Comparative Analysis of Cybersecurity Frameworks: MOSAICS, CMMC, and FedRAMP
In an era where critical infrastructure systems—such as power grids, water treatment facilities, and transportation networks—are increasingly interconnected, the vulnerability to cyber threats has escalated. Recognizing this pressing issue, the Naval Information Warfare Center (NIWC) Atlantic has developed the More Situational Awareness for Industrial Control Systems (MOSAICS) framework. This innovative cybersecurity solution aims to enhance the protection of industrial control systems (ICS) against cyberattacks, ensuring the resilience and security of essential services.
The Evolution of MOSAICS
The inception of MOSAICS dates back to 2018 when Dr. Aleksandra Scalco, then a cyber subject matter expert for Mission Critical Control Systems at NIWC Atlantic, initiated a research and development proposal under the Naval Innovative Science and Engineering (NISE) program. The project's objective was to address the growing cyber vulnerabilities in critical infrastructure by developing a comprehensive cybersecurity framework. As the project gained momentum, it evolved into a formal Joint Capability Technology Demonstration (JCTD), with collaborations extending to the U.S. Army, U.S. Air Force, and other Navy commands.
Addressing Cyber Vulnerabilities in Critical Infrastructure
Critical infrastructure systems, once isolated, have transitioned into fully networked facilities employing both hardware and software to control industrial equipment. This integration has introduced vulnerabilities, making operational technologies (OT) susceptible to cyber actors aiming to compromise networks and remotely access physical devices. MOSAICS addresses these challenges by integrating a suite of vendor-agnostic, non-proprietary, commercial off-the-shelf hardware and software tools into a unified, automated system. This integration facilitates real-time visibility of adversarial threats, enabling asset owners and operators to detect and respond to cyberattacks promptly.
Technical Architecture of MOSAICS
The MOSAICS framework is designed to provide comprehensive situational awareness and defense capabilities for ICS. Its architecture encompasses several key components:
- Passive and Active Monitoring: MOSAICS enables both passive and active monitoring of ICS networks, ensuring continuous surveillance without disrupting operations.
- Baseline Establishment: The framework establishes a baseline of normal operations, allowing for the detection of anomalies that may indicate cyber threats.
- Threat Detection and Response: By integrating various detection mechanisms, MOSAICS identifies potential threats and facilitates timely responses to mitigate risks.
- Data Analytics and Visualization: Advanced data analytics and visualization tools provide operators with actionable insights into the security posture of their ICS environments.
This comprehensive approach ensures that MOSAICS can effectively safeguard critical infrastructure against evolving cyber threats.
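The baseline-then-detect idea from the list above, as an added example that is not MOSAICS code and does not reflect how MOSAICS is implemented: it learns known assets, conversations and protocol functions from passively observed flows, then flags deviations such as a device that was never in the baseline. The flow record fields, IP addresses, function names and helper names are all assumptions made up for this illustration.

```python
from collections import namedtuple

# One passively observed conversation on the control network (hypothetical record layout).
Flow = namedtuple("Flow", "src dst proto func")

# Constructed learning-window traffic: an HMI polling two PLCs, a historian reading one.
BASELINE_WINDOW = [
    Flow("10.0.5.10", "10.0.5.21", "modbus", "read_holding_registers"),
    Flow("10.0.5.10", "10.0.5.22", "modbus", "read_holding_registers"),
    Flow("10.0.5.10", "10.0.5.21", "modbus", "write_single_register"),
    Flow("10.0.5.30", "10.0.5.21", "modbus", "read_holding_registers"),
]

def build_baseline(flows):
    """Learn known assets, known talker pairs, and the functions seen per pair."""
    assets, pairs, funcs = set(), set(), {}
    for f in flows:
        assets.update((f.src, f.dst))
        pairs.add((f.src, f.dst, f.proto))
        funcs.setdefault((f.src, f.dst, f.proto), set()).add(f.func)
    return {"assets": assets, "pairs": pairs, "funcs": funcs}

def classify(baseline, flow):
    """Return the most significant deviation for one flow, or None if it matches."""
    for addr in (flow.src, flow.dst):
        if addr not in baseline["assets"]:
            return ("new_asset", addr)
    key = (flow.src, flow.dst, flow.proto)
    if key not in baseline["pairs"]:
        return ("new_conversation", key)
    if flow.func not in baseline["funcs"][key]:
        return ("new_function", flow.func)
    return None

def detect(baseline, flows):
    """Alerts for every observed flow that deviates from the baseline."""
    return [(f, c) for f in flows if (c := classify(baseline, f)) is not None]

# Constructed monitoring-window traffic.
OBSERVED = [
    Flow("10.0.5.10", "10.0.5.21", "modbus", "read_holding_registers"),  # matches baseline
    Flow("10.0.5.77", "10.0.5.21", "modbus", "read_holding_registers"),  # device never seen before
    Flow("10.0.5.30", "10.0.5.22", "modbus", "read_holding_registers"),  # known hosts, new pair
    Flow("10.0.5.30", "10.0.5.21", "modbus", "write_single_register"),   # reader starts writing
]

if __name__ == "__main__":
    for flow, (kind, detail) in detect(build_baseline(BASELINE_WINDOW), OBSERVED):
        print(kind, detail, flow)
```

A baseline like this is only as good as its learning window: anything already present while the baseline was recorded is treated as normal.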
Integration into Department of Defense Building Codes
A significant milestone for MOSAICS is its potential integration into the Department of Defense's (DoD) Unified Facilities Criteria (UFC) 1-200-01, the DoD Building Code for general building requirements. This integration would provide detailed systems-engineering requirements to safeguard ICS, guiding engineers in the design and development of cyber technologies. Incorporating cybersecurity specifications into building codes, traditionally focused on mechanical and electrical requirements, represents a paradigm shift in how infrastructure security is approached. This move underscores the critical importance of cybersecurity in the design, construction, and maintenance of military facilities, ensuring safety, security, durability, and functionality for critical ICS.
Operational Validation and Success Stories
The efficacy of MOSAICS has been demonstrated through various assessments and real-world applications. Notably, during a Military Utility Assessment (MUA) at a Naval Facilities Engineering Systems Command (NAVFAC) operational site, MOSAICS successfully identified 20 out of 22 simulated cyberattacks, achieving a 90.5% success rate with less than 5% false positives. Additionally, the system detected unauthorized activities, such as a contractor installing new components without proper authorization, highlighting its real-world utility in identifying both malicious attacks and unauthorized actions.
Collaboration and Future Prospects
The development and success of MOSAICS are attributed to extensive collaboration among federal agencies, research institutions, and industry partners. For instance, the Johns Hopkins University Applied Physics Laboratory (APL) played a pivotal role in advancing MOSAICS from a basic cyberattack detection system to a comprehensive ICS operational defense capability. APL leveraged its expertise in systems engineering and ongoing work in Integrated Adaptive Cyber Defense (IACD) to enhance MOSAICS, allowing ICS operators to detect and characterize cyberattacks in real-time and supporting automated response and recovery protocols.
Looking ahead, the integration of MOSAICS into DoD building codes could set a precedent for adopting similar cybersecurity frameworks across various sectors, both public and private. This adoption would enhance the resilience of critical infrastructure against cyber threats, ensuring the continuous delivery of essential services. Furthermore, the MOSAICS framework's vendor-agnostic and non-proprietary nature facilitates widespread adoption and customization to meet specific organizational needs.
In the realm of cybersecurity, various frameworks have been developed to protect sensitive information and critical infrastructure. Three notable frameworks are More Situational Awareness for Industrial Control Systems (MOSAICS), the Cybersecurity Maturity Model Certification (CMMC), and the Federal Risk and Authorization Management Program (FedRAMP). Each serves distinct purposes, targets specific audiences, and addresses unique aspects of cybersecurity. This article provides an in-depth comparison of these frameworks, highlighting their objectives, scopes, and applications.
MOSAICS: Enhancing Cyber Defense for Industrial Control Systems
Objective and Scope
MOSAICS is a cybersecurity framework developed by the Naval Information Warfare Center (NIWC) Atlantic to enhance the defense of Industrial Control Systems (ICS) that manage critical infrastructure, such as power grids and water treatment facilities. The primary goal of MOSAICS is to provide real-time situational awareness and operational defense against cyber threats targeting these systems.
Key Features
- Integration of Technologies: MOSAICS integrates commercial off-the-shelf (COTS) and government off-the-shelf (GOTS) technologies to monitor and protect ICS environments. This integration enables continuous passive monitoring, active enumeration of network assets, and automated response mechanisms.
- Vendor-Agnostic Architecture: The framework is designed to be vendor-neutral, allowing it to operate across various platforms and technologies without dependency on specific vendors.
- Real-Time Threat Detection: MOSAICS provides real-time detection and characterization of cyberattacks, supporting automated and autonomous response and recovery protocols.
Applications
MOSAICS is particularly relevant for organizations operating critical infrastructure facilities that rely on ICS. Its implementation enhances the resilience of these systems against cyber threats, ensuring the continuous and secure operation of essential services.
CMMC: Ensuring Cybersecurity in the Defense Industrial Base
Objective and Scope
The Cybersecurity Maturity Model Certification (CMMC) is a framework established by the U.S. Department of Defense (DoD) to assess and enhance the cybersecurity posture of contractors within the Defense Industrial Base (DIB). CMMC aims to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) handled by DoD contractors and subcontractors.
Key Features
- Maturity Levels: CMMC is structured into three maturity levels, each representing a progressively advanced set of cybersecurity practices and processes. Organizations must achieve the appropriate level based on the sensitivity of the information they handle.
- Third-Party Assessments: Certification requires assessments conducted by accredited Third-Party Assessment Organizations (C3PAOs) to verify compliance with the specified cybersecurity standards.
Applications
CMMC is mandatory for all contractors and subcontractors seeking to do business with the DoD. Achieving the required CMMC level is essential for organizations aiming to participate in defense contracts, ensuring they have implemented adequate cybersecurity measures to protect sensitive information.
FedRAMP: Standardizing Security for Cloud Services in Federal Agencies
Objective and Scope
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. Its primary goal is to ensure that cloud services meet stringent security requirements to protect federal information.
Key Features
- Impact Levels: FedRAMP categorizes cloud services into three impact levels—Low, Moderate, and High—based on the potential impact of a security breach. Each level has specific security control requirements.
- Authorization Process: Cloud Service Providers (CSPs) must undergo a rigorous assessment process, including evaluation by a Third-Party Assessment Organization (3PAO), to achieve FedRAMP authorization.
Applications
FedRAMP compliance is required for CSPs that provide cloud services to federal agencies. Achieving FedRAMP authorization demonstrates that a CSP has implemented the necessary security controls to protect federal data, facilitating trust and enabling federal agencies to leverage cloud technologies securely.
Comparative Analysis
Target Audience
- MOSAICS: Designed for operators of critical infrastructure utilizing Industrial Control Systems, including both public and private sector entities.
- CMMC: Targets defense contractors and subcontractors within the Defense Industrial Base handling FCI and CUI.
- FedRAMP: Applies to Cloud Service Providers offering services to federal agencies.
Framework Basis
- MOSAICS: Focuses on integrating existing technologies to enhance situational awareness and defense of ICS environments.
- CMMC: Based on NIST SP 800-171, outlining specific cybersecurity practices and processes across different maturity levels.
- FedRAMP: Built upon NIST SP 800-53, providing a comprehensive set of security controls tailored for cloud services.
Compliance Requirements
- MOSAICS: Implementation is voluntary but highly recommended for organizations seeking to enhance the cybersecurity of their ICS.
- CMMC: Mandatory for all DoD contractors and subcontractors, with certification levels determining eligibility for specific contracts.
Conclusion
The development of the MOSAICS cybersecurity framework by NIWC Atlantic represents a significant advancement in protecting critical infrastructure from cyber threats. By providing real-time threat detection and response capabilities, MOSAICS enhances the operational resilience of industrial control systems. Its potential integration into DoD building codes highlights the increasing recognition of cybersecurity as a fundamental component of infrastructure design and maintenance. As cyber threats continue to evolve, frameworks like MOSAICS will play a crucial role in safeguarding the systems that underpin our society.