To support and improve the cybersecurity training provided through FEMA/NTED, the National Cybersecurity Preparedness Consortium (NCPC) is developing multi-year curricula that strategically guide states, local governments, tribes and territories (SLTTs) on how to improve cybersecurity.
This cybersecurity certificate training program will align with current and future courses made available through the NCPC.
Through this program, individuals are provided a series of training courses designed to improve their overall cybersecurity knowledge, skills, abilities and behaviors contributing to individual, organizational and community cybersecurity preparedness. A certificate is awarded to individuals completing the series of training courses.
Audiences
Cybersecurity is a field with both technical and fundamental aspects. Leaders, technical staff and end users each require specific training, which is why our cybersecurity certificate training will focus on courses that target those audiences.
End User
Any individual in an organization or community. This category may include cybersecurity training for specific positions in an organization or community. Emergency Management is one example; others may be identified as the training certificates are developed.
Technical
Any individual with technical responsibilities. These responsibilities may include but are not limited to managing voice and data systems, computer programs, hardware, software and networking.
Leadership
Any leader in an organization or community. Leaders may have a technical or non-technical background. A leader has some level of influence or decision-making authority within an organization or community.
The 3-D model is designed to assist individuals, organizations, communities and states in identifying what needs to be done when building a flexible, scalable and sustainable cybersecurity program that can assist in preparing to detect a cyber-attack, develop plans to respond during an attack, and determine what needs to be done after an attack has occurred. As a three-dimensional model, the CCSMM provides a visual representation of the improvement progression for everyone in the nation.
The CCSMM targets five key levels of improvement as a step-by-step process for improving your cybersecurity posture. To do this, the model provides mechanisms – such as training – to contribute to your overall progression. Each level takes you from a basic understanding of cybersecurity, to becoming a mentor for others to help achieve cyber excellence throughout your community. The certificates will be a roadmap to help audiences (as described above) throughout your community to improve their overall cybersecurity posture.
The Five Levels of Improvement
Initial
Some processes or programs may be in place, but a community at level 1 does not have all the program elements for a basic program.
Established
A basic program has been established with elements and processes in place for all four dimensions.
Self-Assessed
A minimal viable and sustainable program has been implemented.
Integrated
Cybersecurity is integrated across the community, including all citizens and organizations within the community, and is also working with the state and other communities within the state.
Vanguard
The community is maintaining a fully vigilant cybersecurity posture.
It’s important to note that for a community to be prepared, individual organizations within the community need their own cybersecurity program. The CCSMM allows communities to handle more advanced early detection of possible cyber-attacks. To assist everyone within a community to create a base level of awareness and progress through the levels of improvement, individual characteristics are added to describe the various aspects of domains in a four-dimensional community cybersecurity program, which includes awareness, information sharing, policies, and plans.
Additionally, the CCSMM can integrate other frameworks, such as the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) (NIST, 2018) and the DoD’s CMMC outlining the security controls necessary for an organization. It can also support the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NICE Framework) (NIST, 2017), which is a resource that categorizes and describes cybersecurity work and the cybersecurity workforce.
The Four Dimensions
A community’s cybersecurity is measured according to its awareness, information sharing, policy, and plans.
Awareness
Most people understand that cyber threats exist; however, not as many understand the extent of the threat, the current attack trends, how a cyber incident can impact a community, what the vulnerabilities are that should be addressed, and what the cascading effects may be if a community were under a cyber-attack.
Information Sharing
This dimension addresses what to do with information on a cyber incident and where the information should be reported. In addition, it addresses how one sector can share information with another, allowing the second sector to potentially prevent the incident from occurring.
Policy
This addresses the need to integrate cyber elements into the policies or guiding principles and includes all guiding regulations, laws, rules and documents that govern the daily operation of the community. Policies should be evaluated to ensure cybersecurity principles are reflected in everything we do and will establish expectations and limitations.
Plans
Communities have established plans to address many different hazards, and this dimension ensures cybersecurity elements are included in those plans, enabling the community to address cyber incidents that could impact the operations of the community.
History of the CCSMM
In 2002, the Center for Infrastructure Assurance and Security (CIAS) at The University of Texas at San Antonio (UTSA) conducted the first community cybersecurity exercise in San Antonio, Texas. Called Dark Screen, this tabletop exercise proved extremely successful at helping community leaders become aware of how an attack on the cyber infrastructures in the community could impact the community at large. After completion of this exercise and conducting a series of similar exercises for other communities, the CIAS discovered that while the community leaders still knew cyber was something that they needed to be concerned with, after a year they had almost universally not done anything to improve their cybersecurity posture.
To help communities (and by extension, states) get started on a coordinated plan to develop a viable and sustainable cybersecurity program, the CCSMM was established and efforts were immediately made to help communities implement it in their jurisdictions. It is now being used in communities nationwide to jumpstart community cybersecurity programs.