CCE Theses and Dissertations

Date of Award

2024

Document Type

Dissertation

Degree Name

Doctor of Philosophy Cybersecurity Management

Department

College of Computing and Engineering

Advisor

Ling Wang

Committee Member

Mary Harward

Committee Member

Yair Levy

Keywords

CMMC 2.0, COBIT 19, compliance, cybersecurity frameworks, ontology, reciprocity

Abstract

Cybersecurity frameworks developed by a variety of organizations and implemented by a much larger collection of organizations differ in their focus and application. Whether designed by a private or government organization, the primary goal is to provide a framework to assess and reduce risk. The Department of Defense (DoD) has recently implemented the second version of the Cybersecurity Maturity Model Certification (CMMC 2.0). In some situations, compliance with CMMC 2.0 has already become mandatory for the Defense Industrial Base (DIB). Compliance will soon be required for all Large Businesses (LB) and Small Businesses (SB) within the DIB. While COBIT 19 provides mapping to the NIST Cybersecurity Framework (CSF), there is little mapping information to any version of the CMMC 2.0. Without resources and expertise comparable to LB, SB needs efficient and effective methods to implement CMMC 2.0 without creating undue costs.

The main goal of this research study was to add new information to the body of knowledge to support the development of machine-readable ontologies between Control Objectives for Information and Related Technologies (COBIT) 19 and CMMC 2.0 through the use of Semantic Web technologies. This research study utilized Resource Description Framework (RDF) triplets to break down COBIT 19 and CMMC 2.0. These RDF triplets were then used to populate ontologies using Protégé software developed by the Stanford Center for Biomedical Informatics Research. For the purpose of conducting quantitative comparisons, the Jaccard Index and Simple Matching Coefficient (SMC) equations were used to identify similarities between the two cybersecurity frameworks. This research study then provided the results of these comparisons to a collection of over 50 Subject Matter Experts (SME) within the DIB to measure their perception of the value of RDF Similarity Scores to DIB organizations.

SMEs participated in an anonymous online survey that measured their perceptions based on a modified Unified Methodology Adoption Model (UMAM). The online survey included an opportunity to provide open-ended comments on the overall process. The results of the survey showed that, from a collection of 50 SMEs, a majority held a positive perception of the possibility of using Semantic Web technologies to compare COBIT 19 and CMMC 2.0. A secondary result showed that SMEs with increased experience, higher-level certifications, and secondary education reported generally negative perceptions. The results of this research study may lead to an increase in reciprocity while reducing duplication and waste.
