CMMC Practice CA.4.163
Create, maintain, and leverage a security roadmap for improvement.
Bold Coast Security Guidance
For maturity modeling to be truly effective, an organization must have formal plans. Roadmaps are key documents for planning progressive maturity based on assessment results. Once an environment is assessed and a baseline program is defined, to be compliant at Level 4 the organization must have a clearly defined plan and a set of measurements in place to chart progress toward the chosen maturity goals.
As organizations mature in their cyber security operations, they are expected to create, maintain, and leverage a security roadmap that shows their planned path forward for improvements. This demonstrates a maturity level above that of the average company. The security roadmap helps a company increase its overall security posture based on priority, cost, and implementation time. Such planning also helps an organization line up vendors to discuss the plan and the solutions they may offer, receive bids for the work, or get a bid on a cybersecurity appliance to be installed on site or on an “as a service” solution from a cloud provider that will be used remotely. The roadmap should be used to plan based on the areas of highest risk, the latest TTPs, and/or knowledge that a specific industry is being targeted, and to push forward solutions that will thwart malicious activities. A roadmap will require updates from time to time based on intelligence or architecture needs. A roadmap survives people changing positions, and it provides a continuity plan for improving the cybersecurity posture of an organization.