8 MT-9 MT-12 MT-13 MT-14 MT-15 NT-1 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-8 NT-9 NT-10 NT-11 NT-12 NT-13 NT-14 MT-8 MT-9 MT-12 MT-13 MT-14 MT-15
Cybersecurity & Data Protection Governance Publishing Cybersecurity & Data Protection Documentation FII-SCF-GOV-0002 Mechanisms exist to establish, maintain and disseminate cybersecurity & data protection policies, standards and procedures. #NAME? E-GOV-08 E-GOV-09 E-GOV-11 Does the organization establish, maintain and disseminate cybersecurity & data protection policies, standards and procedures? 10 x Govern x x x There is no evidence of a capability to establish, maintain and disseminate cybersecurity & data privacy policies, standards and procedures. Cybersecurity & Privacy Governance (GOV) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • No formal cybersecurity and/ or data privacy principles are identified for the organization. • No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel. • Governance efforts are narrowly-limited to certain compliance requirements. • Formal roles and responsibilities for cybersecurity and/ or data privacy may exist. • Cybersecurity and data privacy governance is informally assigned as an additional duty to existing IT/cybersecurity personnel. • Basic cybersecurity policies and standards are documented [not based on any industry framework] • Basic procedures are established for important tasks, but are ad hoc and not formally documented. • Documentation is made available to internal personnel. • Organizational leadership maintains an informal process to review and respond to observed trends. Cybersecurity & Privacy Governance (GOV) efforts are requirements-driven and formally governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cybersecurity and data privacy governance activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure and compliant practices. • IT/cybersecurity personnel identify cybersecurity & data privacy controls that are appropriate to address applicable statutory, regulatory and contractual requirements for cybersecurity & data privacy governance activities. • The Chief Information Officer (CIO), or similar function, analyzes the organization’s business strategy and prioritizes the objectives of the security function, based on business requirements. • A qualified individual is assigned the role and responsibilities to centrally manage, coordinate, develop, implement and maintain a cybersecurity & data privacy program (e.g., cybersecurity director or Chief Information Security Officer (CISO)). • No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing cybersecurity personnel. • Compliance requirements for cybersecurity & data privacy are identified and documented. • Cybersecurity policies and standards exist that are aligned with a leading cybersecurity framework (e.g., SCF, NIST 800-53, ISO 27002 or NIST Cybersecurity Framework). • Controls are assigned to sensitive/regulated assets to comply with specific compliance requirements. • Procedures are established for sensitive/regulated obligations, but are not standardized across the organization. • Documentation is made available to internal personnel. Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Statutory, regulatory and contractual compliance requirements for cybersecurity & data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements. • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability. • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity & data privacy. • Controls are standardized across the organization to ensure uniformity and consistent execution. • Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization. • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization. • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity & data privacy controls for each system, application and/ or service of which they have accountability. • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer). • Risk management processes are defined, to include materiality considerations. Cybersecurity & Privacy Governance (GOV) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist: ▪ Metrics are developed that provide management insight, per a quantitative understanding of process capabilities, to predict optimal performance, ensure continued operations and identify areas for improvement. ▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs). ▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs). ▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity & data privacy controls, including functions performed by third-parties. ▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review). ▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes. ▪ Both business and technical stakeholders are involved in reviewing and approving proposed changes. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to establish, maintain and disseminate cybersecurity & data privacy policies, standards and procedures. CC1.2-POF1 CC1.4-POF1 CC2.2-POF1 CC2.2-POF7 CC5.3 CC5.3-POF1 CC7.2-POF1 P1.1-POF5 4.2 7.3 APO01.09 Principle 12 A&A-01 AIS-01 BCR-01 CCC-01 CEK-01 DCS-01 DCS-02 DCS-03 DCS-04 DSP-01 GRC-01 GRC-02 HRS-01 HRS-02 HRS-03 HRS-04 IAM-01 IAM-02 IPY-01 IVS-01 LOG-01 SEF-01 SEF-02 STA-01 STA-12 TVM-01 TVM-02 UEM-01 GVN-01 GVN-02 POL-03 SO1 8.2.1 RQ-05-01.a RQ-05-01.b 5.2.1 5.2.2 4.3 5.2 7.5.1 7.5.2 7.5.3 5.1(a) 5.2 5.2(a) 5.2(b) 5.2(c) 5.2(d) 5.2(e) 5.2(f) 5.2(g) 7.5 7.5.1 7.5.1(a) 7.5.1(b) 7.5.2 7.5.2(a) 7.5.2(b) 7.5.2(c) 7.5.3 7.5.3(a) 7.5.3(b) 7.5.3(c) 7.5.3(d) 7.5.3(e) 7.5.3(f) 5.1.1 6.2.1 9.1.1 5.1 5.37 5.1.1 6.2.1 9.1.1 6.2 6.2.1 6.2.1.1 5.1 5.2 5.2(a) 5.2(b) 5.2(c) 5.2(d) 7.5 7.5.1 7.5.1(a) 7.5.1(b) 7.5.2 7.5.3 7.5.3(a) 7.5.3(b) A.2 A.2.2 A.2.3 OR-1.0 OR-3.0 OP-2.0 PS-2.0 TS-2.4 TS-2.6 TS-2.8 TS-2.11 TS-3.0 GOVERN 1.0 GOVERN 1.2 GOVERN 1.4 GOVERN 2.2 GOVERN 3.2 GOVERN 4.1 GOVERN 5.1 GOVERN 6.0 GOVERN 6.1 MAP 3.5 GV.PO-P1 GV.PO-P6 GV.MT-P3 GV.MT-P4 GV.MT-P5 GV.MT-P6 GV.MT-P7 CT.PO-P1 CT.PO-P2 CT.PO-P3 CM.PO-P1 PR.PO-P4 P-5 PM-1 AC-1 AT-1 AU-1 CA-1 CM-1 CP-1 IA-1 IR-1 MA-1 MP-1 PE-1 PL-1 PM-1 PS-1 PT-1 RA-1 SA-1 SC-1 SI-1 SR-1 PM-1 AC-1 AT-1 AU-1 CA-1 CM-1 CP-1 IA-1 IR-1 MA-1 MP-1 PE-1 PL-1 PS-1 RA-1 SC-1 SI-1 SR-1 3.15.1.a 03.15.01.a 3.4.9[a] 3.9.2[a] A.03.15.01.a[01] A.03.15.01.a[02] A.03.15.01.a[03] A.03.15.01.a[04] ID.GV-1 GV.PO GV.PO-01 GV.SC-01 GV.SC-03 ID.RA 12.1 12.1.1 1.1.1 2.1.1 3.1.1 4.1.1 5.1.1 6.1.1 7.1.1 8.1.1 8.3.8 9.1.1 10.1.1 11.1.1 12.1 12.1.1 12.1.2 12.1.3 3.1.1 1.1.1 2.1.1 3.1.1 4.1.1 5.1.1 6.1.1 8.1.1 8.3.8 12.1.1 12.1.2 12.1.3 3.1.1 12.1.1 12.1.2 12.1.3 3.1.1 8.1.1 9.1.1 12.1.1 12.1.2 12.1.3 2.1.1 3.1.1 5.1.1 8.1.1 8.3.8 9.1.1 10.1.1 12.1.1 12.1.2 12.1.3 2.1.1 3.1.1 8.1.1 9.1.1 12.1.1 12.1.2 1.1.1 2.1.1 3.1.1 4.1.1 5.1.1 6.1.1 7.1.1 8.1.1 8.3.8 9.1.1 10.1.1 11.1.1 12.1.1 12.1.2 12.1.3 1.1.1 2.1.1 3.1.1 4.1.1 5.1.1 6.1.1 7.1.1 8.1.1 8.3.8 9.1.1 10.1.1 11.1.1 12.1.1 12.1.2 12.1.3 3.1.1 9.1.1 12.1.1 12.1.2 12.1.3 C.1 CM0088 1.1 1.1.1 7.1.1 ASSET-5.C.MIL3 THREAT-3.C.MIL3 RISK-5.C.MIL3 ACCESS-4.C.MIL3 SITUATION-4.C.MIL3 RESPONSE-5.C.MIL3 THIRD-PARTIES-3.C.MIL3 WORKFORCE-4.C.MIL3 ARCHITECTURE-5.C.MIL3 PROGRAM-3.C.MIL3 EF:SG2.SP1 EF:SG2.SP2 5.2 5.3 5.4 5.5 5.6 5.8 5.9 MA-1 PM-1 252.204-7008 252.204-7012 3.UNI.PEPAR 3.UNI.IDMRP 3.UNL.GPAUD 3.PEP.WE.ACONT § 11.10 § 11.10(j) § 1232h D1.G.SP.B.4 S-P (17 CFR §248.30) 314.4(c) 314.4(c)(8) 314.4(e) 164.306 164.308 164.308(a)(1)(i) 164.312 164.316 164.316(a) 164.316(b) 164.316(b)(1) 164.316(b)(1)(i) 164.316(b)(1)(ii) 164.316(b)(2)(ii) 164.530(i) 164.530(i)(1) 164.530(i)(2) 164.530(i)(3) 164.530(j) 164.530(j)(1) 4.S.A 10.S.A 4.M.B 4.M.B 10.M.A 1.8.2 2.C.2 PM-1 5.1 5.2 III.B III.B.1.d III.C III.C.1 III.C.1.a III.C.1.b III.C.3 III.D 45.48.530 17.03(1) 17.04 17.03(2)(b)(2) 500.11(a) 500.13(a) 500.14(a)(1) 500.15(a) 500.2(b)(2) 500.3 500.3(a) 500.3(b) 500.3(c) 500.3(d) 500.3(e) 500.3(f) 500.3(g) 500.3(h) 500.3(i) 500.3(j) 500.3(k) 500.3(l) 500.3(m) 500.3(n) 500.3(o) 500.5 500.7(b) 500.8(a) Sec 10 PM-1 Sec 11.175(b) § 2447(b)(3) 3.4.1(28) 3.4.1(29) 3.4.5(38) Article 6.2 Article 9.4(a) Article 9.4(d) Article 9.4(e) Article 9.4(f) Art 32.1 Art 32.2 Art 32.3 Art 32.4 Article 21.1 Article 21.2(a) Article 21.2(b) Article 21.2(c) Article 21.2(d) Article 21.2(e) Article 21.2(f) Article 21.2(g) Article 21.2(h) Article 21.2(i) Article 21.2(j) Art 3 Sec 14 Sec 15 Art 16 4.2 4.3 4.8 OIS-01 OIS-02 SP-01 1.1 4.1 4.25 5.2 5.3 9.1 10.1 11.2 12.1 13.1 14.1 15.1 17.1 18.1 20.1 21.1 22.1 24.1 25.1 4.1(1) Article 8.4 TPC-25 3.1.3 1-3-1 1-3-3 1-1 1-1-1 Article 12.1 Article 12.1(a) Article 12.1(b) Article 12.1(c) Article 12.1(d) Article 12.1(e) Article 12.1(f) Article 12.2 Article 12.6 Article 12.6(a) Article 12.6(b) Article 12.6(c) Article 12.6(d) Article 12.6(e) Article 12.6(f) Article 12.6(g) Article 12.6(h) Article 12.6(i) Article 12.6(j) Article 12.6(k) Article 12.6(l) Article 12.6(m) Article 12.6(n) Article 12.6(ñ) Article 12.7 6.1 [ORG.1] 6.2 [ORG.2] A1.a B1.a B1.b A1 A5 APP 1 0047 0888 1478 1602 1784 1785 1551 18 19 4.4.1 4.4.4 4.4.5 4.4.5.1 4.4.5.3 4.5.1 4.5.2 4.5.3 4.5.3.1 4.6 4.6.1 4.8.1 4.8.1.1 4.8.2 4.8.2.1 4.8.2.2 5.1.1 1.4.2 1.5 3.2 4.1 4.2 5.2 6.2 7.2 8.2 9.2 10.2 11.2 12.2 13.2 14.2 15.2 16.2 17.2 18.2 19.2 5.1.7.C.01 5.1.14.C.01 5.1.16.C.01 5.1.16.C.02 5.1.17.C.01 5.1.18.C.01 5.1.19.C.01 5.1.20.C.01 5.1.20.C.02 5.2.3.C.01 5.2.3.C.02 3.2.1 6.1 6.3 1 3 x MA 201 CMR 17 AICPA TSC 2017 (SOC 2) CSA CCM v4 FAR 252.204-7008 ISO 27001:2022 ISO 27002:2022 NIST Privacy Framework 1.0 NIST 800-171 R3 NIST CSF 2.0 DHS CISA TIC 3.0 GLBA x R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 NT-7 MT-1 MT-2 MT-7 MT-8 MT-9 MT-11 MT-12 MT-13 MT-14 MT-15 NT-7 MT-1 MT-2 MT-7 MT-8 MT-9 MT-11 MT-12 MT-13 MT-14 MT-15 - updated NIST 800-161 R1 mapping
Cybersecurity & Data Protection Governance Exception Management FII-SCF-GOV-0002.1 Mechanisms exist to prohibit exceptions to standards, except when the exception has been formally assessed for risk impact, approved and recorded. Does the organization prohibit exceptions to standards, except when the exception has been formally assessed for risk impact, approved and recorded? 8 x Govern x x x There is no evidence of a capability to prohibit exceptions to standards, except when the exception has been formally assessed for risk impact, approved and recorded. Cybersecurity & Privacy Governance (GOV) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • No formal cybersecurity and/ or data privacy principles are identified for the organization. • No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel. • Governance efforts are narrowly-limited to certain compliance requirements. • Formal roles and responsibilities for cybersecurity and/ or data privacy may exist. • Cybersecurity and data privacy governance is informally assigned as an additional duty to existing IT/cybersecurity personnel. • Basic cybersecurity policies and standards are documented [not based on any industry framework] • Basic procedures are established for important tasks, but are ad hoc and not formally documented. • Documentation is made available to internal personnel. • Organizational leadership maintains an informal process to review and respond to observed trends. Cybersecurity & Privacy Governance (GOV) efforts are requirements-driven and formally governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cybersecurity and data privacy governance activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure and compliant practices. • IT/cybersecurity personnel identify cybersecurity & data privacy controls that are appropriate to address applicable statutory, regulatory and contractual requirements for cybersecurity & data privacy governance activities. • The Chief Information Officer (CIO), or similar function, analyzes the organization’s business strategy and prioritizes the objectives of the security function, based on business requirements. • A qualified individual is assigned the role and responsibilities to centrally manage, coordinate, develop, implement and maintain a cybersecurity & data privacy program (e.g., cybersecurity director or Chief Information Security Officer (CISO)). • No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing cybersecurity personnel. • Compliance requirements for cybersecurity & data privacy are identified and documented. • Cybersecurity policies and standards exist that are aligned with a leading cybersecurity framework (e.g., SCF, NIST 800-53, ISO 27002 or NIST Cybersecurity Framework). • Controls are assigned to sensitive/regulated assets to comply with specific compliance requirements. • Procedures are established for sensitive/regulated obligations, but are not standardized across the organization. • Documentation is made available to internal personnel. Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Statutory, regulatory and contractual compliance requirements for cybersecurity & data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements. • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability. • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity & data privacy. • Controls are standardized across the organization to ensure uniformity and consistent execution. • Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization. • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization. • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity & data privacy controls for each system, application and/ or service of which they have accountability. • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer). • Risk management processes are defined, to include materiality considerations. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to prohibit exceptions to standards, except when the exception has been formally assessed for risk impact, approved and recorded. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to prohibit exceptions to standards, except when the exception has been formally assessed for risk impact, approved and recorded. ID.RA-07 C.2.2 500.12(b) 500.15(b) 500.9(b)(3) NIST CSF 2.0 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-AM-3 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-AM-3 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 NT-7 MT-1 MT-2 MT-3 MT-4 MT-6 MT-7 MT-8 MT-9 MT-11 MT-12 MT-13 MT-14 MT-15 NT-7 MT-1 MT-2 MT-3 MT-4 MT-6 MT-7 MT-8 MT-9 MT-11 MT-12 MT-13 MT-14 MT-15
Cybersecurity & Data Protection Governance Periodic Review & Update of Cybersecurity & Data Protection Program FII-SCF-GOV-0003 Mechanisms exist to review the cybersecurity & data privacy program, including policies, standards and procedures, at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness. #NAME? E-GOV-12 Does the organization review the cybersecurity & data privacy program, including policies, standards and procedures, at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness? 7 x Govern x x x There is no evidence of a capability to review the cybersecurity & data privacy program, including policies, standards and procedures, at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness. Cybersecurity & Privacy Governance (GOV) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • No formal cybersecurity and/ or data privacy principles are identified for the organization. • No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel. • Governance efforts are narrowly-limited to certain compliance requirements. • Formal roles and responsibilities for cybersecurity and/ or data privacy may exist. • Cybersecurity and data privacy governance is informally assigned as an additional duty to existing IT/cybersecurity personnel. • Basic cybersecurity policies and standards are documented [not based on any industry framework] • Basic procedures are established for important tasks, but are ad hoc and not formally documented. • Documentation is made available to internal personnel. • Organizational leadership maintains an informal process to review and respond to observed trends. • Documentation change control processes do not exist or are not formal. • People affected by documentation changes are provided notification of the policy and standard changes. • Informal recommendations are leveraged to update existing policies and standards. • Unstructured review of the cybersecurity and/ or data privacy program is performed on an annual basis. Cybersecurity & Privacy Governance (GOV) efforts are requirements-driven and formally governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cybersecurity and data privacy governance activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure and compliant practices. • IT/cybersecurity personnel identify cybersecurity & data privacy controls that are appropriate to address applicable statutory, regulatory and contractual requirements for cybersecurity & data privacy governance activities. • The Chief Information Officer (CIO), or similar function, analyzes the organization’s business strategy and prioritizes the objectives of the security function, based on business requirements. • A qualified individual is assigned the role and responsibilities to centrally manage, coordinate, develop, implement and maintain a cybersecurity & data privacy program (e.g., cybersecurity director or Chief Information Security Officer (CISO)). • No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing cybersecurity personnel. • Compliance requirements for cybersecurity & data privacy are identified and documented. • Cybersecurity policies and standards exist that are aligned with a leading cybersecurity framework (e.g., SCF, NIST 800-53, ISO 27002 or NIST Cybersecurity Framework). • Controls are assigned to sensitive/regulated assets to comply with specific compliance requirements. • Procedures are established for sensitive/regulated obligations, but are not standardized across the organization. • Documentation is made available to internal personnel. • Formal documentation review process is performed on an annual basis. • Documentation review process includes the scope of applicable statutory, regulatory and contractual obligations. • Recommendations for documentation edits are submitted for review and are handled in accordance with documentation change control processes. • Updated documentation versions are published at least annually, based on the review process. • People affected by documentation changes are provided notification of the policy and standard changes. Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Statutory, regulatory and contractual compliance requirements for cybersecurity & data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements. • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability. • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity & data privacy. • Controls are standardized across the organization to ensure uniformity and consistent execution. • Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization. • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization. • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity & data privacy controls for each system, application and/ or service of which they have accountability. • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer). • Risk management processes are defined, to include materiality considerations. Cybersecurity & Privacy Governance (GOV) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist: ▪ Metrics are developed that provide management insight, per a quantitative understanding of process capabilities, to predict optimal performance, ensure continued operations and identify areas for improvement. ▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs). ▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs). ▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity & data privacy controls, including functions performed by third-parties. ▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review). ▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes. ▪ Both business and technical stakeholders are involved in reviewing and approving proposed changes. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to review the cybersecurity & data privacy program, including policies, standards and procedures, at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness. CC2.2-POF7 CC5.3 CC5.3-POF6 4.3 4.4 8.3 8.4 EDM01.01 EDM01.03 EDM05.01 APO02.02 APO13.03 Principle 12 A&A-01 AIS-01 BCR-01 CCC-01 CEK-01 DCS-01 DCS-02 DCS-03 DCS-04 DSP-01 GRC-01 GRC-02 GRC-03 HRS-01 HRS-02 HRS-03 HRS-04 IAM-01 IAM-02 IPY-01 IVS-01 LOG-01 SEF-01 SEF-02 STA-01 TVM-01 TVM-02 UEM-01 SO1 8.2.1 RQ-05-08 6.1.1 7.4 7.5.2 7.5.2(a) 7.5.2(b) 7.5.2(c) 5.1.2 5.1 5.37 5.1.2 6.2.1.2 7.5.2 A.2.4 OP-2.0 Sec 4(G) GV.MT-P2 PM-1 AC-1 AT-1 AU-1 CA-1 CM-1 CP-1 IA-1 IR-1 MA-1 MP-1 PE-1 PL-1 PM-1 PS-1 PT-1 RA-1 SA-1 SC-1 SI-1 SR-1 PM-1 AC-1 AT-1 AU-1 CA-1 CM-1 CP-1 IA-1 IR-1 MA-1 MP-1 PE-1 PL-1 PS-1 PT-1 RA-1 SA-1 SC-1 SI-1 SR-1 3.15.1.b 03.15.01.b 03.15.03.d A.03.15.01.ODP[01] A.03.15.01.b[01] A.03.15.01.b[02] GV.OV GV.OV-01 GV.OV-02 GV.PO-02 1.1.1 2.1.1 3.1.1 4.1.1 5.1.1 6.1.1 7.1.1 8.1.1 9.1.1 10.1.1 11.1.1 12.1 12.1.1 12.1.2 3.1.1 1.1.1 2.1.1 3.1.1 4.1.1 5.1.1 6.1.1 8.1.1 8.3.8 12.1.1 12.1.2 12.1.3 3.1.1 12.1.1 12.1.2 12.1.3 3.1.1 8.1.1 9.1.1 12.1.1 12.1.2 12.1.3 2.1.1 3.1.1 5.1.1 8.1.1 8.3.8 9.1.1 10.1.1 12.1.1 12.1.2 12.1.3 2.1.1 3.1.1 8.1.1 9.1.1 12.1.1 12.1.2 1.1.1 2.1.1 3.1.1 4.1.1 5.1.1 6.1.1 7.1.1 8.1.1 8.3.8 9.1.1 10.1.1 11.1.1 12.1.1 12.1.2 12.1.3 1.1.1 2.1.1 3.1.1 4.1.1 5.1.1 6.1.1 7.1.1 8.1.1 8.3.8 9.1.1 10.1.1 11.1.1 12.1.1 12.1.2 12.1.3 3.1.1 9.1.1 12.1.1 12.1.2 P.3.4 EF:SG2.SP1 EF:SG2.SP2 OPF:SG1.SP2 OPF:SG1.SP3 OPF:SG2.SP1 5.2 5.3 5.4 5.5 5.6 5.8 5.9 MA-1 PM-1 § 1232h 314.4(b) 314.4(g) 164.306(e) 164.316(b) 164.316(b)(1) 164.316(b)(1)(i) 164.316(b)(1)(ii) 164.316(b)(2)(iii) 164.530(i)(2) 10.S.A 10.M.A PM-1 CIP-003-6 R1 45.48.530 500.8(b) Sec 4(2)(b)(ii)(A)(6) 38-99-20(G) Sec 10 PM-1 § 2447(b)(8)(B) § 2447(b)(9) § 2447(b)(9)(A) § 2447(b)(9)(B) 3.3.1(14) Art 32.1 Art 32.2 Art 32.3 Art 32.4 Art 3 Sec 14 Sec 15 Art 16 4.2 4.8 OIS-01 SP-02 1.1 5.2 9.1 10.1 11.2 13.1 14.1 15.1 17.1 18.1 21.1 22.1 24.1 25.1 1-1-3 1-3-4 1-6-4 1-9-6 1-10-5 2-2-4 2-3-4 2-4-4 2-5-4 2-6-4 2-7-4 2-8-4 2-9-4 2-10-4 2-11-4 2-12-4 2-13-4 2-14-4 2-15-4 3-1-4 4-1-4 4-2-4 5-1-4 01-01-2003 Article 27 B1.a B1.b 1617 19 4.5.3 4.5.3.1 4.6 4.6.2 4.6.2.1 4.7 4.8.2 4.8.2.1 4.8.2.2 5.1.2 5.1.14.C.01 5.1.21.C.01 5.1.21.C.02 3.2.2 1 1.3.1 x NAIC AICPA TSC 2017 (SOC 2) CSA CCM v4 ISO 27001:2022 ISO 27002:2022 NAIC MDL-668 NIST Privacy Framework 1.0 NIST 800-171 R3 NIST CSF 2.0 DHS CISA TIC 3.0 GLBA x R-AC-1 R-BC-4 R-BC-5 R-EX-2 R-EX-5 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-3 R-SA-1 R-SA-2 R-AC-1 R-BC-4 R-BC-5 R-EX-2 R-EX-5 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-3 R-SA-1 R-SA-2 NT-7 MT-1 MT-2 MT-7 MT-8 MT-9 MT-11 MT-12 MT-13 MT-14 MT-15 NT-7 MT-1 MT-2 MT-7 MT-8 MT-9 MT-11 MT-12 MT-13 MT-14 MT-15 - updated NIST 800-161 R1 mapping
Cybersecurity & Data Protection Governance Assigned Cybersecurity & Data Protection Responsibilities FII-SCF-GOV-0004 Mechanisms exist to assign one or more qualified individuals with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide cybersecurity & data protection program. #NAME? E-HRS-01 E-HRS-05 E-HRS-06 E-HRS-07 E-HRS-08 E-HRS-09 E-HRS-10 E-HRS-13 E-HRS-15 Does the organization assign one or more qualified individuals with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide cybersecurity & data protection program? 10 x Govern x x x There is no evidence of a capability to assign a qualified individual with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide cybersecurity & data privacy program. SP-CMM1 is N/A, since a structured process is required to assign a qualified individual with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide cybersecurity & data privacy program. Cybersecurity & Privacy Governance (GOV) efforts are requirements-driven and formally governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cybersecurity and data privacy governance activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure and compliant practices. • IT/cybersecurity personnel identify cybersecurity & data privacy controls that are appropriate to address applicable statutory, regulatory and contractual requirements for cybersecurity & data privacy governance activities. • The Chief Information Officer (CIO), or similar function, analyzes the organization’s business strategy and prioritizes the objectives of the security function, based on business requirements. • A qualified individual is assigned the role and responsibilities to centrally manage, coordinate, develop, implement and maintain a cybersecurity & data privacy program (e.g., cybersecurity director or Chief Information Security Officer (CISO)). • No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing cybersecurity personnel. • Compliance requirements for cybersecurity & data privacy are identified and documented. • Cybersecurity policies and standards exist that are aligned with a leading cybersecurity framework (e.g., SCF, NIST 800-53, ISO 27002 or NIST Cybersecurity Framework). • Controls are assigned to sensitive/regulated assets to comply with specific compliance requirements. • Procedures are established for sensitive/regulated obligations, but are not standardized across the organization. • Documentation is made available to internal personnel. Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Statutory, regulatory and contractual compliance requirements for cybersecurity & data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements. • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability. • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity & data privacy. • Controls are standardized across the organization to ensure uniformity and consistent execution. • Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization. • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization. • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity & data privacy controls for each system, application and/ or service of which they have accountability. • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer). • Risk management processes are defined, to include materiality considerations. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to assign a qualified individual with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide cybersecurity & data privacy program. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to assign a qualified individual with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide cybersecurity & data privacy program. CC1.1 CC1.3 CC5.3-POF2 4.1 4.1.1 4.1.2 4.1.3 4.1.4 4.1.5 4.1.6 APO01.05 Principle 1 Principle 3 GRC-06 STA-04 8.2.7 RQ-05-03 RQ-06-04 5.1 5.3 5.3 5.1(f) 5.1(h) 5.3 5.3(a) 5.3(b) 5.2 6.1.1 5.3 5.3(a) 5.3(b) A.3.2 Sec 4(C)(1) GOVERN 2.3 GOVERN 5.0 ID.IM-P2 GV.PO-P3 CM.PO-P2 P-1 PL-9 PM-2 PM-6 PL-9 PM-2 PM-6 PM-29 PL-9 PM-2 PM-6 PM-29 PL-9 PM-2 PM-6 PM-29 PL-9 PM-2 PM-6 PM-29 PL-9 PM-2 PM-6 PO.2.3 ID.AM-6 GV.RM GV.RM-05 GV.RR-01 GV.RR-02 12.5 12.5.1 12.5.2 12.5.3 12.5.4 12.5.5 1.1.2 2.1.2 3.1.2 4.1.2 5.1.2 6.1.2 7.1.2 8.1.2 9.1.2 10.1.2 11.1.2 12.1.3 12.1.4 A3.1.1 A3.1.3 12.1.3 12.1.4 12.1.3 12.1.3 1.1.2 2.1.2 3.1.2 4.1.2 5.1.2 6.1.2 7.1.2 8.1.2 9.1.2 10.1.2 11.1.2 12.1.3 12.1.4 A3.1.1 A3.1.3 1.1.2 2.1.2 3.1.2 4.1.2 5.1.2 6.1.2 7.1.2 8.1.2 9.1.2 10.1.2 11.1.2 12.1.3 12.1.4 A3.1.1 A3.1.3 12.1.3 C.2 1.2.2 ASSET-5.D.MIL3 THREAT-3.D.MIL3 RISK-1.E.MIL2 RISK-1.F.MIL2 RISK-5.D.MIL3 ACCESS-4.D.MIL3 SITUATION-4.D.MIL3 RESPONSE-5.D.MIL3 THIRD-PARTIES-3.D.MIL3 WORKFORCE-4.D.MIL3 ARCHITECTURE-5.D.MIL3 PROGRAM-3.D.MIL3 EF:SG2.SP2 EF:SG4.SP2 GG2.GP1 MA:SG1.SP1 MON:SG1.SP1 MON:SG1.SP3 4.1 4.2 PM-2 PM-6 D1.R.St.B.1 D1.TC.Cu.B.1 314.4(a) 314.4(a)(1) 314.4(a)(2) 314.4(a)(3) 164.308(a)(2) 5.S.B 10.S.A 5.M.B 8.M.A 5.M.B 8.M.A 10.M.A 1.5 PM-2 PM-29 CIP-003-6 R3 & R4 8-101 8-311 17 CFR 229.106(b)(1)(ii) 17 CFR 229.106(c)(1) 17 CFR 229.106(c)(2)(i) Form 8-K Item 1.05(a) 17.03(2)(a) 500.4(a) Sec 4(2)(b)(ii)(A)(1) 622(2)(d)(A)(i) 38-99-20(C)(1) Sec 9 PM-2 PM-6 Sec 11.175(d) § 2447(b)(1) 3.3.1(11) 3.3.1(12) 3.7.5(91) Article 5.2 Article 5.2(a) Article 5.2(b) Article 5.2(c) Article 5.2(d) Article 5.2(e) Article 5.2(f) Article 5.2(g) Article 5.2(h) Article 5.2(i)(i) Article 5.2(i)(ii) Article 5.2(i)(iii) Article 5.3 Sec 14 Sec 15 Art 16 4.4 4.5 4.6 OIS-03 3.1.4 1-2-2 1-4-1 1-4-2 1-5-2 1-2 1-2-1-2 A1.b A1.c Article 5(2) 0714 0717 0718 0735 21 24 14 19 Article 45 Article 46 Article 52 4.3.1 4.3.1.1 4.4.1.2 6.1.1.13.PB 6.1.3.13.PB 1.8 3.1.8.C.01 3.1.8.C.02 3.1.8.C.03 3.1.9.C.01 3.2.8.C.01 3.2.8.C.02 3.2.8.C.03 3.2.8.C.04 3.2.8.C.05 3.2.9.C.01 3.2.10.C.01 3.2.10.C.02 3.2.10.C.03 3.2.10.C.04 3.2.11.C.01 3.2.11.C.02 3.2.11.C.03 3.2.12.C.01 3.2.12.C.02 3.2.12.C.03 3.2.13.C.01 3.2.13.C.02 3.2.14.C.01 3.2.15.C.01 3.2.16.C.01 3.2.17.C.01 3.2.18.C.01 3.2.19.C.01 3.1.7(a) 3.1.7(b) 3.1.7(c) 3.1.7(d) 3.1.7(e) 3.1.7(f) 3.1.7(g) 3.1.8(a) 3.1.8(b) 3.1.8(c) 3.1.8(d) 3.1.8(e) 5.2 1.1 1.2 6.2 1 1.1 1.1.1 1.1.2 x MA 201 CMR 17 OR 6464A NAIC AICPA TSC 2017 (SOC 2) CSA CCM v4 ISO 27001:2022 ISO 27002:2022 NAIC MDL-668 NIST CSF 2.0 NIST Privacy Framework 1.0 DHS CISA TIC 3.0 GLBA SEC Cyber Rule x R-AC-1 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 R-AC-1 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 NT-7 MT-1 MT-2 MT-3 MT-4 MT-5 MT-6 MT-7 MT-8 MT-9 MT-11 MT-12 MT-13 MT-14 MT-15 NT-7 MT-1 MT-2 MT-3 MT-4 MT-5 MT-6 MT-7 MT-8 MT-9 MT-11 MT-12 MT-13 MT-14 MT-15
Cybersecurity & Data Protection Governance Stakeholder Accountability Structure FII-SCF-GOV-0004.1 Mechanisms exist to enforce an accountability structure so that appropriate teams and individuals are empowered, responsible and trained for mapping, measuring and managing data and technology-related risks. #NAME? E-HRS-15 Does the organization enforce an accountability structure so that appropriate teams and individuals are empowered, responsible and trained for mapping, measuring and managing data and technology-related risks? 8 x Govern x x x There is no evidence of a capability to enforce an accountability structure so that appropriate teams and individuals are empowered, responsible and trained for mapping, measuring and managing data and technology-related risks. SP-CMM1 is N/A, since a structured process is required to enforce an accountability structure so that appropriate teams and individuals are empowered, responsible and trained for mapping, measuring and managing data and technology-related risks. SP-CMM2 is N/A, since a well-defined process is required to enforce an accountability structure so that appropriate teams and individuals are empowered, responsible and trained for mapping, measuring and managing data and technology-related risks. Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Statutory, regulatory and contractual compliance requirements for cybersecurity & data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements. • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability. • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity & data privacy. • Controls are standardized across the organization to ensure uniformity and consistent execution. • Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization. • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization. • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity & data privacy controls for each system, application and/ or service of which they have accountability. • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer). • Risk management processes are defined, to include materiality considerations. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to enforce an accountability structure so that appropriate teams and individuals are empowered, responsible and trained for mapping, measuring and managing data and technology-related risks. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to enforce an accountability structure so that appropriate teams and individuals are empowered, responsible and trained for mapping, measuring and managing data and technology-related risks. CC1.2-POF1 CC1.3 CC1.3-POF1 CC1.3-POF2 CC1.3-POF3 CC1.3-POF4 CC1.3-POF5 CC1.3-POF6 CC1.5-POF1 CC5.3-POF2 5.1 A.3 GOVERN 2.0 MANAGE 2.4 PO.2.3 GV.RM-05 GV.RR-01 R.6 17 CFR 229.106(c)(1) 500.4(b) 500.4(b)(6) 3.3.1(11) 3.7.5(91) 4.5 4.6 4.10 A1.b A1.c B1.b 21 1 1.1 1.1.1 1.1.2 AICPA TSC 2017 (SOC 2) NIST CSF 2.0 DHS CISA TIC 3.0 SEC Cyber Rule R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 NT-1 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-8 NT-9 NT-10 NT-11 NT-12 NT-13 NT-14 MT-1 MT-2 MT-3 MT-6 MT-9 MT-12 MT-13 MT-14 MT-15 NT-1 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-8 NT-9 NT-10 NT-11 NT-12 NT-13 NT-14 MT-1 MT-2 MT-3 MT-6 MT-9 MT-12 MT-13 MT-14 MT-15
Cybersecurity & Data Protection Governance Authoritative Chain of Command FII-SCF-GOV-0004.2 Mechanisms exist to establish an authoritative chain of command with clear lines of communication to remove ambiguity from individuals and teams related to managing data and technology-related risks. #NAME? E-HRS-15 Does the organization establish an authoritative chain of command with clear lines of communication to remove ambiguity from individuals and teams related to managing data and technology-related risks? 7 x Govern x x x There is no evidence of a capability to establish an authoritative chain of command with clear lines of communication to remove ambiguity from individuals and teams related to managing data and technology-related risks. SP-CMM1 is N/A, since a structured process is required to establish an authoritative chain of command with clear lines of communication to remove ambiguity from individuals and teams related to managing data and technology-related risks. SP-CMM2 is N/A, since a well-defined process is required to establish an authoritative chain of command with clear lines of communication to remove ambiguity from individuals and teams related to managing data and technology-related risks. Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Statutory, regulatory and contractual compliance requirements for cybersecurity & data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements. • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability. • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity & data privacy. • Controls are standardized across the organization to ensure uniformity and consistent execution. • Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization. • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization. • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity & data privacy controls for each system, application and/ or service of which they have accountability. • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer). • Risk management processes are defined, to include materiality considerations. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to establish an authoritative chain of command with clear lines of communication to remove ambiguity from individuals and teams related to managing data and technology-related risks. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to establish an authoritative chain of command with clear lines of communication to remove ambiguity from individuals and teams related to managing data and technology-related risks. CC1.2-POF1 CC1.3 CC1.3-POF1 CC1.3-POF2 CC1.3-POF3 CC1.3-POF4 CC1.3-POF5 CC1.3-POF6 CC1.5-POF1 5.1 A.3 GOVERN 2.1 R.29.1.3 17 CFR 229.106(c)(1) 500.4(b) 3.7.5(91) 4.5 4.6 4.10 A1.b A1.c 21 1 1.1.2 AICPA TSC 2017 (SOC 2) DHS CISA TIC 3.0 SEC Cyber Rule R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 NT-1 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-8 NT-9 NT-10 NT-11 NT-12 NT-13 NT-14 MT-1 MT-2 MT-3 MT-6 MT-9 MT-12 MT-13 MT-14 MT-15 NT-1 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-8 NT-9 NT-10 NT-11 NT-12 NT-13 NT-14 MT-1 MT-2 MT-3 MT-6 MT-9 MT-12 MT-13 MT-14 MT-15
Cybersecurity & Data Protection Governance Measures of Performance FII-SCF-GOV-0005 Mechanisms exist to develop, report and monitor cybersecurity & data privacy program measures of performance. #NAME? E-GOV-13 Does the organization develop, report and monitor cybersecurity & data privacy program measures of performance? 6 x Govern x x There is no evidence of a capability to develop, report and monitor cybersecurity & data privacy program measures of performance. Cybersecurity & Privacy Governance (GOV) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • No formal cybersecurity and/ or data privacy principles are identified for the organization. • No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel. • Governance efforts are narrowly-limited to certain compliance requirements. • Formal roles and responsibilities for cybersecurity and/ or data privacy may exist. • Cybersecurity and data privacy governance is informally assigned as an additional duty to existing IT/cybersecurity personnel. • Basic cybersecurity policies and standards are documented [not based on any industry framework] • Basic procedures are established for important tasks, but are ad hoc and not formally documented. • Documentation is made available to internal personnel. • Organizational leadership maintains an informal process to review and respond to observed trends. Cybersecurity & Privacy Governance (GOV) efforts are requirements-driven and formally governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cybersecurity and data privacy governance activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure and compliant practices. • IT/cybersecurity personnel identify cybersecurity & data privacy controls that are appropriate to address applicable statutory, regulatory and contractual requirements for cybersecurity & data privacy governance activities. • The Chief Information Officer (CIO), or similar function, analyzes the organization’s business strategy and prioritizes the objectives of the security function, based on business requirements. • A qualified individual is assigned the role and responsibilities to centrally manage, coordinate, develop, implement and maintain a cybersecurity & data privacy program (e.g., cybersecurity director or Chief Information Security Officer (CISO)). • No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing cybersecurity personnel. • Compliance requirements for cybersecurity & data privacy are identified and documented. • Cybersecurity policies and standards exist that are aligned with a leading cybersecurity framework (e.g., SCF, NIST 800-53, ISO 27002 or NIST Cybersecurity Framework). • Controls are assigned to sensitive/regulated assets to comply with specific compliance requirements. • Procedures are established for sensitive/regulated obligations, but are not standardized across the organization. • Documentation is made available to internal personnel. • Simple metrics exist to provide operational oversight of a limited scope of cybersecurity & data privacy controls. Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Statutory, regulatory and contractual compliance requirements for cybersecurity & data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements. • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability. • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity & data privacy. • Controls are standardized across the organization to ensure uniformity and consistent execution. • Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization. • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization. • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity & data privacy controls for each system, application and/ or service of which they have accountability. • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer). • Risk management processes are defined, to include materiality considerations. Cybersecurity & Privacy Governance (GOV) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist: ▪ Metrics are developed that provide management insight, per a quantitative understanding of process capabilities, to predict optimal performance, ensure continued operations and identify areas for improvement. ▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs). ▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs). ▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity & data privacy controls, including functions performed by third-parties. ▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review). ▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes. ▪ Both business and technical stakeholders are involved in reviewing and approving proposed changes. Cybersecurity & Privacy Governance (GOV) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist: ▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions. ▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. CC1.1-POF3 CC1.2 CC1.5 CC1.5-POF2 CC1.5-POF5 CC2.1-POF4 CC2.2 CC4.1 CC4.1-POF2 CC4.2-POF1 CC5.3-POF6 4.3 7.5 8.3 8.4 EDM01.03 EDM05.01 EDM05.03 APO02.02 MEA01.04 Principle 2 Principle 5 Principle 14 Principle 16 Principle 19 Principle 20 AIS-03 SEF-05 TVM-09 TVM-10 SO11 S12 S13 S14 S15 RQ-05-08 9.1 9.1 9.1 9.1(a) 9.1(b) 9.1(c) 9.1(d) 9.1(e) 9.1(f) 5.6 5.1 9.3.2(d) 9.3.2(d)(1) 9.3.2(d)(2) 9.3.2(d)(3) Sec 4(E)(1) GOVERN 1.5 MAP 5.2 MEASURE 1.0 MEASURE 1.1 MEASURE 1.2 MEASURE 4.0 MEASURE 4.3 GV.MT-P4 PR.PO-P5 PR.PO-P6 M-5 PM-6 PM-6 PM-6 3.3.7 3.3.8 PM-6 PM-6 PM-6 3.12.3 03.12.03 NIST Tenet 7 PR.IP-8 GV GV.OV GV.OV-01 GV.OV-03 GV.SC GV.SC-09 ID.IM-03 A.4.2 ASSET-5.E.MIL3 ASSET-5.F.MIL3 THREAT-3.F.MIL3 RISK-1.E.MIL2 RISK-5.F.MIL3 ACCESS-4.F.MIL3 SITUATION-4.F.MIL3 RESPONSE-5.F.MIL3 THIRD-PARTIES-3.F.MIL3 WORKFORCE-4.F.MIL3 ARCHITECTURE-5.F.MIL3 PROGRAM-3.F.MIL3 EF:SG4.SP2 EF:SG4.SP3 GG2.GP8 GG3.GP2 HRM:SG3.SP2 MA:SG1.SP1 MA:SG1.SP3 MA:SG1.SP4 MA:SG2.SP1 MA:SG2.SP2 MA:SG2.SP3 MON:SG1.SP1 MON:SG1.SP3 PM-6 D2.IS.Is.B.1 D2.IS.Is.E.2 10.S.A 10.M.A 8-311 Sec 404 5.7 7102(a)(1)(A) 7102(a)(1)(B) 7102(a)(1)(C) 7102(a)(1)(D) 7102(a)(1)(E) 7102(a)(1)(F) 7102(a)(2) 7102(b) 17.03(2)(j) 622(2)(d)(A)(vi) 622(2)(d)(B)(iii) 38-99-20(E)(1) Sec 10 Sec 11 PM-6 Article 13.4 Article 21.2(f) Art 3 COM-04 7.6.2 [OP.MON.2] 724 4.6 4.6.1 4.6.2.1 4.5.3 7.8.3 5.7 6.9 1 1.2 2.8.1 x MA 201 CMR 17 OR 6464A NAIC AICPA TSC 2017 (SOC 2) CSA CCM v4 ISO 27001:2022 NAIC MDL-668 NIST Privacy Framework 1.0 NIST 800-171 R3 NIST ZTA Tenet NIST CSF 2.0 NIST Tenet 7 R-AC-1 R-GV-1 R-GV-2 R-GV-6 R-GV-7 R-SA-1 R-SA-2 R-AC-1 R-GV-1 R-GV-2 R-GV-6 R-GV-7 R-SA-1 R-SA-2 NT-7 MT-1 MT-2 MT-7 MT-8 MT-9 MT-10 MT-11 MT-12 MT-13 MT-14 MT-15 NT-7 MT-1 MT-2 MT-7 MT-8 MT-9 MT-10 MT-11 MT-12 MT-13 MT-14 MT-15
Cybersecurity & Data Protection Governance Key Performance Indicators (KPIs) FII-SCF-GOV-0005.1 Mechanisms exist to develop, report and monitor Key Performance Indicators (KPIs) to assist organizational management in performance monitoring and trend analysis of the cybersecurity & data privacy program. #NAME? Does the organization develop, report and monitor Key Performance Indicators (KPIs) to assist organizational management in performance monitoring and trend analysis of the cybersecurity & data privacy program? 6 x Govern x There is no evidence of a capability to develop, report and monitor Key Performance Indicators (KPIs) to assist organizational management in performance monitoring and trend analysis of the cybersecurity & data privacy program. SP-CMM1 is N/A, since a structured process is required to develop, report and monitor Key Performance Indicators (KPIs) to assist organizational management in performance monitoring and trend analysis of the cybersecurity & data privacy program. SP-CMM2 is N/A, since a well-defined process is required to develop, report and monitor Key Performance Indicators (KPIs) to assist organizational management in performance monitoring and trend analysis of the cybersecurity & data privacy program. Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Statutory, regulatory and contractual compliance requirements for cybersecurity & data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements. • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability. • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity & data privacy. • Controls are standardized across the organization to ensure uniformity and consistent execution. • Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization. • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization. • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity & data privacy controls for each system, application and/ or service of which they have accountability. • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer). • Risk management processes are defined, to include materiality considerations. Cybersecurity & Privacy Governance (GOV) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist: ▪ Metrics are developed that provide management insight, per a quantitative understanding of process capabilities, to predict optimal performance, ensure continued operations and identify areas for improvement. ▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs). ▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs). ▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity & data privacy controls, including functions performed by third-parties. ▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review). ▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes. ▪ Both business and technical stakeholders are involved in reviewing and approving proposed changes. Cybersecurity & Privacy Governance (GOV) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist: ▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions. ▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. CC1.2 CC1.5 CC2.2 CC4.1 APO02.02 MEA01.04 Principle 2 Principle 5 Principle 14 Principle 16 5.6 MEASURE 4.1 MEASURE 4.3 A.4 GG3.GP2 HRM:SG3.SP2 HRM:SG3.SP3 5.7 2.8.1 x AICPA TSC 2017 (SOC 2) R-AC-1 R-GV-1 R-GV-2 R-GV-6 R-GV-7 R-SA-1 R-SA-2 R-AC-1 R-GV-1 R-GV-2 R-GV-6 R-GV-7 R-SA-1 R-SA-2 NT-7 MT-1 MT-2 MT-7 MT-8 MT-9 MT-10 MT-11 MT-12 MT-13 MT-14 MT-15 NT-7 MT-1 MT-2 MT-7 MT-8 MT-9 MT-10 MT-11 MT-12 MT-13 MT-14 MT-15
Cybersecurity & Data Protection Governance Key Risk Indicators (KRIs) FII-SCF-GOV-0005.2 Mechanisms exist to develop, report and monitor Key Risk Indicators (KRIs) to assist senior management in performance monitoring and trend analysis of the cybersecurity & data privacy program. #NAME? Does the organization develop, report and monitor Key Risk Indicators (KRIs) to assist senior management in performance monitoring and trend analysis of the cybersecurity & data privacy program? 6 x Govern x There is no evidence of a capability to develop, report and monitor Key Risk Indicators (KRIs) to assist senior management in performance monitoring and trend analysis of the cybersecurity & data privacy program. SP-CMM1 is N/A, since a structured process is required to develop, report and monitor Key Risk Indicators (KRIs) to assist senior management in performance monitoring and trend analysis of the cybersecurity & data privacy program. SP-CMM2 is N/A, since a well-defined process is required to develop, report and monitor Key Risk Indicators (KRIs) to assist senior management in performance monitoring and trend analysis of the cybersecurity & data privacy program. Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Statutory, regulatory and contractual compliance requirements for cybersecurity & data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements. • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability. • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity & data privacy. • Controls are standardized across the organization to ensure uniformity and consistent execution. • Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization. • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization. • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity & data privacy controls for each system, application and/ or service of which they have accountability. • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer). • Risk management processes are defined, to include materiality considerations. Cybersecurity & Privacy Governance (GOV) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist: ▪ Metrics are developed that provide management insight, per a quantitative understanding of process capabilities, to predict optimal performance, ensure continued operations and identify areas for improvement. ▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs). ▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs). ▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity & data privacy controls, including functions performed by third-parties. ▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review). ▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes. ▪ Both business and technical stakeholders are involved in reviewing and approving proposed changes. Cybersecurity & Privacy Governance (GOV) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist: ▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions. ▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. CC1.2 CC1.5 CC2.2 CC4.1 APO02.02 MEA01.04 Principle 2 Principle 5 Principle 14 Principle 16 5.6 MEASURE 4.1 MEASURE 4.3 GV.RM-01 A.4 HRM:SG3.SP2 5.7 x AICPA TSC 2017 (SOC 2) NIST CSF 2.0 R-AC-1 R-GV-1 R-GV-2 R-GV-6 R-GV-7 R-SA-1 R-SA-2 R-AC-1 R-GV-1 R-GV-2 R-GV-6 R-GV-7 R-SA-1 R-SA-2 NT-7 MT-1 MT-2 MT-7 MT-8 MT-9 MT-10 MT-11 MT-12 MT-13 MT-14 MT-15 NT-7 MT-1 MT-2 MT-7 MT-8 MT-9 MT-10 MT-11 MT-12 MT-13 MT-14 MT-15
Cybersecurity & Data Protection Governance Contacts With Authorities FII-SCF-GOV-0006 Mechanisms exist to identify and document appropriate contacts with relevant law enforcement and regulatory bodies. #NAME? Does the organization identify and document appropriate contacts with relevant law enforcement and regulatory bodies? 5 x Govern x There is no evidence of a capability to identify and document appropriate contacts with relevant law enforcement and regulatory bodies. Cybersecurity & Privacy Governance (GOV) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • No formal cybersecurity and/ or data privacy principles are identified for the organization. • No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel. • Governance efforts are narrowly-limited to certain compliance requirements. • Formal roles and responsibilities for cybersecurity and/ or data privacy may exist. • Cybersecurity and data privacy governance is informally assigned as an additional duty to existing IT/cybersecurity personnel. • Basic cybersecurity policies and standards are documented [not based on any industry framework] • Basic procedures are established for important tasks, but are ad hoc and not formally documented. • Documentation is made available to internal personnel. • Organizational leadership maintains an informal process to review and respond to observed trends. • Cybersecurity personnel identify and maintain contact information for local and national law enforcement (e.g., FBI field office) in case of cybersecurity incidents that require law enforcement involvement. Cybersecurity & Privacy Governance (GOV) efforts are requirements-driven and formally governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cybersecurity and data privacy governance activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure and compliant practices. • IT/cybersecurity personnel identify cybersecurity & data privacy controls that are appropriate to address applicable statutory, regulatory and contractual requirements for cybersecurity & data privacy governance activities. • The Chief Information Officer (CIO), or similar function, analyzes the organization’s business strategy and prioritizes the objectives of the security function, based on business requirements. • A qualified individual is assigned the role and responsibilities to centrally manage, coordinate, develop, implement and maintain a cybersecurity & data privacy program (e.g., cybersecurity director or Chief Information Security Officer (CISO)). • No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing cybersecurity personnel. • Compliance requirements for cybersecurity & data privacy are identified and documented. • Cybersecurity policies and standards exist that are aligned with a leading cybersecurity framework (e.g., SCF, NIST 800-53, ISO 27002 or NIST Cybersecurity Framework). • Controls are assigned to sensitive/regulated assets to comply with specific compliance requirements. • Procedures are established for sensitive/regulated obligations, but are not standardized across the organization. • Documentation is made available to internal personnel. • Incident response personnel identify and maintain contact information for local and national law enforcement (e.g., FBI field office) in case of cybersecurity incidents that require law enforcement involvement. • Contact information is verified and updated on at least an annual basis. Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Statutory, regulatory and contractual compliance requirements for cybersecurity & data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements. • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability. • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity & data privacy. • Controls are standardized across the organization to ensure uniformity and consistent execution. • Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization. • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization. • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity & data privacy controls for each system, application and/ or service of which they have accountability. • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer). • Risk management processes are defined, to include materiality considerations. Cybersecurity & Privacy Governance (GOV) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist: ▪ Metrics are developed that provide management insight, per a quantitative understanding of process capabilities, to predict optimal performance, ensure continued operations and identify areas for improvement. ▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs). ▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs). ▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity & data privacy controls, including functions performed by third-parties. ▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review). ▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes. ▪ Both business and technical stakeholders are involved in reviewing and approving proposed changes. Cybersecurity & Privacy Governance (GOV) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist: ▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions. ▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. CC2.2-POF4 CC2.3 CC3.1-POF10 Principle 15 6.1.3 5.5 6.1.3 6.3.1.3 Sec 4(D)(4) IR-6 IR-6 IR-6 IR-6 IR-6 IR-6 IR-6 IR-6 IR-6 IR-6 IR-6 IR-6 IR-6 3.6.2.c C.6 IMC:SG2.SP1 IR-6 IR-6 252.204-7019(c)(1) 252.204-7019(c)(2) IR-6 IR-6 IR-6 IR-6 IR-6 IR-6 IR-6 IR-6 IR-6 IR-6 8.M.A 8.M.C 8.M.A 8.M.C 7.L.A 8.L.B 1.8.3 IR-6 1-303 4-218 Form 8-K Item 1.05(a) III.F.3 VI.A VI.B VI.B.1 VI.B.2 VI.C VI.D VI.E.1 VI.E.2 VI.F 38-99-20(D)(4) Sec. 521.053 Sec 5 Sec 11 IR-6 IR-6 IR-6 3.7.5(91) Article 31.4 Art 31 Art 36.1 Art 36.2 Art 36.3 Art 37.7 Art 40.1 Art 41.1 Art 42.2 Art 50 OIS-05 Article 32.1 Article 32.2 Article 32.3 Article 31 Article 36(1) Article 36(2) Article 36(3)(a) Article 36(3)(b) Article 36(3)(c) Article 36(3)(d) Article 36(3)(e) Article 36(3)(f) 33 42 51 59(a) 59(b) 35 35(a) 35(b) 36 6.1.3 x NAIC AICPA TSC 2017 (SOC 2) ISO 27002:2022 NAIC MDL-668 SEC Cyber Rule x R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 NT-7 MT-1 MT-2 MT-7 MT-8 MT-9 MT-10 MT-11 MT-12 MT-13 MT-14 MT-15 NT-7 MT-1 MT-2 MT-7 MT-8 MT-9 MT-10 MT-11 MT-12 MT-13 MT-14 MT-15 - updated NIST 800-161 R1 mapping
Cybersecurity & Data Protection Governance Contacts With Groups & Associations FII-SCF-GOV-0007 Mechanisms exist to establish contact with selected groups and associations within the cybersecurity & data privacy communities to: ▪ Facilitate ongoing cybersecurity & data privacy education and training for organizational personnel; ▪ Maintain currency with recommended cybersecurity & data privacy practices, techniques and technologies; and ▪ Share current cybersecurity and/or data privacy-related information including threats, vulnerabilities and incidents. #NAME? E-THR-02 Does the organization establish contact with selected groups and associations within the cybersecurity & data privacy communities to: ▪ Facilitate ongoing cybersecurity & data privacy education and training for organizational personnel; ▪ Maintain currency with recommended cybersecurity & data privacy practices, techniques and technologies; and ▪ Share current cybersecurity and/or data privacy-related information including threats, vulnerabilities and incidents? 7 x Govern x x There is no evidence of a capability to establish contact with selected groups and associations within the cybersecurity & data privacy communities to: ▪ Facilitate ongoing cybersecurity & data privacy education and training for organizational personnel; ▪ Maintain currency with recommended cybersecurity & data privacy practices, techniques and technologies; and ▪ Share current security-related information including threats, vulnerabilities and incidents. Cybersecurity & Privacy Governance (GOV) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • No formal cybersecurity and/ or data privacy principles are identified for the organization. • No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel. • Governance efforts are narrowly-limited to certain compliance requirements. • Formal roles and responsibilities for cybersecurity and/ or data privacy may exist. • Cybersecurity and data privacy governance is informally assigned as an additional duty to existing IT/cybersecurity personnel. • Basic cybersecurity policies and standards are documented [not based on any industry framework] • Basic procedures are established for important tasks, but are ad hoc and not formally documented. • Documentation is made available to internal personnel. • Organizational leadership maintains an informal process to review and respond to observed trends. • Cybersecurity and data privacy personnel identify and maintain contact information for local, regional and national cybersecurity / data privacy groups and associations. Cybersecurity & Privacy Governance (GOV) efforts are requirements-driven and formally governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cybersecurity and data privacy governance activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure and compliant practices. • IT/cybersecurity personnel identify cybersecurity & data privacy controls that are appropriate to address applicable statutory, regulatory and contractual requirements for cybersecurity & data privacy governance activities. • The Chief Information Officer (CIO), or similar function, analyzes the organization’s business strategy and prioritizes the objectives of the security function, based on business requirements. • A qualified individual is assigned the role and responsibilities to centrally manage, coordinate, develop, implement and maintain a cybersecurity & data privacy program (e.g., cybersecurity director or Chief Information Security Officer (CISO)). • No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing cybersecurity personnel. • Compliance requirements for cybersecurity & data privacy are identified and documented. • Cybersecurity policies and standards exist that are aligned with a leading cybersecurity framework (e.g., SCF, NIST 800-53, ISO 27002 or NIST Cybersecurity Framework). • Controls are assigned to sensitive/regulated assets to comply with specific compliance requirements. • Procedures are established for sensitive/regulated obligations, but are not standardized across the organization. • Documentation is made available to internal personnel. • Cybersecurity and data privacy personnel identify and maintain contact information for local, regional and national cybersecurity / data privacy groups and associations. • Cybersecurity and data privacy personnel in supervisory positions subscribe to news feeds from groups and associations to facilitate ongoing education and training. Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Statutory, regulatory and contractual compliance requirements for cybersecurity & data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements. • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability. • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity & data privacy. • Controls are standardized across the organization to ensure uniformity and consistent execution. • Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization. • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization. • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity & data privacy controls for each system, application and/ or service of which they have accountability. • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer). • Risk management processes are defined, to include materiality considerations. Cybersecurity & Privacy Governance (GOV) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist: ▪ Metrics are developed that provide management insight, per a quantitative understanding of process capabilities, to predict optimal performance, ensure continued operations and identify areas for improvement. ▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs). ▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs). ▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity & data privacy controls, including functions performed by third-parties. ▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review). ▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes. ▪ Both business and technical stakeholders are involved in reviewing and approving proposed changes. Cybersecurity & Privacy Governance (GOV) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist: ▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions. ▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. CC2.2-POF4 CC2.3 GRC-08 6.1.4 5.6 6.1.4 6.3.1.4 Sec 4(D)(4) PM-15 PM-15 PM-15 PM-15 PM-15 PM-15 ID.RA-02 5.1.2 6.1 6.3.1 6.3.1 6.3.1 6.3.1 6.3.1 6.3.1 6.3.1 6.3.1 C.6 COMM:SG2.SP1 OTA:SG2.SP1 4.5 PM-15 8.M.A 8.M.C 8.M.A 8.M.C 9.L.D 8-101 38-99-20(D)(4) Sec 5 Sec 11 PM-15 Article 45.1 Article 45.1(a) Article 45.1(b) Article 45.1(c) Article 45.2 Art 40.2 Art 41.1 Art 42.2 Art 42.3 Art 43.2 6.1.4 3.7 x NAIC AICPA TSC 2017 (SOC 2) CSA CCM v4 ISO 27002:2022 NAIC MDL-668 NIST CSF 2.0 x R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 NT-7 MT-1 MT-2 MT-3 MT-4 MT-5 MT-6 MT-7 MT-8 MT-9 MT-10 MT-11 MT-12 MT-13 MT-14 MT-15 NT-7 MT-1 MT-2 MT-3 MT-4 MT-5 MT-6 MT-7 MT-8 MT-9 MT-10 MT-11 MT-12 MT-13 MT-14 MT-15
Cybersecurity & Data Protection Governance Defining Business Context & Mission FII-SCF-GOV-0008 Mechanisms exist to define the context of its business model and document the mission of the organization. E-PRM-01 Does the organization define the context of its business model and document the mission of the organization? 5 x Govern x There is no evidence of a capability to define the context of its business model and document the mission of the organization. SP-CMM1 is N/A, since a structured process is required to define the context of its business model and document the mission of the organization. Cybersecurity & Privacy Governance (GOV) efforts are requirements-driven and formally governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cybersecurity and data privacy governance activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure and compliant practices. • IT/cybersecurity personnel identify cybersecurity & data privacy controls that are appropriate to address applicable statutory, regulatory and contractual requirements for cybersecurity & data privacy governance activities. • The Chief Information Officer (CIO), or similar function, analyzes the organization’s business strategy and prioritizes the objectives of the security function, based on business requirements. • A qualified individual is assigned the role and responsibilities to centrally manage, coordinate, develop, implement and maintain a cybersecurity & data privacy program (e.g., cybersecurity director or Chief Information Security Officer (CISO)). • No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing cybersecurity personnel. • Compliance requirements for cybersecurity & data privacy are identified and documented. • Cybersecurity policies and standards exist that are aligned with a leading cybersecurity framework (e.g., SCF, NIST 800-53, ISO 27002 or NIST Cybersecurity Framework). • Controls are assigned to sensitive/regulated assets to comply with specific compliance requirements. • Procedures are established for sensitive/regulated obligations, but are not standardized across the organization. • Documentation is made available to internal personnel. Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Statutory, regulatory and contractual compliance requirements for cybersecurity & data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements. • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability. • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity & data privacy. • Controls are standardized across the organization to ensure uniformity and consistent execution. • Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization. • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization. • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity & data privacy controls for each system, application and/ or service of which they have accountability. • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer). • Risk management processes are defined, to include materiality considerations. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to define the context of its business model and document the mission of the organization. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to define the context of its business model and document the mission of the organization. CC1.2-POF1 CC2.2-POF10 CC3.1-POF1 CC3.1-POF15 CC3.1-POF3 CC5.1-POF2 EDM05.01 EDM05.02 EDM05.03 APO01.01 APO01.02 APO01.03 APO01.04 APO01.06 APO02.01 APO02.05 APO08.01 APO08.02 APO08.03 APO08.04 APO08.05 4.1 4.2 4.2.1 4.2.2 4.1 4.2 4.1 4.2(a) 4.3 5.1 6.2 ID.IM-P5 ID.BE-P1 ID.BE-P2 GV.RM-P3 ID.BE-1 ID.BE-2 GV.OC GV.OC-01 GV.OC-04 GV.OV-01 GV.SC-03 B.1 120.13 120.17 3.2.1(4) 01-01-2001 A1.a 4.4.2 4.4.2.1 4.4.3 1.2 2.1.1 AICPA TSC 2017 (SOC 2) NIST CSF 2.0 NIST Privacy Framework 1.0 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 NT-7 MT-1 MT-2 MT-7 MT-8 MT-9 MT-10 MT-11 MT-12 MT-13 MT-14 MT-15 NT-7 MT-1 MT-2 MT-7 MT-8 MT-9 MT-10 MT-11 MT-12 MT-13 MT-14 MT-15 #NAME?
Cybersecurity & Data Protection Governance Define Control Objectives FII-SCF-GOV-0009 Mechanisms exist to establish control objectives as the basis for the selection, implementation and management of the organization’s internal control system. E-GOV-10 Does the organization establish control objectives as the basis for the selection, implementation and management of the organization’s internal control system? 5 x Govern x x There is no evidence of a capability to establish control objectives as the basis for the selection, implementation and management of the organization’s internal control system. SP-CMM1 is N/A, since a structured process is required to establish control objectives as the basis for the selection, implementation and management of the organization’s internal control system. Cybersecurity & Privacy Governance (GOV) efforts are requirements-driven and formally governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cybersecurity and data privacy governance activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure and compliant practices. • IT/cybersecurity personnel identify cybersecurity & data privacy controls that are appropriate to address applicable statutory, regulatory and contractual requirements for cybersecurity & data privacy governance activities. • The Chief Information Officer (CIO), or similar function, analyzes the organization’s business strategy and prioritizes the objectives of the security function, based on business requirements. • A qualified individual is assigned the role and responsibilities to centrally manage, coordinate, develop, implement and maintain a cybersecurity & data privacy program (e.g., cybersecurity director or Chief Information Security Officer (CISO)). • No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing cybersecurity personnel. • Compliance requirements for cybersecurity & data privacy are identified and documented. • Cybersecurity policies and standards exist that are aligned with a leading cybersecurity framework (e.g., SCF, NIST 800-53, ISO 27002 or NIST Cybersecurity Framework). • Controls are assigned to sensitive/regulated assets to comply with specific compliance requirements. • Procedures are established for sensitive/regulated obligations, but are not standardized across the organization. • Documentation is made available to internal personnel. • IT and/ or cybersecurity personnel develop control objectives to implement and manage the organization’s internal control system. • IT and/ or cybersecurity personnel develop plans to implement security-related objectives. Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Statutory, regulatory and contractual compliance requirements for cybersecurity & data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements. • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability. • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity & data privacy. • Controls are standardized across the organization to ensure uniformity and consistent execution. • Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization. • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization. • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity & data privacy controls for each system, application and/ or service of which they have accountability. • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer). • Risk management processes are defined, to include materiality considerations. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to establish control objectives as the basis for the selection, implementation and management of the organization’s internal control system. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to establish control objectives as the basis for the selection, implementation and management of the organization’s internal control system. CC2.1-POF1 CC2.2 CC2.2-POF1 CC2.2-POF7 CC3.1 CC3.1-POF1 CC3.1-POF15 CC3.1-POF8 CC3.1-POF9 7 7.1 APO01.04 DSS06.01 5.1 4.1 4.2 4.2(b) 4.2(c) 5.2(b) 6.2 6.2(a) 6.2(b) 6.2(c) 6.2(d) 6.2(e) 6.2(f) 6.2(g) 6.2(h) 6.2(i) 6.2(j) 6.2(k) 6.2(l) 4.2 5.1 5.1 6.2 8.1 GV.SC-03 T.9 CTRL:SG1.SP1 314.3(b)(1) 314.3(b)(2) 314.3(b)(3) 3.2.1(5)(c) OIS-01 OIS-02 01-Jan 4.1 4.2 4.3 4.4 4.4.2 4.4.2.1 4.4.5.2 1.2 2.1.1 AICPA TSC 2017 (SOC 2) ISO 27001:2022 ISO 27002:2022 NIST CSF 2.0 GLBA R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 NT-7 MT-1 MT-2 MT-7 MT-8 MT-9 MT-10 MT-11 MT-12 MT-13 MT-14 MT-15 NT-7 MT-1 MT-2 MT-7 MT-8 MT-9 MT-10 MT-11 MT-12 MT-13 MT-14 MT-15
Cybersecurity & Data Protection Governance Data Governance FII-SCF-GOV-0010 Mechanisms exist to facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations. Does the organization facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations? 9 x Govern x There is no evidence of a capability to facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations. Cybersecurity & Privacy Governance (GOV) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • No formal cybersecurity and/ or data privacy principles are identified for the organization. • No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel. • Governance efforts are narrowly-limited to certain compliance requirements. • Formal roles and responsibilities for cybersecurity and/ or data privacy may exist. • Cybersecurity and data privacy governance is informally assigned as an additional duty to existing IT/cybersecurity personnel. • Basic cybersecurity policies and standards are documented [not based on any industry framework] • Basic procedures are established for important tasks, but are ad hoc and not formally documented. • Documentation is made available to internal personnel. • Organizational leadership maintains an informal process to review and respond to observed trends. Cybersecurity & Privacy Governance (GOV) efforts are requirements-driven and formally governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cybersecurity and data privacy governance activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure and compliant practices. • IT/cybersecurity personnel identify cybersecurity & data privacy controls that are appropriate to address applicable statutory, regulatory and contractual requirements for cybersecurity & data privacy governance activities. • The Chief Information Officer (CIO), or similar function, analyzes the organization’s business strategy and prioritizes the objectives of the security function, based on business requirements. • A qualified individual is assigned the role and responsibilities to centrally manage, coordinate, develop, implement and maintain a cybersecurity & data privacy program (e.g., cybersecurity director or Chief Information Security Officer (CISO)). • No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing cybersecurity personnel. • Compliance requirements for cybersecurity & data privacy are identified and documented. • Cybersecurity policies and standards exist that are aligned with a leading cybersecurity framework (e.g., SCF, NIST 800-53, ISO 27002 or NIST Cybersecurity Framework). • Controls are assigned to sensitive/regulated assets to comply with specific compliance requirements. • Procedures are established for sensitive/regulated obligations, but are not standardized across the organization. • Documentation is made available to internal personnel. Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Statutory, regulatory and contractual compliance requirements for cybersecurity & data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements. • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability. • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity & data privacy. • Controls are standardized across the organization to ensure uniformity and consistent execution. • Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization. • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization. • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity & data privacy controls for each system, application and/ or service of which they have accountability. • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer). • Risk management processes are defined, to include materiality considerations. Cybersecurity & Privacy Governance (GOV) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist: ▪ Metrics are developed that provide management insight, per a quantitative understanding of process capabilities, to predict optimal performance, ensure continued operations and identify areas for improvement. ▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs). ▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs). ▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity & data privacy controls, including functions performed by third-parties. ▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review). ▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes. ▪ Both business and technical stakeholders are involved in reviewing and approving proposed changes. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations. CC1.2-POF1 5.12 PM-23 PM-24 PM-24 PM-23 PM-23 A3.2.5 P.8 9.1 9.3 9.4 8.5 2.C.5 2.C.5.1 Article 58 Article 58(1) Article 58(2) Article 58(3) Article 58(4) AICPA TSC 2017 (SOC 2) DoD 8.5 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-AM-3 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-AM-3 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 NT-7 MT-1 MT-2 MT-3 MT-4 MT-5 MT-6 MT-7 MT-8 MT-9 MT-10 MT-11 MT-12 MT-13 MT-14 MT-15 NT-7 MT-1 MT-2 MT-3 MT-4 MT-5 MT-6 MT-7 MT-8 MT-9 MT-10 MT-11 MT-12 MT-13 MT-14 MT-15 - updated NIST 800-161 R1 mapping - added ISO 27002:2022 mapping
Cybersecurity & Data Protection Governance Purpose Validation FII-SCF-GOV-0011 Mechanisms exist to monitor mission/business-critical services or functions to ensure those resources are being used consistent with their intended purpose. Does the organization monitor mission/business-critical services or functions to ensure those resources are being used consistent with their intended purpose? 5 x Govern x x There is no evidence of a capability to monitor mission/business-critical services or functions to ensure those resources are being used consistent with their intended purpose. Cybersecurity & Privacy Governance (GOV) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • No formal cybersecurity and/ or data privacy principles are identified for the organization. • No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel. • Governance efforts are narrowly-limited to certain compliance requirements. • Formal roles and responsibilities for cybersecurity and/ or data privacy may exist. • Cybersecurity and data privacy governance is informally assigned as an additional duty to existing IT/cybersecurity personnel. • Basic cybersecurity policies and standards are documented [not based on any industry framework] • Basic procedures are established for important tasks, but are ad hoc and not formally documented. • Documentation is made available to internal personnel. • Organizational leadership maintains an informal process to review and respond to observed trends. Cybersecurity & Privacy Governance (GOV) efforts are requirements-driven and formally governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cybersecurity and data privacy governance activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure and compliant practices. • IT/cybersecurity personnel identify cybersecurity & data privacy controls that are appropriate to address applicable statutory, regulatory and contractual requirements for cybersecurity & data privacy governance activities. • The Chief Information Officer (CIO), or similar function, analyzes the organization’s business strategy and prioritizes the objectives of the security function, based on business requirements. • A qualified individual is assigned the role and responsibilities to centrally manage, coordinate, develop, implement and maintain a cybersecurity & data privacy program (e.g., cybersecurity director or Chief Information Security Officer (CISO)). • No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing cybersecurity personnel. • Compliance requirements for cybersecurity & data privacy are identified and documented. • Cybersecurity policies and standards exist that are aligned with a leading cybersecurity framework (e.g., SCF, NIST 800-53, ISO 27002 or NIST Cybersecurity Framework). • Controls are assigned to sensitive/regulated assets to comply with specific compliance requirements. • Procedures are established for sensitive/regulated obligations, but are not standardized across the organization. • Documentation is made available to internal personnel. Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Statutory, regulatory and contractual compliance requirements for cybersecurity & data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements. • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability. • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity & data privacy. • Controls are standardized across the organization to ensure uniformity and consistent execution. • Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization. • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization. • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity & data privacy controls for each system, application and/ or service of which they have accountability. • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer). • Risk management processes are defined, to include materiality considerations. Cybersecurity & Privacy Governance (GOV) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist: ▪ Metrics are developed that provide management insight, per a quantitative understanding of process capabilities, to predict optimal performance, ensure continued operations and identify areas for improvement. ▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs). ▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs). ▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity & data privacy controls, including functions performed by third-parties. ▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review). ▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes. ▪ Both business and technical stakeholders are involved in reviewing and approving proposed changes. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to monitor mission/business-critical services or functions to ensure those resources are being used consistent with their intended purpose. 6.2 PM-32 PM-32 PM-32 PM-32 PM-32 C.7 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 NT-7 MT-1 MT-2 MT-7 MT-8 MT-9 MT-11 MT-12 MT-13 MT-14 MT-15 NT-7 MT-1 MT-2 MT-7 MT-8 MT-9 MT-11 MT-12 MT-13 MT-14 MT-15
Cybersecurity & Data Protection Governance Forced Technology Transfer (FTT) FII-SCF-GOV-0012 Mechanisms exist to avoid and/or constrain the forced exfiltration of sensitive / regulated information (e.g., Intellectual Property (IP)) to the host government for purposes of market access or market management practices. #NAME? Does the organization avoid and/or constrain the forced exfiltration of sensitive / regulated information (e.g., Intellectual Property (IP)) to the host government for purposes of market access or market management practices? 10 x Govern x x There is no evidence of a capability to avoid and/ or constrain the forced exfiltration of sensitive / regulated information (e.g., Intellectual Property (IP)) to the host government for purposes of market access or market management practices. SP-CMM1 is N/A, since a structured process is required to avoid and/ or constrain the forced exfiltration of sensitive / regulated information (e.g., Intellectual Property (IP)) to the host government for purposes of market access or market management practices. SP-CMM2 is N/A, since a well-defined process is required to avoid and/ or constrain the forced exfiltration of sensitive / regulated information (e.g., Intellectual Property (IP)) to the host government for purposes of market access or market management practices. Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Statutory, regulatory and contractual compliance requirements for cybersecurity & data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements. • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability. • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity & data privacy. • Controls are standardized across the organization to ensure uniformity and consistent execution. • Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization. • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization. • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity & data privacy controls for each system, application and/ or service of which they have accountability. • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer). • Risk management processes are defined, to include materiality considerations. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to avoid and/ or constrain the forced exfiltration of sensitive / regulated information (e.g., Intellectual Property (IP)) to the host government for purposes of market access or market management practices. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to avoid and/ or constrain the forced exfiltration of sensitive / regulated information (e.g., Intellectual Property (IP)) to the host government for purposes of market access or market management practices. P.2.4.1 Article 28 Article 7 Article 8 Article 9 Article 11 Article 14 Article 15 Article 16 Article 18 Article 19 Article 20 Article 28 Article 31 Article 32 Article 33 Article 36 Article 37 Article 38 Article 48 Article 53 Article 38 Article 38(4) Article 40 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 MT-8 MT-9 MT-10 MT-11 MT-12 MT-13 MT-14 MT-15 MT-8 MT-9 MT-10 MT-11 MT-12 MT-13 MT-14 MT-15
Cybersecurity & Data Protection Governance State-Sponsored Espionage FII-SCF-GOV-0013 Mechanisms exist to constrain the host government's ability to leverage the organization's technology assets for economic or political espionage and/or cyberwarfare activities. #NAME? Does the organization constrain the host government's ability to leverage the organization's technology assets for economic or political espionage and/or cyberwarfare activities? 10 x Govern x x There is no evidence of a capability to constrain the host government's ability to leverage the organization's technology assets for economic or political espionage and/ or cyberwarfare activities. SP-CMM1 is N/A, since a structured process is required to constrain the host government's ability to leverage the organization's technology assets for economic or political espionage and/ or cyberwarfare activities. SP-CMM2 is N/A, since a well-defined process is required to constrain the host government's ability to leverage the organization's technology assets for economic or political espionage and/ or cyberwarfare activities. Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Statutory, regulatory and contractual compliance requirements for cybersecurity & data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements. • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability. • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity & data privacy. • Controls are standardized across the organization to ensure uniformity and consistent execution. • Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization. • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization. • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity & data privacy controls for each system, application and/ or service of which they have accountability. • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer). • Risk management processes are defined, to include materiality considerations. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to constrain the host government's ability to leverage the organization's technology assets for economic or political espionage and/ or cyberwarfare activities. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to constrain the host government's ability to leverage the organization's technology assets for economic or political espionage and/ or cyberwarfare activities. L.9.4 Article 28 Article 7 Article 8 Article 9 Article 11 Article 14 Article 15 Article 16 Article 18 Article 19 Article 20 Article 28 Article 31 Article 32 Article 33 Article 36 Article 37 Article 38 Article 48 Article 53 Article 11 Article 12 Article 38(4) Article 40 Article 47(5) Article 60 Article 63(3) Article 63(4) Article 64 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 MT-8 MT-9 MT-10 MT-11 MT-12 MT-13 MT-14 MT-15 MT-8 MT-9 MT-10 MT-11 MT-12 MT-13 MT-14 MT-15
Cybersecurity & Data Protection Governance Business As Usual (BAU) Secure Practices FII-SCF-GOV-0014 Mechanisms exist to incorporate cybersecurity & data privacy principles into Business As Usual (BAU) practices through executive leadership involvement. Does the organization incorporate cybersecurity & data privacy principles into Business As Usual (BAU) practices through executive leadership involvement? 6 x Govern x x There is no evidence of a capability to incorporate cybersecurity & data privacy principles into Business As Usual (BAU) practices through executive leadership involvement. SP-CMM1 is N/A, since a structured process is required to incorporate cybersecurity & data privacy principles into Business As Usual (BAU) practices through executive leadership involvement. SP-CMM2 is N/A, since a well-defined process is required to incorporate cybersecurity & data privacy principles into Business As Usual (BAU) practices through executive leadership involvement. Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Statutory, regulatory and contractual compliance requirements for cybersecurity & data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements. • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability. • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity & data privacy. • Controls are standardized across the organization to ensure uniformity and consistent execution. • Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization. • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization. • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity & data privacy controls for each system, application and/ or service of which they have accountability. • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer). • Risk management processes are defined, to include materiality considerations. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to incorporate cybersecurity & data privacy principles into Business As Usual (BAU) practices through executive leadership involvement. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to incorporate cybersecurity & data privacy principles into Business As Usual (BAU) practices through executive leadership involvement. CC1.1-POF1 CC5.3-POF1 RQ-05-06 RC-05-10 5.1 A3.3 A3.3.3 K.1 B1.b B6.a 24 1.1.1 3.2.1 AICPA TSC 2017 (SOC 2) R-AC-1 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 R-AC-1 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 NT-1 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-8 NT-9 NT-10 NT-11 NT-12 NT-13 NT-14 MT-8 MT-9 MT-12 MT-13 MT-14 MT-15 NT-1 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-8 NT-9 NT-10 NT-11 NT-12 NT-13 NT-14 MT-8 MT-9 MT-12 MT-13 MT-14 MT-15
Cybersecurity & Data Protection Governance Operationalizing Cybersecurity & Data Protection Practices FII-SCF-GOV-0015 Mechanisms exist to compel data and/or process owners to operationalize cybersecurity & data privacy practices for each system, application and/or service under their control. Does the organization compel data and/or process owners to operationalize cybersecurity & data privacy practices for each system, application and/or service under their control? 9 x Govern x x There is no evidence of a capability to compel data and/ or process owners to operationalize cybersecurity & data privacy practices for each system, application and/ or service under their control. SP-CMM1 is N/A, since a structured process is required to compel data and/ or process owners to operationalize cybersecurity & data privacy practices for each system, application and/ or service under their control. SP-CMM2 is N/A, since a well-defined process is required to compel data and/ or process owners to operationalize cybersecurity & data privacy practices for each system, application and/ or service under their control. Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Statutory, regulatory and contractual compliance requirements for cybersecurity & data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements. • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability. • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity & data privacy. • Controls are standardized across the organization to ensure uniformity and consistent execution. • Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization. • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization. • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity & data privacy controls for each system, application and/ or service of which they have accountability. • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer). • Risk management processes are defined, to include materiality considerations. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to compel data and/ or process owners to operationalize cybersecurity & data privacy practices for each system, application and/ or service under their control. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to compel data and/ or process owners to operationalize cybersecurity & data privacy practices for each system, application and/ or service under their control. CC2.1-POF1 CC2.1-POF2 CC2.1-POF3 CC2.1-POF4 CC3.1-POF5 CC5.1 CC5.1-POF1 CC5.1-POF2 CC5.1-POF3 CC5.1-POF4 CC5.1-POF5 CC5.1-POF6 4.1 4.6.1 5.1 5.1 8.1 OR-1.0 3.15.1.a 3.17.1.a 03.15.01.a 03.17.01.a A.03.16.01 C.5.2 15.1 15.2 15.3 15.4 17 CFR 229.106(b)(1)(i) 3.3.4(22) 3.4.1(30)(a) 3.4.1(30)(b) 3.4.1(30)(c) 3.4.1(30)(d) 3.4.1(30)(e) 3.4.1(30)(f) 3.4.1(30)(g) Article 7 Article 7(a) Article 7(b) Article 7(c) Article 7(d) Article 9.3 Article 21.1 Article 21.2(a) Article 21.2(b) Article 21.2(c) Article 21.2(d) Article 21.2(e) Article 21.2(f) Article 21.2(g) Article 21.2(h) Article 21.2(i) Article 21.2(j) Principle 2.4.a 5.1 Article 8.3 2-3 2-3-2 Article 50 Article 51 Article 28.1 Article 37 Article 5 Article 5(a) Article 5(b) Article 5(c) Article 5(d) Article 5(e) Article 5(f) Article 5(g) Article 8.1 Article 8.2 Article 8.3 Article 8.4 Article 8.5 B1.a B1.b B6.a A5 1633 1634 1635 1636 29 3.2.10.C.04 3.4.11.C.01 1.1.1 2.1.1 3.2.1 AICPA TSC 2017 (SOC 2) NIST 800-171 R3 SEC Cyber Rule R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 NT-1 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-8 NT-9 NT-10 NT-11 NT-12 NT-13 NT-14 MT-1 MT-2 MT-3 MT-4 MT-5 MT-6 MT-7 MT-8 MT-9 MT-10 MT-11 MT-12 MT-13 MT-14 MT-15 NT-1 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-8 NT-9 NT-10 NT-11 NT-12 NT-13 NT-14 MT-1 MT-2 MT-3 MT-4 MT-5 MT-6 MT-7 MT-8 MT-9 MT-10 MT-11 MT-12 MT-13 MT-14 MT-15
Cybersecurity & Data Protection Governance Select Controls FII-SCF-GOV-0015.1 Mechanisms exist to compel data and/or process owners to select required cybersecurity & data privacy controls for each system, application and/or service under their control. Does the organization compel data and/or process owners to select required cybersecurity & data privacy controls for each system, application and/or service under their control? 8 x Govern x x There is no evidence of a capability to compel data and/ or process owners to select required cybersecurity & data privacy controls for each system, application and/ or service under their control. SP-CMM1 is N/A, since a structured process is required to compel data and/ or process owners to select required cybersecurity & data privacy controls for each system, application and/ or service under their control. SP-CMM2 is N/A, since a well-defined process is required to compel data and/ or process owners to select required cybersecurity & data privacy controls for each system, application and/ or service under their control. Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Statutory, regulatory and contractual compliance requirements for cybersecurity & data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements. • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability. • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity & data privacy. • Controls are standardized across the organization to ensure uniformity and consistent execution. • Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization. • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization. • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity & data privacy controls for each system, application and/ or service of which they have accountability. • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer). • Risk management processes are defined, to include materiality considerations. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to compel data and/ or process owners to select required cybersecurity & data privacy controls for each system, application and/ or service under their control. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to compel data and/ or process owners to select required cybersecurity & data privacy controls for each system, application and/ or service under their control. CC5.1 4.1 4.6.1 8.1 OR-1.0 3.15.1.a 3.17.1.a 03.15.01.a 03.17.01.a C.5.2 252.204-7008(c)(1) 252.204-7012(b) 15.1 15.2 15.3 15.4 III.B III.C.1 III.C.1.a III.C.1.b III.C.3 3.3.4(22) 3.3.4(23) 3.4.1(30)(a) 3.4.1(30)(b) 3.4.1(30)(c) 3.4.1(30)(d) 3.4.1(30)(e) 3.4.1(30)(f) 3.4.1(30)(g) Article 7(a) Article 7(b) Article 7(c) Article 7(d) Article 21.1 Article 21.2(a) Article 21.2(b) Article 21.2(c) Article 21.2(d) Article 21.2(e) Article 21.2(f) Article 21.2(g) Article 21.2(h) Article 21.2(i) Article 21.2(j) Principle 2.4.a 5.1 Article 8.3 Article 11.1 2-3 2-3-2 Article 50 Article 51 Article 28.1(a) Article 28.1(b) Article 28.1(c) Article 28.2 Article 28.3 Article 3.3 Article 37 B1.a B1.b A5 A6 1634 29 3.2.10.C.04 1.1.1 2.1.1 AICPA TSC 2017 (SOC 2) FAR 252.204-7008 NIST 800-171 R3 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-AM-3 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-AM-3 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 MT-1 MT-2 MT-3 MT-4 MT-5 MT-6 MT-7 MT-8 MT-9 MT-10 MT-11 MT-12 MT-13 MT-14 MT-15 MT-1 MT-2 MT-3 MT-4 MT-5 MT-6 MT-7 MT-8 MT-9 MT-10 MT-11 MT-12 MT-13 MT-14 MT-15
Cybersecurity & Data Protection Governance Implement Controls FII-SCF-GOV-0015.2 Mechanisms exist to compel data and/or process owners to implement required cybersecurity & data privacy controls for each system, application and/or service under their control. Does the organization compel data and/or process owners to implement required cybersecurity & data privacy controls for each system, application and/or service under their control? 9 x Govern x x There is no evidence of a capability to compel data and/ or process owners to implement required cybersecurity & data privacy controls for each system, application and/ or service under their control. SP-CMM1 is N/A, since a structured process is required to compel data and/ or process owners to implement required cybersecurity & data privacy controls for each system, application and/ or service under their control. SP-CMM2 is N/A, since a well-defined process is required to compel data and/ or process owners to implement required cybersecurity & data privacy controls for each system, application and/ or service under their control. Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Statutory, regulatory and contractual compliance requirements for cybersecurity & data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements. • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability. • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity & data privacy. • Controls are standardized across the organization to ensure uniformity and consistent execution. • Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization. • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization. • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity & data privacy controls for each system, application and/ or service of which they have accountability. • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer). • Risk management processes are defined, to include materiality considerations. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to compel data and/ or process owners to implement required cybersecurity & data privacy controls for each system, application and/ or service under their control. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to compel data and/ or process owners to implement required cybersecurity & data privacy controls for each system, application and/ or service under their control. CC5.1 4.1 4.6.1 5.1 RQ-09-10 8.1 3.15.1.a 3.17.1.a 03.15.01.a 03.17.01.a C.5.2 252.204-7008(c)(1) 252.204-7012(b) 15.1 15.2 15.3 15.4 3.4.1(30)(a) 3.4.1(30)(b) 3.4.1(30)(c) 3.4.1(30)(d) 3.4.1(30)(e) 3.4.1(30)(f) 3.4.1(30)(g) Article 7(a) Article 7(b) Article 7(c) Article 7(d) Article 21.1 Article 21.2(a) Article 21.2(b) Article 21.2(c) Article 21.2(d) Article 21.2(e) Article 21.2(f) Article 21.2(g) Article 21.2(h) Article 21.2(i) Article 21.2(j) Principle 2.4.a 5.2 Article 8.3 Article 11.3 Article 11.5 Article 11.6 2-3 2-3-2 Article 50 Article 51 Article 3.3 Article 37 B1.b A5 A6 B4 1635 3.4.11.C.01 1.1.1 2.1.1 AICPA TSC 2017 (SOC 2) FAR 252.204-7008 FAR 252.204-7012 NIST 800-171 R3 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-AM-3 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-AM-3 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 NT-1 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-8 NT-9 NT-10 NT-11 NT-12 NT-13 NT-14 MT-1 MT-2 MT-3 MT-4 MT-5 MT-6 MT-7 MT-8 MT-9 MT-10 MT-11 MT-12 MT-13 MT-14 MT-15 NT-1 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-8 NT-9 NT-10 NT-11 NT-12 NT-13 NT-14 MT-1 MT-2 MT-3 MT-4 MT-5 MT-6 MT-7 MT-8 MT-9 MT-10 MT-11 MT-12 MT-13 MT-14 MT-15
Cybersecurity & Data Protection Governance Assess Controls FII-SCF-GOV-0015.3 Mechanisms exist to compel data and/or process owners to assess if required cybersecurity & data privacy controls for each system, application and/or service under their control are implemented correctly and are operating as intended. Does the organization compel data and/or process owners to assess if required cybersecurity & data privacy controls for each system, application and/or service under their control are implemented correctly and are operating as intended? 8 x Govern x x There is no evidence of a capability to compel data and/ or process owners to assess if required cybersecurity & data privacy controls for each system, application and/ or service under their control are implemented correctly and are operating as intended. SP-CMM1 is N/A, since a structured process is required to compel data and/ or process owners to assess if required cybersecurity & data privacy controls for each system, application and/ or service under their control are implemented correctly and are operating as intended. SP-CMM2 is N/A, since a well-defined process is required to compel data and/ or process owners to assess if required cybersecurity & data privacy controls for each system, application and/ or service under their control are implemented correctly and are operating as intended. Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Statutory, regulatory and contractual compliance requirements for cybersecurity & data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements. • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability. • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity & data privacy. • Controls are standardized across the organization to ensure uniformity and consistent execution. • Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization. • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization. • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity & data privacy controls for each system, application and/ or service of which they have accountability. • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer). • Risk management processes are defined, to include materiality considerations. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to compel data and/ or process owners to assess if required cybersecurity & data privacy controls for each system, application and/ or service under their control are implemented correctly and are operating as intended. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to compel data and/ or process owners to assess if required cybersecurity & data privacy controls for each system, application and/ or service under their control are implemented correctly and are operating as intended. CC4.2-POF1 RQ-09-11.a RQ-09-11.b RQ-10-10.a RQ-10-10.b RQ-10-10.c RQ-10-10.d RQ-10-11 RQ-10-12 RQ-10-13 RQ-11-01.a RQ-11-01.b RQ-11-01.c RQ-11-01.d RQ-11-02 8.1 3.15.1.a 3.17.1.a 03.15.01.a 03.17.01.a C.5.4 14.1 3.4.6(41) 3.4.6(42) 3.4.6(43) 3.4.6(43)(a) 3.4.6(43)(b) 3.4.6(44) 3.4.6(45) 3.4.6(46) 3.4.6(47) 3.4.6(48) Article 7(a) Article 7(b) Article 7(c) Article 7(d) Principle 2.4.a Article 8.3 Article 11.1 Article 11.2 2-3 2-3-2 Article 50 Article 51 A2.b A5 A6 B4 1636 1.1.1 2.1.1 AICPA TSC 2017 (SOC 2) NIST 800-171 R3 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-AM-3 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-AM-3 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 NT-1 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-8 NT-9 NT-10 NT-11 NT-12 NT-13 NT-14 MT-1 MT-2 MT-3 MT-4 MT-5 MT-6 MT-7 MT-8 MT-9 MT-10 MT-11 MT-12 MT-13 MT-14 MT-15 NT-1 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-8 NT-9 NT-10 NT-11 NT-12 NT-13 NT-14 MT-1 MT-2 MT-3 MT-4 MT-5 MT-6 MT-7 MT-8 MT-9 MT-10 MT-11 MT-12 MT-13 MT-14 MT-15
Cybersecurity & Data Protection Governance Authorize Systems, Applications & Services FII-SCF-GOV-0015.4 Mechanisms exist to compel data and/or process owners to obtain authorization for the production use of each system, application and/or service under their control. Does the organization compel data and/or process owners to obtain authorization for the production use of each system, application and/or service under their control? 8 x Govern x x There is no evidence of a capability to compel data and/ or process owners to obtain authorization for the production use of each system, application and/ or service under their control. SP-CMM1 is N/A, since a structured process is required to compel data and/ or process owners to obtain authorization for the production use of each system, application and/ or service under their control. SP-CMM2 is N/A, since a well-defined process is required to compel data and/ or process owners to obtain authorization for the production use of each system, application and/ or service under their control. Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Statutory, regulatory and contractual compliance requirements for cybersecurity & data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements. • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability. • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity & data privacy. • Controls are standardized across the organization to ensure uniformity and consistent execution. • Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization. • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization. • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity & data privacy controls for each system, application and/ or service of which they have accountability. • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer). • Risk management processes are defined, to include materiality considerations. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to compel data and/ or process owners to obtain authorization for the production use of each system, application and/ or service under their control. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to compel data and/ or process owners to obtain authorization for the production use of each system, application and/ or service under their control. RQ-06-34.c 3.15.1.a 3.17.1.a 03.15.01.a 03.17.01.a C.5.4.1 Article 7(a) Article 7(b) Article 7(c) Article 7(d) Principle 2.4.a Article 8.3 Article 11.1 2-3 2-3-2 A2.b A5 27 23.2.16.C.03 23.2.16.C.04 1.1.1 2.1.1 NIST 800-171 R3 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-AM-3 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-AM-3 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 NT-1 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-8 NT-9 NT-10 NT-11 NT-12 NT-13 NT-14 MT-1 MT-2 MT-3 MT-4 MT-5 MT-6 MT-7 MT-8 MT-9 MT-10 MT-11 MT-12 MT-13 MT-14 MT-15 NT-1 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-8 NT-9 NT-10 NT-11 NT-12 NT-13 NT-14 MT-1 MT-2 MT-3 MT-4 MT-5 MT-6 MT-7 MT-8 MT-9 MT-10 MT-11 MT-12 MT-13 MT-14 MT-15
Cybersecurity & Data Protection Governance Monitor Controls FII-SCF-GOV-0015.5 Mechanisms exist to compel data and/or process owners to monitor systems, applications and/or services under their control on an ongoing basis for applicable threats and risks, as well as to ensure cybersecurity & data privacy controls are operating as intended. Does the organization compel data and/or process owners to monitor systems, applications and/or services under their control on an ongoing basis for applicable threats and risks, as well as to ensure cybersecurity & data privacy controls are operating as intended? 8 x Govern x x There is no evidence of a capability to compel data and/ or process owners to monitor systems, applications and/ or services under their control on an ongoing basis for applicable threats and risks, as well as to ensure cybersecurity & data privacy controls are operating as intended. SP-CMM1 is N/A, since a structured process is required to compel data and/ or process owners to monitor systems, applications and/ or services under their control on an ongoing basis for applicable threats and risks, as well as to ensure cybersecurity & data privacy controls are operating as intended. SP-CMM2 is N/A, since a well-defined process is required to compel data and/ or process owners to monitor systems, applications and/ or services under their control on an ongoing basis for applicable threats and risks, as well as to ensure cybersecurity & data privacy controls are operating as intended. Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Statutory, regulatory and contractual compliance requirements for cybersecurity & data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements. • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability. • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity & data privacy. • Controls are standardized across the organization to ensure uniformity and consistent execution. • Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization. • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization. • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity & data privacy controls for each system, application and/ or service of which they have accountability. • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer). • Risk management processes are defined, to include materiality considerations. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to compel data and/ or process owners to monitor systems, applications and/ or services under their control on an ongoing basis for applicable threats and risks, as well as to ensure cybersecurity & data privacy controls are operating as intended. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to compel data and/ or process owners to monitor systems, applications and/ or services under their control on an ongoing basis for applicable threats and risks, as well as to ensure cybersecurity & data privacy controls are operating as intended. RQ-10-03 9.2.2 8.1 3.15.1.a 3.17.1.a 03.15.01.a 03.17.01.a C.5.4.1 Article 7(a) Article 7(b) Article 7(c) Article 7(d) Principle 2.4.a Article 8.3 Article 11.7 Article 11.8 2-3 2-3-2 Article 50 Article 51 A5 1526 30 23.2.18.C.01 1.1.1 2.1.1 NIST 800-171 R3 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-AM-3 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-AM-3 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 NT-1 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-8 NT-9 NT-10 NT-11 NT-12 NT-13 NT-14 MT-1 MT-2 MT-3 MT-4 MT-5 MT-6 MT-7 MT-8 MT-9 MT-10 MT-11 MT-12 MT-13 MT-14 MT-15 NT-1 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-8 NT-9 NT-10 NT-11 NT-12 NT-13 NT-14 MT-1 MT-2 MT-3 MT-4 MT-5 MT-6 MT-7 MT-8 MT-9 MT-10 MT-11 MT-12 MT-13 MT-14 MT-15 #NAME?
Cybersecurity & Data Protection Governance Materiality Determination FII-SCF-GOV-0016 Mechanisms exist to define materiality threshold criteria capable of designating an incident as material to the organization. E-GOV-14 Does the organization define materiality threshold criteria capable of designating an incident as material to the organization? 7 x Govern x There is no evidence of a capability to define materiality threshold criteria capable of designating an incident as material to the organization. SP-CMM1 is N/A, since a structured process is required to define materiality threshold criteria capable of designating an incident as material to the organization. SP-CMM2 is N/A, since a well-defined process is required to define materiality threshold criteria capable of designating an incident as material to the organization. Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Statutory, regulatory and contractual compliance requirements for cybersecurity & data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements. • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability. • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity & data privacy. • Controls are standardized across the organization to ensure uniformity and consistent execution. • Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization. • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization. • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity & data privacy controls for each system, application and/ or service of which they have accountability. • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer). • Risk management processes are defined, to include materiality considerations. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to define materiality threshold criteria capable of designating an incident as material to the organization. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to define materiality threshold criteria capable of designating an incident as material to the organization. CC3.1-POF6 DE.AE-04 17 CFR 229.105(a) 17 CFR 229.105(b) 17 CFR 229.106(a) 17 CFR 229.106(b)(2) 17 CFR 229.106(c)(2) Form 8-K Item 1.05(a) 500.4(b) 500.4(b)(3) 500.4(b)(5) 500.9(b)(1) 500.9(b)(2) AICPA TSC 2017 (SOC 2) NIST CSF 2.0 SEC Cyber Rule R-EX-5 R-GV-6 R-GV-7 R-IR-4 R-EX-5 R-GV-6 R-GV-7 R-IR-4 MT-8 MT-9 MT-14 MT-15 MT-8 MT-9 MT-14 MT-15
Cybersecurity & Data Protection Governance Material Risks FII-SCF-GOV-0016.1 Mechanisms exist to define criteria necessary to designate a risk as a material risk. E-GOV-15 Does the organization define criteria necessary to designate a risk as a material risk? 7 x Govern x x There is no evidence of a capability to define criteria necessary to designate a risk as a material risk. SP-CMM1 is N/A, since a structured process is required to designate a risk as a material risk. SP-CMM2 is N/A, since a well-defined process is required to designate a risk as a material risk. Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Statutory, regulatory and contractual compliance requirements for cybersecurity & data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements. • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability. • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity & data privacy. • Controls are standardized across the organization to ensure uniformity and consistent execution. • Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization. • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization. • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity & data privacy controls for each system, application and/ or service of which they have accountability. • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer). • Risk management processes are defined, to include materiality considerations. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to designate a risk as a material risk. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to designate a risk as a material risk. 6.1.2(c) 6.1.2(d) 6.1.2(d)(1) 6.1.2(d)(2) 6.1.2(d)(3) 6.1.2(e) 6.1.2(e)(1) 6.1.2(e)(2) 17 CFR 229.105(a) 17 CFR 229.105(b) 17 CFR 229.106(b)(2) 500.4(b) 500.4(b)(3) 500.4(b)(5) 500.9(b)(1) 500.9(b)(2) SEC Cyber Rule R-EX-5 R-GV-6 R-GV-7 R-IR-4 R-EX-5 R-GV-6 R-GV-7 R-IR-4 MT-8 MT-9 MT-14 MT-15 MT-8 MT-9 MT-14 MT-15
Cybersecurity & Data Protection Governance Material Threats FII-SCF-GOV-0016.2 Mechanisms exist to define criteria necessary to designate a threat as a material threat. E-GOV-16 Does the organization define criteria necessary to designate a threat as a material threat? 7 x Govern x x There is no evidence of a capability to define criteria necessary to designate a threat as a material threat. SP-CMM1 is N/A, since a structured process is required to designate a threat as a material threat. SP-CMM2 is N/A, since a well-defined process is required to designate a threat as a material threat. Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Statutory, regulatory and contractual compliance requirements for cybersecurity & data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements. • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability. • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity & data privacy. • Controls are standardized across the organization to ensure uniformity and consistent execution. • Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization. • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization. • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity & data privacy controls for each system, application and/ or service of which they have accountability. • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer). • Risk management processes are defined, to include materiality considerations. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to designate a threat as a material threat. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to designate a threat as a material threat. 17 CFR 229.105(a) 17 CFR 229.105(b) 17 CFR 229.106(a) 17 CFR 229.106(b)(2) 500.4(b) 500.4(b)(3) 500.4(b)(5) 500.9(b)(1) 500.9(b)(2) SEC Cyber Rule R-EX-5 R-GV-6 R-GV-7 R-IR-4 R-EX-5 R-GV-6 R-GV-7 R-IR-4 MT-8 MT-9 MT-14 MT-15 MT-8 MT-9 MT-14 MT-15
Cybersecurity & Data Protection Governance Cybersecurity & Data Privacy Status Reporting FII-SCF-GOV-0017 Mechanisms exist to submit status reporting of the organization's cybersecurity and/or data privacy program to applicable statutory and/or regulatory authorities, as required. E-GOV-17 Does the organization submit status reporting of the organization's cybersecurity and/or data privacy program to applicable statutory and/or regulatory authorities, as required? 8 x Govern x x There is no evidence of a capability to submit status reporting of the organization's cybersecurity and/or data privacy program to applicable statutory and/or regulatory authorities, as required. SP-CMM1 is N/A, since a structured process is required to submit status reporting of the organization's cybersecurity and/or data privacy program to applicable statutory and/or regulatory authorities, as required. SP-CMM2 is N/A, since a well-defined process is required to submit status reporting of the organization's cybersecurity and/or data privacy program to applicable statutory and/or regulatory authorities, as required. Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Statutory, regulatory and contractual compliance requirements for cybersecurity & data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements. • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability. • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity & data privacy. • Controls are standardized across the organization to ensure uniformity and consistent execution. • Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization. • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization. • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity & data privacy controls for each system, application and/ or service of which they have accountability. • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer). • Risk management processes are defined, to include materiality considerations. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to submit status reporting of the organization's cybersecurity and/or data privacy program to applicable statutory and/or regulatory authorities, as required. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to submit status reporting of the organization's cybersecurity and/or data privacy program to applicable statutory and/or regulatory authorities, as required. CC3.1-POF10 CC3.2-POF3 17 CFR 229.105(b) 17 CFR 229.106(d) 500.17(a)(1) 500.17(a)(2) Article 38 AICPA TSC 2017 (SOC 2) SEC Cyber Rule R-EX-5 R-EX-5 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-8 NT-9 NT-10 NT-11 NT-12 NT-13 NT-14 MT-1 MT-2 MT-3 MT-4 MT-5 MT-6 MT-7 MT-8 MT-9 MT-10 MT-12 MT-14 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-8 NT-9 NT-10 NT-11 NT-12 NT-13 NT-14 MT-1 MT-2 MT-3 MT-4 MT-5 MT-6 MT-7 MT-8 MT-9 MT-10 MT-12 MT-14
Artificial & Autonomous Technologies Artificial Intelligence (AI) & Autonomous Technologies Governance FII-SCF-AAT-0001 Mechanisms exist to ensure policies, processes, procedures and practices related to the mapping, measuring and managing of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks are in place, transparent and implemented effectively. E-AAT-01 Does the organization ensure policies, processes, procedures and practices related to the mapping, measuring and managing of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks are in place, transparent and implemented effectively? 10 x Govern x x There is no evidence of a capability to ensure policies, processes, procedures and practices related to the mapping, measuring and managing of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks are in place, transparent and implemented effectively. SP-CMM1 is N/A, since a structured process is required to ensure policies, processes, procedures and practices related to the mapping, measuring and managing of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks are in place, transparent and implemented effectively. SP-CMM2 is N/A, since a well-defined process is required to ensure policies, processes, procedures and practices related to the mapping, measuring and managing of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks are in place, transparent and implemented effectively. Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization’s business strategy and prioritizes the objectives of the security function to determine prioritized and authoritative guidance for Artificial Intelligence and Autonomous Technologies (AAT), within the broader scope of cybersecurity and data protection operations. • The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the organization. This CONOPS for AAT may be incorporated as part of a broader operational plan for the cybersecurity & data privacy program. • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity & data privacy controls to facilitate the implementation of secure and compliant practices to protect the confidentiality, integrity, availability and safety of the organization’s applications, systems, services and data. Compliance requirements for AAT are identified and documented. • A steering committee is formally established to provide executive oversight of the cybersecurity & data privacy program, including AAT. The steering committee establishes a clear and authoritative accountability structure for AAT operations. • Legal reviews are conducted to minimize the inadvertent infringement of third-party Intellectual Property (IP) rights through the use of AAT products and/ or services. • AAT-specific compliance requirements for cybersecurity & data privacy are identified and documented. • Governance function for AAT is formally assigned with defined roles and associated responsibilities. • A Program Management Office (PMO), or similar function, tracks and reports on activities related to the mapping, measuring and managing of AAT. • Secure engineering principles are identified and implemented to ensure AAT are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences. • Robust development and pre-deployment functionality, security and data privacy testing is conducted on all internal and third-party AAT projects. • Production use of AAT is closely monitored to minimize emergent properties or unintended consequences. • Robust incident response and business continuity plans exist to respond to AAT-related emergent properties or unintended consequences. • Data sources utilized in the training and/or operation of AAT are identified and documented. • The Confidentiality, Integrity and Availability (CIA) of source data to prevent accidental contamination or malicious corruption (e.g., data poisoning) that could compromise the performance of AAT. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to ensure policies, processes, procedures and practices related to the mapping, measuring and managing of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks are in place, transparent and implemented effectively. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to ensure policies, processes, procedures and practices related to the mapping, measuring and managing of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks are in place, transparent and implemented effectively. CC1.4-POF2 4.1 4.2 4.4 5.1 7.4 8.1 8.2 A.2.2 A.4 A.6.2.2 GOVERN 1.0 GOVERN 4.1 MAP 3.5 R.1 AICPA TSC 2017 (SOC 2) R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15 MT-16 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15 MT-16
Artificial & Autonomous Technologies AI & Autonomous Technologies-Related Legal Requirements Definition FII-SCF-AAT-0001.1 Mechanisms exist to identify, understand, document and manage applicable statutory and regulatory requirements for Artificial Intelligence (AI) and Autonomous Technologies (AAT). E-AAT-02 Does the organization identify, understand, document and manage applicable statutory and regulatory requirements for Artificial Intelligence (AI) and Autonomous Technologies (AAT)? 8 x Govern x x There is no evidence of a capability to identify, understand, document and manage applicable statutory and regulatory requirements for Artificial Intelligence (AI) and Autonomous Technologies (AAT). SP-CMM1 is N/A, since a structured process is required to identify, understand, document and manage applicable statutory and regulatory requirements for Artificial Intelligence (AI) and Autonomous Technologies (AAT). SP-CMM2 is N/A, since a well-defined process is required to identify, understand, document and manage applicable statutory and regulatory requirements for Artificial Intelligence (AI) and Autonomous Technologies (AAT). Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization’s business strategy and prioritizes the objectives of the security function to determine prioritized and authoritative guidance for Artificial Intelligence and Autonomous Technologies (AAT), within the broader scope of cybersecurity and data protection operations. • The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the organization. This CONOPS for AAT may be incorporated as part of a broader operational plan for the cybersecurity & data privacy program. • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity & data privacy controls to facilitate the implementation of secure and compliant practices to protect the confidentiality, integrity, availability and safety of the organization’s applications, systems, services and data. Compliance requirements for AAT are identified and documented. • A steering committee is formally established to provide executive oversight of the cybersecurity & data privacy program, including AAT. The steering committee establishes a clear and authoritative accountability structure for AAT operations. • Legal reviews are conducted to minimize the inadvertent infringement of third-party Intellectual Property (IP) rights through the use of AAT products and/ or services. • AAT-specific compliance requirements for cybersecurity & data privacy are identified and documented. • Governance function for AAT is formally assigned with defined roles and associated responsibilities. • A Program Management Office (PMO), or similar function, tracks and reports on activities related to the mapping, measuring and managing of AAT. • Secure engineering principles are identified and implemented to ensure AAT are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences. • Robust development and pre-deployment functionality, security and data privacy testing is conducted on all internal and third-party AAT projects. • Production use of AAT is closely monitored to minimize emergent properties or unintended consequences. • Robust incident response and business continuity plans exist to respond to AAT-related emergent properties or unintended consequences. • Data sources utilized in the training and/or operation of AAT are identified and documented. • The Confidentiality, Integrity and Availability (CIA) of source data to prevent accidental contamination or malicious corruption (e.g., data poisoning) that could compromise the performance of AAT. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to identify, understand, document and manage applicable statutory and regulatory requirements for Artificial Intelligence (AI) and Autonomous Technologies (AAT). See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to identify, understand, document and manage applicable statutory and regulatory requirements for Artificial Intelligence (AI) and Autonomous Technologies (AAT). 4.1 4.2 8.1 A.5 A.5.3 A.5.4 A.5.5 A.10.4 GOVERN 1.1 R.1.1 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-4 R-SA-1 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-4 R-SA-1 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15
Artificial & Autonomous Technologies Trustworthy AI & Autonomous Technologies FII-SCF-AAT-0001.2 Mechanisms exist to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences. E-AAT-03 Does the organization ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences? 10 x Protect x x There is no evidence of a capability to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences. SP-CMM1 is N/A, since a structured process is required to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences. SP-CMM2 is N/A, since a well-defined process is required to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences. Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization’s business strategy and prioritizes the objectives of the security function to determine prioritized and authoritative guidance for Artificial Intelligence and Autonomous Technologies (AAT), within the broader scope of cybersecurity and data protection operations. • The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the organization. This CONOPS for AAT may be incorporated as part of a broader operational plan for the cybersecurity & data privacy program. • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity & data privacy controls to facilitate the implementation of secure and compliant practices to protect the confidentiality, integrity, availability and safety of the organization’s applications, systems, services and data. Compliance requirements for AAT are identified and documented. • A steering committee is formally established to provide executive oversight of the cybersecurity & data privacy program, including AAT. The steering committee establishes a clear and authoritative accountability structure for AAT operations. • Legal reviews are conducted to minimize the inadvertent infringement of third-party Intellectual Property (IP) rights through the use of AAT products and/ or services. • AAT-specific compliance requirements for cybersecurity & data privacy are identified and documented. • Governance function for AAT is formally assigned with defined roles and associated responsibilities. • A Program Management Office (PMO), or similar function, tracks and reports on activities related to the mapping, measuring and managing of AAT. • Secure engineering principles are identified and implemented to ensure AAT are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences. • Robust development and pre-deployment functionality, security and data privacy testing is conducted on all internal and third-party AAT projects. • Production use of AAT is closely monitored to minimize emergent properties or unintended consequences. • Robust incident response and business continuity plans exist to respond to AAT-related emergent properties or unintended consequences. • Data sources utilized in the training and/or operation of AAT are identified and documented. • The Confidentiality, Integrity and Availability (CIA) of source data to prevent accidental contamination or malicious corruption (e.g., data poisoning) that could compromise the performance of AAT. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences. 7.1 A.4 A.6.1.2 A.7 GOVERN 1.2 R.1.1.1 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15
Artificial & Autonomous Technologies AI & Autonomous Technologies Value Sustainment FII-SCF-AAT-0001.3 Mechanisms exist to sustain the value of deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT). Does the organization sustain the value of deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT)? 1 x Identify x x There is no evidence of a capability to sustain the value of deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT). SP-CMM1 is N/A, since a structured process is required to sustain the value of deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT). SP-CMM2 is N/A, since a well-defined process is required to sustain the value of deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT). Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization’s business strategy and prioritizes the objectives of the security function to determine prioritized and authoritative guidance for Artificial Intelligence and Autonomous Technologies (AAT), within the broader scope of cybersecurity and data protection operations. • The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the organization. This CONOPS for AAT may be incorporated as part of a broader operational plan for the cybersecurity & data privacy program. • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity & data privacy controls to facilitate the implementation of secure and compliant practices to protect the confidentiality, integrity, availability and safety of the organization’s applications, systems, services and data. Compliance requirements for AAT are identified and documented. • A steering committee is formally established to provide executive oversight of the cybersecurity & data privacy program, including AAT. The steering committee establishes a clear and authoritative accountability structure for AAT operations. • Legal reviews are conducted to minimize the inadvertent infringement of third-party Intellectual Property (IP) rights through the use of AAT products and/ or services. • AAT-specific compliance requirements for cybersecurity & data privacy are identified and documented. • Governance function for AAT is formally assigned with defined roles and associated responsibilities. • A Program Management Office (PMO), or similar function, tracks and reports on activities related to the mapping, measuring and managing of AAT. • Secure engineering principles are identified and implemented to ensure AAT are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences. • Robust development and pre-deployment functionality, security and data privacy testing is conducted on all internal and third-party AAT projects. • Production use of AAT is closely monitored to minimize emergent properties or unintended consequences. • Robust incident response and business continuity plans exist to respond to AAT-related emergent properties or unintended consequences. • Data sources utilized in the training and/or operation of AAT are identified and documented. • The Confidentiality, Integrity and Availability (CIA) of source data to prevent accidental contamination or malicious corruption (e.g., data poisoning) that could compromise the performance of AAT. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to sustain the value of deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT). See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to sustain the value of deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT). 4.1 MANAGE 2.2 R.2 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15
Artificial & Autonomous Technologies Situational Awareness of AI & Autonomous Technologies FII-SCF-AAT-0002 Mechanisms exist to develop and maintain an inventory of Artificial Intelligence (AI) and Autonomous Technologies (AAT) (internal and third-party). Does the organization develop and maintain an inventory of Artificial Intelligence (AI) and Autonomous Technologies (AAT) (internal and third-party)? 9 x Identify x x x There is no evidence of a capability to develop and maintain an inventory of Artificial Intelligence (AI) and Autonomous Technologies (AAT) (internal and third-party). SP-CMM1 is N/A, since a structured process is required to develop and maintain an inventory of Artificial Intelligence (AI) and Autonomous Technologies (AAT) (internal and third-party). SP-CMM2 is N/A, since a well-defined process is required to develop and maintain an inventory of Artificial Intelligence (AI) and Autonomous Technologies (AAT) (internal and third-party). Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization’s business strategy and prioritizes the objectives of the security function to determine prioritized and authoritative guidance for Artificial Intelligence and Autonomous Technologies (AAT), within the broader scope of cybersecurity and data protection operations. • The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the organization. This CONOPS for AAT may be incorporated as part of a broader operational plan for the cybersecurity & data privacy program. • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity & data privacy controls to facilitate the implementation of secure and compliant practices to protect the confidentiality, integrity, availability and safety of the organization’s applications, systems, services and data. Compliance requirements for AAT are identified and documented. • A steering committee is formally established to provide executive oversight of the cybersecurity & data privacy program, including AAT. The steering committee establishes a clear and authoritative accountability structure for AAT operations. • Legal reviews are conducted to minimize the inadvertent infringement of third-party Intellectual Property (IP) rights through the use of AAT products and/ or services. • AAT-specific compliance requirements for cybersecurity & data privacy are identified and documented. • Governance function for AAT is formally assigned with defined roles and associated responsibilities. • A Program Management Office (PMO), or similar function, tracks and reports on activities related to the mapping, measuring and managing of AAT. • Secure engineering principles are identified and implemented to ensure AAT are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences. • Robust development and pre-deployment functionality, security and data privacy testing is conducted on all internal and third-party AAT projects. • Production use of AAT is closely monitored to minimize emergent properties or unintended consequences. • Robust incident response and business continuity plans exist to respond to AAT-related emergent properties or unintended consequences. • Data sources utilized in the training and/or operation of AAT are identified and documented. • The Confidentiality, Integrity and Availability (CIA) of source data to prevent accidental contamination or malicious corruption (e.g., data poisoning) that could compromise the performance of AAT. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to develop and maintain an inventory of Artificial Intelligence (AI) and Autonomous Technologies (AAT) (internal and third-party). See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to develop and maintain an inventory of Artificial Intelligence (AI) and Autonomous Technologies (AAT) (internal and third-party). 8.2 A.4.4 A.4.5 GOVERN 1.6 R.5 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15
Artificial & Autonomous Technologies AI & Autonomous Technologies Risk Mapping FII-SCF-AAT-0002.1 Mechanisms exist to identify Artificial Intelligence (AI) and Autonomous Technologies (AAT) in use and map those components to potential legal risks, including statutory and regulatory compliance requirements. Does the organization identify Artificial Intelligence (AI) and Autonomous Technologies (AAT) in use and map those components to potential legal risks, including statutory and regulatory compliance requirements? 9 x Identify x x x There is no evidence of a capability to identify Artificial Intelligence (AI) and Autonomous Technologies (AAT) in use and map those components to potential legal risks, including statutory and regulatory compliance requirements. SP-CMM1 is N/A, since a structured process is required to identify Artificial Intelligence (AI) and Autonomous Technologies (AAT) in use and map those components to potential legal risks, including statutory and regulatory compliance requirements. SP-CMM2 is N/A, since a well-defined process is required to identify Artificial Intelligence (AI) and Autonomous Technologies (AAT) in use and map those components to potential legal risks, including statutory and regulatory compliance requirements. Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization’s business strategy and prioritizes the objectives of the security function to determine prioritized and authoritative guidance for Artificial Intelligence and Autonomous Technologies (AAT), within the broader scope of cybersecurity and data protection operations. • The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the organization. This CONOPS for AAT may be incorporated as part of a broader operational plan for the cybersecurity & data privacy program. • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity & data privacy controls to facilitate the implementation of secure and compliant practices to protect the confidentiality, integrity, availability and safety of the organization’s applications, systems, services and data. Compliance requirements for AAT are identified and documented. • A steering committee is formally established to provide executive oversight of the cybersecurity & data privacy program, including AAT. The steering committee establishes a clear and authoritative accountability structure for AAT operations. • Legal reviews are conducted to minimize the inadvertent infringement of third-party Intellectual Property (IP) rights through the use of AAT products and/ or services. • AAT-specific compliance requirements for cybersecurity & data privacy are identified and documented. • Governance function for AAT is formally assigned with defined roles and associated responsibilities. • A Program Management Office (PMO), or similar function, tracks and reports on activities related to the mapping, measuring and managing of AAT. • Secure engineering principles are identified and implemented to ensure AAT are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences. • Robust development and pre-deployment functionality, security and data privacy testing is conducted on all internal and third-party AAT projects. • Production use of AAT is closely monitored to minimize emergent properties or unintended consequences. • Robust incident response and business continuity plans exist to respond to AAT-related emergent properties or unintended consequences. • Data sources utilized in the training and/or operation of AAT are identified and documented. • The Confidentiality, Integrity and Availability (CIA) of source data to prevent accidental contamination or malicious corruption (e.g., data poisoning) that could compromise the performance of AAT. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to identify Artificial Intelligence (AI) and Autonomous Technologies (AAT) in use and map those components to potential legal risks, including statutory and regulatory compliance requirements. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to identify Artificial Intelligence (AI) and Autonomous Technologies (AAT) in use and map those components to potential legal risks, including statutory and regulatory compliance requirements. 6.1 6.1.1 8.2 A.5.3 A.5.4 A.5.5 MAP 4.1 R.3 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15
Artificial & Autonomous Technologies AI & Autonomous Technologies Internal Controls FII-SCF-AAT-0002.2 Mechanisms exist to identify and document internal cybersecurity & data privacy controls for Artificial Intelligence (AI) and Autonomous Technologies (AAT). Does the organization identify and document internal cybersecurity & data privacy controls for Artificial Intelligence (AI) and Autonomous Technologies (AAT)? 9 x Identify x x x There is no evidence of a capability to identify and document internal cybersecurity & data privacy controls for Artificial Intelligence (AI) and Autonomous Technologies (AAT). SP-CMM1 is N/A, since a structured process is required to identify and document internal cybersecurity & data privacy controls for Artificial Intelligence (AI) and Autonomous Technologies (AAT). SP-CMM2 is N/A, since a well-defined process is required to identify and document internal cybersecurity & data privacy controls for Artificial Intelligence (AI) and Autonomous Technologies (AAT). Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization’s business strategy and prioritizes the objectives of the security function to determine prioritized and authoritative guidance for Artificial Intelligence and Autonomous Technologies (AAT), within the broader scope of cybersecurity and data protection operations. • The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the organization. This CONOPS for AAT may be incorporated as part of a broader operational plan for the cybersecurity & data privacy program. • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity & data privacy controls to facilitate the implementation of secure and compliant practices to protect the confidentiality, integrity, availability and safety of the organization’s applications, systems, services and data. Compliance requirements for AAT are identified and documented. • A steering committee is formally established to provide executive oversight of the cybersecurity & data privacy program, including AAT. The steering committee establishes a clear and authoritative accountability structure for AAT operations. • Legal reviews are conducted to minimize the inadvertent infringement of third-party Intellectual Property (IP) rights through the use of AAT products and/ or services. • AAT-specific compliance requirements for cybersecurity & data privacy are identified and documented. • Governance function for AAT is formally assigned with defined roles and associated responsibilities. • A Program Management Office (PMO), or similar function, tracks and reports on activities related to the mapping, measuring and managing of AAT. • Secure engineering principles are identified and implemented to ensure AAT are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences. • Robust development and pre-deployment functionality, security and data privacy testing is conducted on all internal and third-party AAT projects. • Production use of AAT is closely monitored to minimize emergent properties or unintended consequences. • Robust incident response and business continuity plans exist to respond to AAT-related emergent properties or unintended consequences. • Data sources utilized in the training and/or operation of AAT are identified and documented. • The Confidentiality, Integrity and Availability (CIA) of source data to prevent accidental contamination or malicious corruption (e.g., data poisoning) that could compromise the performance of AAT. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to identify and document internal cybersecurity & data privacy controls for Artificial Intelligence (AI) and Autonomous Technologies (AAT). See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to identify and document internal cybersecurity & data privacy controls for Artificial Intelligence (AI) and Autonomous Technologies (AAT). 5.1 8.1 A.6.2.2 MAP 4.2 R.2.1.1.2 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15
Artificial & Autonomous Technologies AI & Autonomous Technologies Context Definition FII-SCF-AAT-0003 Mechanisms exist to establish and document the context surrounding Artificial Intelligence (AI) and Autonomous Technologies (AAT), including: ▪ Intended purposes; ▪ Potentially beneficial uses; ▪ Context-specific laws and regulations; ▪ Norms and expectations; and ▪ Prospective settings in which the system(s) will be deployed. Does the organization establish and document the context surrounding Artificial Intelligence (AI) and Autonomous Technologies (AAT), including: ▪ Intended purposes; ▪ Potentially beneficial uses; ▪ Context-specific laws and regulations; ▪ Norms and expectations; and ▪ Prospective settings in which the system(s) will be deployed? 8 x Identify x x There is no evidence of a capability to establish and document the context surrounding Artificial Intelligence (AI) and Autonomous Technologies (AAT), including: ▪ Intended purposes; ▪ Potentially beneficial uses; ▪ Context-specific laws and regulations; ▪ Norms and expectations; and ▪ Prospective settings in which the system(s) will be deployed. SP-CMM1 is N/A, since a structured process is required to establish and document the context surrounding Artificial Intelligence (AI) and Autonomous Technologies (AAT), including: ▪ Intended purposes; ▪ Potentially beneficial uses; ▪ Context-specific laws and regulations; ▪ Norms and expectations; and ▪ Prospective settings in which the system(s) will be deployed. SP-CMM2 is N/A, since a well-defined process is required to establish and document the context surrounding Artificial Intelligence (AI) and Autonomous Technologies (AAT), including: ▪ Intended purposes; ▪ Potentially beneficial uses; ▪ Context-specific laws and regulations; ▪ Norms and expectations; and ▪ Prospective settings in which the system(s) will be deployed. Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization’s business strategy and prioritizes the objectives of the security function to determine prioritized and authoritative guidance for Artificial Intelligence and Autonomous Technologies (AAT), within the broader scope of cybersecurity and data protection operations. • The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the organization. This CONOPS for AAT may be incorporated as part of a broader operational plan for the cybersecurity & data privacy program. • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity & data privacy controls to facilitate the implementation of secure and compliant practices to protect the confidentiality, integrity, availability and safety of the organization’s applications, systems, services and data. Compliance requirements for AAT are identified and documented. • A steering committee is formally established to provide executive oversight of the cybersecurity & data privacy program, including AAT. The steering committee establishes a clear and authoritative accountability structure for AAT operations. • Legal reviews are conducted to minimize the inadvertent infringement of third-party Intellectual Property (IP) rights through the use of AAT products and/ or services. • AAT-specific compliance requirements for cybersecurity & data privacy are identified and documented. • Governance function for AAT is formally assigned with defined roles and associated responsibilities. • A Program Management Office (PMO), or similar function, tracks and reports on activities related to the mapping, measuring and managing of AAT. • Secure engineering principles are identified and implemented to ensure AAT are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences. • Robust development and pre-deployment functionality, security and data privacy testing is conducted on all internal and third-party AAT projects. • Production use of AAT is closely monitored to minimize emergent properties or unintended consequences. • Robust incident response and business continuity plans exist to respond to AAT-related emergent properties or unintended consequences. • Data sources utilized in the training and/or operation of AAT are identified and documented. • The Confidentiality, Integrity and Availability (CIA) of source data to prevent accidental contamination or malicious corruption (e.g., data poisoning) that could compromise the performance of AAT. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to establish and document the context surrounding Artificial Intelligence (AI) and Autonomous Technologies (AAT), including: ▪ Intended purposes; ▪ Potentially beneficial uses; ▪ Context-specific laws and regulations; ▪ Norms and expectations; and ▪ Prospective settings in which the system(s) will be deployed. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to establish and document the context surrounding Artificial Intelligence (AI) and Autonomous Technologies (AAT), including: ▪ Intended purposes; ▪ Potentially beneficial uses; ▪ Context-specific laws and regulations; ▪ Norms and expectations; and ▪ Prospective settings in which the system(s) will be deployed. 4.1 A.10.4 MAP 1.0 MAP 1.1 R.1 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15
Artificial & Autonomous Technologies AI & Autonomous Technologies Mission and Goals Definition FII-SCF-AAT-0003.1 Mechanisms exist to define and document the organization’s mission and defined goals for Artificial Intelligence (AI) and Autonomous Technologies (AAT). Does the organization define and document the organization’s mission and defined goals for Artificial Intelligence (AI) and Autonomous Technologies (AAT)? 8 x Identify x x x There is no evidence of a capability to define and document the organization’s mission and defined goals for Artificial Intelligence (AI) and Autonomous Technologies (AAT). SP-CMM1 is N/A, since a structured process is required to define and document the organization’s mission and defined goals for Artificial Intelligence (AI) and Autonomous Technologies (AAT). SP-CMM2 is N/A, since a well-defined process is required to define and document the organization’s mission and defined goals for Artificial Intelligence (AI) and Autonomous Technologies (AAT). Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization’s business strategy and prioritizes the objectives of the security function to determine prioritized and authoritative guidance for Artificial Intelligence and Autonomous Technologies (AAT), within the broader scope of cybersecurity and data protection operations. • The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the organization. This CONOPS for AAT may be incorporated as part of a broader operational plan for the cybersecurity & data privacy program. • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity & data privacy controls to facilitate the implementation of secure and compliant practices to protect the confidentiality, integrity, availability and safety of the organization’s applications, systems, services and data. Compliance requirements for AAT are identified and documented. • A steering committee is formally established to provide executive oversight of the cybersecurity & data privacy program, including AAT. The steering committee establishes a clear and authoritative accountability structure for AAT operations. • Legal reviews are conducted to minimize the inadvertent infringement of third-party Intellectual Property (IP) rights through the use of AAT products and/ or services. • AAT-specific compliance requirements for cybersecurity & data privacy are identified and documented. • Governance function for AAT is formally assigned with defined roles and associated responsibilities. • A Program Management Office (PMO), or similar function, tracks and reports on activities related to the mapping, measuring and managing of AAT. • Secure engineering principles are identified and implemented to ensure AAT are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences. • Robust development and pre-deployment functionality, security and data privacy testing is conducted on all internal and third-party AAT projects. • Production use of AAT is closely monitored to minimize emergent properties or unintended consequences. • Robust incident response and business continuity plans exist to respond to AAT-related emergent properties or unintended consequences. • Data sources utilized in the training and/or operation of AAT are identified and documented. • The Confidentiality, Integrity and Availability (CIA) of source data to prevent accidental contamination or malicious corruption (e.g., data poisoning) that could compromise the performance of AAT. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to define and document the organization’s mission and defined goals for Artificial Intelligence (AI) and Autonomous Technologies (AAT). See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to define and document the organization’s mission and defined goals for Artificial Intelligence (AI) and Autonomous Technologies (AAT). 4.1 4.2 A.6.2.3 MAP 1.3 MAP 1.4 R.2.1 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15
Artificial & Autonomous Technologies AI & Autonomous Technologies Business Case FII-SCF-AAT-0004 Mechanisms exist to benchmark capabilities, targeted usage, goals and expected benefits and costs of Artificial Intelligence (AI) and Autonomous Technologies (AAT). E-AAT-04 Does the organization benchmark capabilities, targeted usage, goals and expected benefits and costs of Artificial Intelligence (AI) and Autonomous Technologies (AAT)? 8 x Identify x x x There is no evidence of a capability to benchmark capabilities, targeted usage, goals and expected benefits and costs of Artificial Intelligence (AI) and Autonomous Technologies (AAT). SP-CMM1 is N/A, since a structured process is required to benchmark capabilities, targeted usage, goals and expected benefits and costs of Artificial Intelligence (AI) and Autonomous Technologies (AAT). SP-CMM2 is N/A, since a well-defined process is required to benchmark capabilities, targeted usage, goals and expected benefits and costs of Artificial Intelligence (AI) and Autonomous Technologies (AAT). Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization’s business strategy and prioritizes the objectives of the security function to determine prioritized and authoritative guidance for Artificial Intelligence and Autonomous Technologies (AAT), within the broader scope of cybersecurity and data protection operations. • The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the organization. This CONOPS for AAT may be incorporated as part of a broader operational plan for the cybersecurity & data privacy program. • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity & data privacy controls to facilitate the implementation of secure and compliant practices to protect the confidentiality, integrity, availability and safety of the organization’s applications, systems, services and data. Compliance requirements for AAT are identified and documented. • A steering committee is formally established to provide executive oversight of the cybersecurity & data privacy program, including AAT. The steering committee establishes a clear and authoritative accountability structure for AAT operations. • Legal reviews are conducted to minimize the inadvertent infringement of third-party Intellectual Property (IP) rights through the use of AAT products and/ or services. • AAT-specific compliance requirements for cybersecurity & data privacy are identified and documented. • Governance function for AAT is formally assigned with defined roles and associated responsibilities. • A Program Management Office (PMO), or similar function, tracks and reports on activities related to the mapping, measuring and managing of AAT. • Secure engineering principles are identified and implemented to ensure AAT are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences. • Robust development and pre-deployment functionality, security and data privacy testing is conducted on all internal and third-party AAT projects. • Production use of AAT is closely monitored to minimize emergent properties or unintended consequences. • Robust incident response and business continuity plans exist to respond to AAT-related emergent properties or unintended consequences. • Data sources utilized in the training and/or operation of AAT are identified and documented. • The Confidentiality, Integrity and Availability (CIA) of source data to prevent accidental contamination or malicious corruption (e.g., data poisoning) that could compromise the performance of AAT. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to benchmark capabilities, targeted usage, goals and expected benefits and costs of Artificial Intelligence (AI) and Autonomous Technologies (AAT). See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to benchmark capabilities, targeted usage, goals and expected benefits and costs of Artificial Intelligence (AI) and Autonomous Technologies (AAT). 5.1 6.2 6.2(a) 6.2(b) 6.2(c) 6.2(d) 6.2(e) 6.2(f) 6.2(g) A.6.2.3 A.9 A.9.2 A.9.3 A.9.4 A.10.4 MAP 3.0 R.3.1 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-4 R-SA-1 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-4 R-SA-1 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15
Artificial & Autonomous Technologies AI & Autonomous Technologies Potential Benefits Analysis FII-SCF-AAT-0004.1 Mechanisms exist to assess the potential benefits of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT). Does the organization assess the potential benefits of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT)? 2 x Identify x x There is no evidence of a capability to assess the potential benefits of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT). SP-CMM1 is N/A, since a structured process is required to assess the potential benefits of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT). SP-CMM2 is N/A, since a well-defined process is required to assess the potential benefits of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT). Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization’s business strategy and prioritizes the objectives of the security function to determine prioritized and authoritative guidance for Artificial Intelligence and Autonomous Technologies (AAT), within the broader scope of cybersecurity and data protection operations. • The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the organization. This CONOPS for AAT may be incorporated as part of a broader operational plan for the cybersecurity & data privacy program. • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity & data privacy controls to facilitate the implementation of secure and compliant practices to protect the confidentiality, integrity, availability and safety of the organization’s applications, systems, services and data. Compliance requirements for AAT are identified and documented. • A steering committee is formally established to provide executive oversight of the cybersecurity & data privacy program, including AAT. The steering committee establishes a clear and authoritative accountability structure for AAT operations. • Legal reviews are conducted to minimize the inadvertent infringement of third-party Intellectual Property (IP) rights through the use of AAT products and/ or services. • AAT-specific compliance requirements for cybersecurity & data privacy are identified and documented. • Governance function for AAT is formally assigned with defined roles and associated responsibilities. • A Program Management Office (PMO), or similar function, tracks and reports on activities related to the mapping, measuring and managing of AAT. • Secure engineering principles are identified and implemented to ensure AAT are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences. • Robust development and pre-deployment functionality, security and data privacy testing is conducted on all internal and third-party AAT projects. • Production use of AAT is closely monitored to minimize emergent properties or unintended consequences. • Robust incident response and business continuity plans exist to respond to AAT-related emergent properties or unintended consequences. • Data sources utilized in the training and/or operation of AAT are identified and documented. • The Confidentiality, Integrity and Availability (CIA) of source data to prevent accidental contamination or malicious corruption (e.g., data poisoning) that could compromise the performance of AAT. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to assess the potential benefits of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT). See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to assess the potential benefits of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT). MAP 3.1 R.15.4 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15
Artificial & Autonomous Technologies AI & Autonomous Technologies Potential Costs Analysis FII-SCF-AAT-0004.2 Mechanisms exist to assess potential costs, including non-monetary costs, resulting from expected or realized Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related errors or system functionality and trustworthiness. Does the organization assess potential costs, including non-monetary costs, resulting from expected or realized Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related errors or system functionality and trustworthiness? 2 x Identify x x There is no evidence of a capability to assess potential costs, including non-monetary costs, resulting from expected or realized Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related errors or system functionality and trustworthiness. SP-CMM1 is N/A, since a structured process is required to assess potential costs, including non-monetary costs, resulting from expected or realized Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related errors or system functionality and trustworthiness. SP-CMM2 is N/A, since a well-defined process is required to assess potential costs, including non-monetary costs, resulting from expected or realized Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related errors or system functionality and trustworthiness. Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization’s business strategy and prioritizes the objectives of the security function to determine prioritized and authoritative guidance for Artificial Intelligence and Autonomous Technologies (AAT), within the broader scope of cybersecurity and data protection operations. • The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the organization. This CONOPS for AAT may be incorporated as part of a broader operational plan for the cybersecurity & data privacy program. • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity & data privacy controls to facilitate the implementation of secure and compliant practices to protect the confidentiality, integrity, availability and safety of the organization’s applications, systems, services and data. Compliance requirements for AAT are identified and documented. • A steering committee is formally established to provide executive oversight of the cybersecurity & data privacy program, including AAT. The steering committee establishes a clear and authoritative accountability structure for AAT operations. • Legal reviews are conducted to minimize the inadvertent infringement of third-party Intellectual Property (IP) rights through the use of AAT products and/ or services. • AAT-specific compliance requirements for cybersecurity & data privacy are identified and documented. • Governance function for AAT is formally assigned with defined roles and associated responsibilities. • A Program Management Office (PMO), or similar function, tracks and reports on activities related to the mapping, measuring and managing of AAT. • Secure engineering principles are identified and implemented to ensure AAT are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences. • Robust development and pre-deployment functionality, security and data privacy testing is conducted on all internal and third-party AAT projects. • Production use of AAT is closely monitored to minimize emergent properties or unintended consequences. • Robust incident response and business continuity plans exist to respond to AAT-related emergent properties or unintended consequences. • Data sources utilized in the training and/or operation of AAT are identified and documented. • The Confidentiality, Integrity and Availability (CIA) of source data to prevent accidental contamination or malicious corruption (e.g., data poisoning) that could compromise the performance of AAT. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to assess potential costs, including non-monetary costs, resulting from expected or realized Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related errors or system functionality and trustworthiness. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to assess potential costs, including non-monetary costs, resulting from expected or realized Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related errors or system functionality and trustworthiness. A.5.3 A.5.4 A.5.5 MAP 3.2 R.4.1 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15
Artificial & Autonomous Technologies AI & Autonomous Technologies Targeted Application Scope FII-SCF-AAT-0004.3 Mechanisms exist to specify and document the targeted application scope of the proposed use and operation of Artificial Intelligence (AI) and Autonomous Technologies (AAT). Does the organization specify and document the targeted application scope of the proposed use and operation of Artificial Intelligence (AI) and Autonomous Technologies (AAT)? 8 x Identify x x x There is no evidence of a capability to specify and document the targeted application scope of the proposed use and operation of Artificial Intelligence (AI) and Autonomous Technologies (AAT). SP-CMM1 is N/A, since a structured process is required to specify and document the targeted application scope of the proposed use and operation of Artificial Intelligence (AI) and Autonomous Technologies (AAT). SP-CMM2 is N/A, since a well-defined process is required to specify and document the targeted application scope of the proposed use and operation of Artificial Intelligence (AI) and Autonomous Technologies (AAT). Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization’s business strategy and prioritizes the objectives of the security function to determine prioritized and authoritative guidance for Artificial Intelligence and Autonomous Technologies (AAT), within the broader scope of cybersecurity and data protection operations. • The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the organization. This CONOPS for AAT may be incorporated as part of a broader operational plan for the cybersecurity & data privacy program. • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity & data privacy controls to facilitate the implementation of secure and compliant practices to protect the confidentiality, integrity, availability and safety of the organization’s applications, systems, services and data. Compliance requirements for AAT are identified and documented. • A steering committee is formally established to provide executive oversight of the cybersecurity & data privacy program, including AAT. The steering committee establishes a clear and authoritative accountability structure for AAT operations. • Legal reviews are conducted to minimize the inadvertent infringement of third-party Intellectual Property (IP) rights through the use of AAT products and/ or services. • AAT-specific compliance requirements for cybersecurity & data privacy are identified and documented. • Governance function for AAT is formally assigned with defined roles and associated responsibilities. • A Program Management Office (PMO), or similar function, tracks and reports on activities related to the mapping, measuring and managing of AAT. • Secure engineering principles are identified and implemented to ensure AAT are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences. • Robust development and pre-deployment functionality, security and data privacy testing is conducted on all internal and third-party AAT projects. • Production use of AAT is closely monitored to minimize emergent properties or unintended consequences. • Robust incident response and business continuity plans exist to respond to AAT-related emergent properties or unintended consequences. • Data sources utilized in the training and/or operation of AAT are identified and documented. • The Confidentiality, Integrity and Availability (CIA) of source data to prevent accidental contamination or malicious corruption (e.g., data poisoning) that could compromise the performance of AAT. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to specify and document the targeted application scope of the proposed use and operation of Artificial Intelligence (AI) and Autonomous Technologies (AAT). See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to specify and document the targeted application scope of the proposed use and operation of Artificial Intelligence (AI) and Autonomous Technologies (AAT). 4.3 9.2.2(a) A.4.4 A.4.5 MAP 3.3 R.16.3 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15
Artificial & Autonomous Technologies AI & Autonomous Technologies Cost / Benefit Mapping FII-SCF-AAT-0004.4 Mechanisms exist to map risks and benefits for all components of Artificial Intelligence (AI) and Autonomous Technologies (AAT), including third-party software and data. Does the organization map risks and benefits for all components of Artificial Intelligence (AI) and Autonomous Technologies (AAT), including third-party software and data? 2 x Identify x x There is no evidence of a capability to map risks and benefits for all components of Artificial Intelligence (AI) and Autonomous Technologies (AAT), including third-party software and data. SP-CMM1 is N/A, since a structured process is required to map risks and benefits for all components of Artificial Intelligence (AI) and Autonomous Technologies (AAT), including third-party software and data. SP-CMM2 is N/A, since a well-defined process is required to map risks and benefits for all components of Artificial Intelligence (AI) and Autonomous Technologies (AAT), including third-party software and data. Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization’s business strategy and prioritizes the objectives of the security function to determine prioritized and authoritative guidance for Artificial Intelligence and Autonomous Technologies (AAT), within the broader scope of cybersecurity and data protection operations. • The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the organization. This CONOPS for AAT may be incorporated as part of a broader operational plan for the cybersecurity & data privacy program. • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity & data privacy controls to facilitate the implementation of secure and compliant practices to protect the confidentiality, integrity, availability and safety of the organization’s applications, systems, services and data. Compliance requirements for AAT are identified and documented. • A steering committee is formally established to provide executive oversight of the cybersecurity & data privacy program, including AAT. The steering committee establishes a clear and authoritative accountability structure for AAT operations. • Legal reviews are conducted to minimize the inadvertent infringement of third-party Intellectual Property (IP) rights through the use of AAT products and/ or services. • AAT-specific compliance requirements for cybersecurity & data privacy are identified and documented. • Governance function for AAT is formally assigned with defined roles and associated responsibilities. • A Program Management Office (PMO), or similar function, tracks and reports on activities related to the mapping, measuring and managing of AAT. • Secure engineering principles are identified and implemented to ensure AAT are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences. • Robust development and pre-deployment functionality, security and data privacy testing is conducted on all internal and third-party AAT projects. • Production use of AAT is closely monitored to minimize emergent properties or unintended consequences. • Robust incident response and business continuity plans exist to respond to AAT-related emergent properties or unintended consequences. • Data sources utilized in the training and/or operation of AAT are identified and documented. • The Confidentiality, Integrity and Availability (CIA) of source data to prevent accidental contamination or malicious corruption (e.g., data poisoning) that could compromise the performance of AAT. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to map risks and benefits for all components of Artificial Intelligence (AI) and Autonomous Technologies (AAT), including third-party software and data. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to map risks and benefits for all components of Artificial Intelligence (AI) and Autonomous Technologies (AAT), including third-party software and data. MAP 4.0 R.15.4 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-4 R-SA-1 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-4 R-SA-1 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15
Artificial & Autonomous Technologies AI & Autonomous Technologies Training FII-SCF-AAT-0005 Mechanisms exist to ensure personnel and external stakeholders are provided with position-specific risk management training for Artificial Intelligence (AI) and Autonomous Technologies (AAT). Does the organization ensure personnel and external stakeholders are provided with position-specific risk management training for Artificial Intelligence (AI) and Autonomous Technologies (AAT)? 5 x Identify x x There is no evidence of a capability to ensure personnel and external stakeholders are provided with position-specific risk management training for Artificial Intelligence (AI) and Autonomous Technologies (AAT). SP-CMM1 is N/A, since a structured process is required to ensure personnel and external stakeholders are provided with position-specific risk management training for Artificial Intelligence (AI) and Autonomous Technologies (AAT). SP-CMM2 is N/A, since a well-defined process is required to ensure personnel and external stakeholders are provided with position-specific risk management training for Artificial Intelligence (AI) and Autonomous Technologies (AAT). Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization’s business strategy and prioritizes the objectives of the security function to determine prioritized and authoritative guidance for Artificial Intelligence and Autonomous Technologies (AAT), within the broader scope of cybersecurity and data protection operations. • The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the organization. This CONOPS for AAT may be incorporated as part of a broader operational plan for the cybersecurity & data privacy program. • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity & data privacy controls to facilitate the implementation of secure and compliant practices to protect the confidentiality, integrity, availability and safety of the organization’s applications, systems, services and data. Compliance requirements for AAT are identified and documented. • A steering committee is formally established to provide executive oversight of the cybersecurity & data privacy program, including AAT. The steering committee establishes a clear and authoritative accountability structure for AAT operations. • Legal reviews are conducted to minimize the inadvertent infringement of third-party Intellectual Property (IP) rights through the use of AAT products and/ or services. • AAT-specific compliance requirements for cybersecurity & data privacy are identified and documented. • Governance function for AAT is formally assigned with defined roles and associated responsibilities. • A Program Management Office (PMO), or similar function, tracks and reports on activities related to the mapping, measuring and managing of AAT. • Secure engineering principles are identified and implemented to ensure AAT are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences. • Robust development and pre-deployment functionality, security and data privacy testing is conducted on all internal and third-party AAT projects. • Production use of AAT is closely monitored to minimize emergent properties or unintended consequences. • Robust incident response and business continuity plans exist to respond to AAT-related emergent properties or unintended consequences. • Data sources utilized in the training and/or operation of AAT are identified and documented. • The Confidentiality, Integrity and Availability (CIA) of source data to prevent accidental contamination or malicious corruption (e.g., data poisoning) that could compromise the performance of AAT. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to ensure personnel and external stakeholders are provided with position-specific risk management training for Artificial Intelligence (AI) and Autonomous Technologies (AAT). See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to ensure personnel and external stakeholders are provided with position-specific risk management training for Artificial Intelligence (AI) and Autonomous Technologies (AAT). 7.2 GOVERN 2.2 R.1.1.1 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-SA-2 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15
Artificial & Autonomous Technologies AI & Autonomous Technologies Fairness & Bias FII-SCF-AAT-0006 Mechanisms exist to prevent Artificial Intelligence (AI) and Autonomous Technologies (AAT) from unfairly identifying, profiling and/or statistically singling out a segmented population defined by race, religion, gender identity, national origin, religion, disability or any other politically-charged identifier. Does the organization prevent Artificial Intelligence (AI) and Autonomous Technologies (AAT) from unfairly identifying, profiling and/or statistically singling out a segmented population defined by race, religion, gender identity, national origin, religion, disability or any other politically-charged identifier? 9 x Identify x There is no evidence of a capability to prevent Artificial Intelligence (AI) and Autonomous Technologies (AAT) from unfairly identifying, profiling and/ or statistically singling out a segmented population defined by race, religion, gender identity, national origin, religion, disability or any other politically-charged identifier. SP-CMM1 is N/A, since a structured process is required to prevent Artificial Intelligence (AI) and Autonomous Technologies (AAT) from unfairly identifying, profiling and/ or statistically singling out a segmented population defined by race, religion, gender identity, national origin, religion, disability or any other politically-charged identifier. SP-CMM2 is N/A, since a well-defined process is required to prevent Artificial Intelligence (AI) and Autonomous Technologies (AAT) from unfairly identifying, profiling and/ or statistically singling out a segmented population defined by race, religion, gender identity, national origin, religion, disability or any other politically-charged identifier. Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization’s business strategy and prioritizes the objectives of the security function to determine prioritized and authoritative guidance for Artificial Intelligence and Autonomous Technologies (AAT), within the broader scope of cybersecurity and data protection operations. • The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the organization. This CONOPS for AAT may be incorporated as part of a broader operational plan for the cybersecurity & data privacy program. • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity & data privacy controls to facilitate the implementation of secure and compliant practices to protect the confidentiality, integrity, availability and safety of the organization’s applications, systems, services and data. Compliance requirements for AAT are identified and documented. • A steering committee is formally established to provide executive oversight of the cybersecurity & data privacy program, including AAT. The steering committee establishes a clear and authoritative accountability structure for AAT operations. • Legal reviews are conducted to minimize the inadvertent infringement of third-party Intellectual Property (IP) rights through the use of AAT products and/ or services. • AAT-specific compliance requirements for cybersecurity & data privacy are identified and documented. • Governance function for AAT is formally assigned with defined roles and associated responsibilities. • A Program Management Office (PMO), or similar function, tracks and reports on activities related to the mapping, measuring and managing of AAT. • Secure engineering principles are identified and implemented to ensure AAT are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences. • Robust development and pre-deployment functionality, security and data privacy testing is conducted on all internal and third-party AAT projects. • Production use of AAT is closely monitored to minimize emergent properties or unintended consequences. • Robust incident response and business continuity plans exist to respond to AAT-related emergent properties or unintended consequences. • Data sources utilized in the training and/or operation of AAT are identified and documented. • The Confidentiality, Integrity and Availability (CIA) of source data to prevent accidental contamination or malicious corruption (e.g., data poisoning) that could compromise the performance of AAT. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to prevent Artificial Intelligence (AI) and Autonomous Technologies (AAT) from unfairly identifying, profiling and/ or statistically singling out a segmented population defined by race, religion, gender identity, national origin, religion, disability or any other politically-charged identifier. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to prevent Artificial Intelligence (AI) and Autonomous Technologies (AAT) from unfairly identifying, profiling and/ or statistically singling out a segmented population defined by race, religion, gender identity, national origin, religion, disability or any other politically-charged identifier. GOVERN 3.0 R.4.1 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15
Artificial & Autonomous Technologies AI & Autonomous Technologies Risk Management Decisions FII-SCF-AAT-0007 Mechanisms exist to leverage decision makers from a diversity of demographics, disciplines, experience, expertise and backgrounds for mapping, measuring and managing Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks. E-AAT-05 Does the organization leverage decision makers from a diversity of demographics, disciplines, experience, expertise and backgrounds for mapping, measuring and managing Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks? 10 x Identify x x x There is no evidence of a capability to leverage decision makers from a diversity of demographics, disciplines, experience, expertise and backgrounds for mapping, measuring and managing Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks. SP-CMM1 is N/A, since a structured process is required to leverage decision makers from a diversity of demographics, disciplines, experience, expertise and backgrounds for mapping, measuring and managing Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks. SP-CMM2 is N/A, since a well-defined process is required to leverage decision makers from a diversity of demographics, disciplines, experience, expertise and backgrounds for mapping, measuring and managing Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks. Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization’s business strategy and prioritizes the objectives of the security function to determine prioritized and authoritative guidance for Artificial Intelligence and Autonomous Technologies (AAT), within the broader scope of cybersecurity and data protection operations. • The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the organization. This CONOPS for AAT may be incorporated as part of a broader operational plan for the cybersecurity & data privacy program. • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity & data privacy controls to facilitate the implementation of secure and compliant practices to protect the confidentiality, integrity, availability and safety of the organization’s applications, systems, services and data. Compliance requirements for AAT are identified and documented. • A steering committee is formally established to provide executive oversight of the cybersecurity & data privacy program, including AAT. The steering committee establishes a clear and authoritative accountability structure for AAT operations. • Legal reviews are conducted to minimize the inadvertent infringement of third-party Intellectual Property (IP) rights through the use of AAT products and/ or services. • AAT-specific compliance requirements for cybersecurity & data privacy are identified and documented. • Governance function for AAT is formally assigned with defined roles and associated responsibilities. • A Program Management Office (PMO), or similar function, tracks and reports on activities related to the mapping, measuring and managing of AAT. • Secure engineering principles are identified and implemented to ensure AAT are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences. • Robust development and pre-deployment functionality, security and data privacy testing is conducted on all internal and third-party AAT projects. • Production use of AAT is closely monitored to minimize emergent properties or unintended consequences. • Robust incident response and business continuity plans exist to respond to AAT-related emergent properties or unintended consequences. • Data sources utilized in the training and/or operation of AAT are identified and documented. • The Confidentiality, Integrity and Availability (CIA) of source data to prevent accidental contamination or malicious corruption (e.g., data poisoning) that could compromise the performance of AAT. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to leverage decision makers from a diversity of demographics, disciplines, experience, expertise and backgrounds for mapping, measuring and managing Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to leverage decision makers from a diversity of demographics, disciplines, experience, expertise and backgrounds for mapping, measuring and managing Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks. 6.1 6.1.1 6.1.2 6.1.2(a) 6.1.2(b) 6.1.2(c) 6.1.2(d) 6.1.2(d)(1) 6.1.2(d)(2) 6.1.2(d)(3) 6.1.2(e) 6.1.2(e)(1) 6.1.2(e)(2) 6.1.3 6.1.3(a) 6.1.3(b) 6.1.3(c) 6.1.3(d) 6.1.3(e) 6.1.3(f) 6.1.3(g) 6.1.4 8.2 GOVERN 3.1 R.29.1.1 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15
Artificial & Autonomous Technologies AI & Autonomous Technologies Impact Characterization FII-SCF-AAT-0007.1 Mechanisms exist to characterize the impacts of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT) on individuals, groups, communities, organizations and society. E-AAT-06 Does the organization characterize the impacts of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT) on individuals, groups, communities, organizations and society? 8 x Identify x x There is no evidence of a capability to characterize the impacts of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT) on individuals, groups, communities, organizations and society. SP-CMM1 is N/A, since a structured process is required to characterize the impacts of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT) on individuals, groups, communities, organizations and society. SP-CMM2 is N/A, since a well-defined process is required to characterize the impacts of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT) on individuals, groups, communities, organizations and society. Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization’s business strategy and prioritizes the objectives of the security function to determine prioritized and authoritative guidance for Artificial Intelligence and Autonomous Technologies (AAT), within the broader scope of cybersecurity and data protection operations. • The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the organization. This CONOPS for AAT may be incorporated as part of a broader operational plan for the cybersecurity & data privacy program. • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity & data privacy controls to facilitate the implementation of secure and compliant practices to protect the confidentiality, integrity, availability and safety of the organization’s applications, systems, services and data. Compliance requirements for AAT are identified and documented. • A steering committee is formally established to provide executive oversight of the cybersecurity & data privacy program, including AAT. The steering committee establishes a clear and authoritative accountability structure for AAT operations. • Legal reviews are conducted to minimize the inadvertent infringement of third-party Intellectual Property (IP) rights through the use of AAT products and/ or services. • AAT-specific compliance requirements for cybersecurity & data privacy are identified and documented. • Governance function for AAT is formally assigned with defined roles and associated responsibilities. • A Program Management Office (PMO), or similar function, tracks and reports on activities related to the mapping, measuring and managing of AAT. • Secure engineering principles are identified and implemented to ensure AAT are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences. • Robust development and pre-deployment functionality, security and data privacy testing is conducted on all internal and third-party AAT projects. • Production use of AAT is closely monitored to minimize emergent properties or unintended consequences. • Robust incident response and business continuity plans exist to respond to AAT-related emergent properties or unintended consequences. • Data sources utilized in the training and/or operation of AAT are identified and documented. • The Confidentiality, Integrity and Availability (CIA) of source data to prevent accidental contamination or malicious corruption (e.g., data poisoning) that could compromise the performance of AAT. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to characterize the impacts of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT) on individuals, groups, communities, organizations and society. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to characterize the impacts of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT) on individuals, groups, communities, organizations and society. 8.4 A.5.3 A.5.4 A.5.5 MAP 5.0 R.7.2.9 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15
Artificial & Autonomous Technologies AI & Autonomous Technologies Likelihood & Impact Risk Analysis FII-SCF-AAT-0007.2 Mechanisms exist to define the potential likelihood and impact of each identified risk based on expected use and past uses of Artificial Intelligence (AI) and Autonomous Technologies (AAT) in similar contexts. E-AAT-06 Does the organization define the potential likelihood and impact of each identified risk based on expected use and past uses of Artificial Intelligence (AI) and Autonomous Technologies (AAT) in similar contexts? 10 x Identify x x x There is no evidence of a capability to define the potential likelihood and impact of each identified risk based on expected use and past uses of Artificial Intelligence (AI) and Autonomous Technologies (AAT) in similar contexts. SP-CMM1 is N/A, since a structured process is required to define the potential likelihood and impact of each identified risk based on expected use and past uses of Artificial Intelligence (AI) and Autonomous Technologies (AAT) in similar contexts. SP-CMM2 is N/A, since a well-defined process is required to define the potential likelihood and impact of each identified risk based on expected use and past uses of Artificial Intelligence (AI) and Autonomous Technologies (AAT) in similar contexts. Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization’s business strategy and prioritizes the objectives of the security function to determine prioritized and authoritative guidance for Artificial Intelligence and Autonomous Technologies (AAT), within the broader scope of cybersecurity and data protection operations. • The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the organization. This CONOPS for AAT may be incorporated as part of a broader operational plan for the cybersecurity & data privacy program. • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity & data privacy controls to facilitate the implementation of secure and compliant practices to protect the confidentiality, integrity, availability and safety of the organization’s applications, systems, services and data. Compliance requirements for AAT are identified and documented. • A steering committee is formally established to provide executive oversight of the cybersecurity & data privacy program, including AAT. The steering committee establishes a clear and authoritative accountability structure for AAT operations. • Legal reviews are conducted to minimize the inadvertent infringement of third-party Intellectual Property (IP) rights through the use of AAT products and/ or services. • AAT-specific compliance requirements for cybersecurity & data privacy are identified and documented. • Governance function for AAT is formally assigned with defined roles and associated responsibilities. • A Program Management Office (PMO), or similar function, tracks and reports on activities related to the mapping, measuring and managing of AAT. • Secure engineering principles are identified and implemented to ensure AAT are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences. • Robust development and pre-deployment functionality, security and data privacy testing is conducted on all internal and third-party AAT projects. • Production use of AAT is closely monitored to minimize emergent properties or unintended consequences. • Robust incident response and business continuity plans exist to respond to AAT-related emergent properties or unintended consequences. • Data sources utilized in the training and/or operation of AAT are identified and documented. • The Confidentiality, Integrity and Availability (CIA) of source data to prevent accidental contamination or malicious corruption (e.g., data poisoning) that could compromise the performance of AAT. See SP-CMM3. SP-CMM4 is N/A, since a quantitatively-controlled process is not necessary to define the potential likelihood and impact of each identified risk based on expected use and past uses of Artificial Intelligence (AI) and Autonomous Technologies (AAT) in similar contexts. See SP-CMM4. SP-CMM5 is N/A, since a continuously-improving process is not necessary to define the potential likelihood and impact of each identified risk based on expected use and past uses of Artificial Intelligence (AI) and Autonomous Technologies (AAT) in similar contexts. 6.1.2 6.1.2(a) 6.1.2(b) 6.1.2(c) 6.1.2(d) 6.1.2(d)(1) 6.1.2(d)(2) 6.1.2(d)(3) 6.1.2(e) 6.1.2(e)(1) 6.1.2(e)(2) 8.2 MAP 5.1 R.7.2.9 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 R-AC-1 R-AC-2 R-AC-3 R-AC-4 R-AM-1 R-AM-2 R-BC-1 R-BC-2 R-BC-3 R-BC-4 R-BC-5 R-EX-1 R-EX-2 R-EX-3 R-EX-4 R-EX-5 R-EX-6 R-EX-7 R-GV-1 R-GV-2 R-GV-3 R-GV-4 R-GV-5 R-GV-6 R-GV-7 R-GV-8 R-IR-1 R-IR-2 R-IR-3 R-IR-4 R-SA-1 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15 NT-2 NT-3 NT-4 NT-5 NT-6 NT-7 NT-9 NT-10 NT-11 NT-12 NT-13 MT-7 MT-8 MT-9 MT-10 MT-12 MT-13 MT-14 MT-15

(Page 1 of 25) Next