CMMC Practice CA.4.163: Create, maintain, and leverage a security roadmap for improvement.
CMMC CLARIFICATION (Ref CMMC – Appendix B)
An organization must explicitly identify its desired end-state for cybersecurity capabilities and document a roadmap describing the planned path forward. Adding security measures along the way reduces the likelihood that a cyber-attack succeeds or minimizes the impact of one that does. The roadmap should set short-, medium-, and long-term goals for the organization. Plan for what the organization wants to accomplish in the next 6-12 months (short term). Also plan for 12-36 months (medium term), and plan for 5-10 years (long term). All of the plans can be adjusted over time, but having them in place supports budgeting, sets priorities, and makes clear where the organization is going in order to keep its environment safe from adversaries.