Capability Maturity Model

The Secure Controls Framework (SCF) published the Cybersecurity & Data Privacy Capability Maturity Model (C|P-CMM) that leverages an industry standard, the System Security Engineering Capability Maturity Model (SSE-CMM). There are six (6) levels of this cybersecurity maturity model:

  • CMM Level 0 - Not Performed;
  • CMM Level 1 - Performed Informally;
  • CMM Level 2 - Planned & Tracked;
  • CMM Level 3 - Well-Defined;
  • CMM Level 4 - Quantitatively Controlled;
  • CMM Level 5 - Continuously Improving.

SCF Cybersecurity Maturity Model

Cybersecurity Capability Maturity Model Example

How Do You Define Cybersecurity Maturity Model Criteria?

The SCF's C|P-CMM defines maturity model criteria as:

CMM Level 0 - Not Performed

This level of maturity is defined as “non-existent practices,” where the control is not being performed:

  • Practices are non-existent, where a reasonable person would conclude the control is not being performed.
  • Evidence of due care and due diligence does not exist to demonstrate compliance with applicable statutory, regulatory and/or contractual obligations.

CMM Level 1 - Performed Informally

This level of maturity is defined as “ad hoc practices,” where the control is being performed, but lacks completeness & consistency:

  • Practices are “ad hoc,” where the intent of a control is not met due to a lack of consistency and formality.
  • When the control is met, it lacks consistency and formality (e.g., rudimentary practices are performed informally).
  • A reasonable person would conclude the control is not consistently performed in a structured manner.
  • Performance depends on the specific knowledge and effort of the individual performing the task(s), and the performance of these practices is not proactively governed.
  • Limited evidence of due care and due diligence exists, so it would be difficult to legitimately disprove a claim of negligence for how cybersecurity/privacy controls are implemented and maintained.

CMM Level 2 - Planned & Tracked

This level of maturity is defined as “requirements-driven practices,” where the intent of a control is met in some circumstances, but not standardized across the entire organization:

  • Practices are “requirements-driven” (e.g., specified by a law, regulation or contractual obligation) and are tailored to meet those specific compliance obligations (e.g., evidence of due diligence).
  • Performance of a control is planned and tracked according to specified procedures and work products conform to specified standards (e.g., evidence of due care).
  • Controls are implemented in some, but not all applicable circumstances/environments (e.g., specific enclaves, facilities or locations).
  • A reasonable person would conclude controls are “compliance-focused” to meet a specific obligation, since the practices are applied at a local/regional level and are not standardized practices across the enterprise.
  • Sufficient evidence of due care and due diligence exists to demonstrate compliance with specific statutory, regulatory and/or contractual obligations.

Note - CMM L2 practices are not considered to be “audit ready” at the enterprise level: the evidence of due diligence and due care that exists is narrowly scoped to the specific obligations and environments where the control is applied, rather than to the execution of the control across the organization.

CMM Level 3 - Well-Defined

This level of maturity is defined as “enterprise-wide standardization,” where the practices are well-defined and standardized across the organization:

  • Practices are standardized “enterprise-wide” where the control is well-defined and standardized across the entire enterprise.
  • Controls are implemented in all applicable circumstances/environments (deviations are documented and justified).
  • Practices are performed according to a well-defined process using approved, tailored versions of standardized processes.
  • Performance of a control is according to specified well-defined and standardized procedures.
  • Control execution is planned and managed using an enterprise-wide, standardized methodology.
  • A reasonable person would conclude controls are “security-focused,” addressing both mandatory and discretionary requirements. Compliance could reasonably be viewed as a “natural byproduct” of secure practices.
  • Sufficient evidence of due care and due diligence exists to demonstrate compliance with specific statutory, regulatory and/or contractual obligations.

Note - CMM L3 practices are considered to be “audit ready” with an acceptable level of evidence to demonstrate due diligence and due care in the execution of the control. Unlike L2 practices that are narrowly focused, CMM L3 practices are standardized across the organization.

CMM Level 4 - Quantitatively Controlled

This level of maturity is defined as “metrics-driven practices,” where in addition to being well-defined and standardized practices across the organization, there are detailed metrics to enable governance oversight:

  • Practices are “metrics-driven” and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations, and identify areas for improvement.
  • Practices build upon established CMM L3 maturity criteria and have detailed metrics to enable governance oversight.
  • Detailed measures of performance are collected and analyzed. This leads to a quantitative understanding of process capability and an improved ability to predict performance.
  • Performance is objectively managed, and the quality of work products is quantitatively known.

CMM L4 practices are considered to be “audit ready” with an acceptable level of evidence to demonstrate due diligence and due care in the execution of the control, as well as detailed metrics that enable an objective oversight function. Metrics may be collected daily, weekly, monthly, quarterly, etc.

CMM Level 5 - Continuously Improving

This level of maturity is defined as “world-class practices,” where the practices are not only well-defined, standardized across the organization and supported by detailed metrics, but also continuously improving:

  • Practices are “world-class” capabilities that leverage predictive analysis.
  • Practices build upon established L4 maturity criteria and are time-sensitive to support operational efficiency, which likely includes automated actions through machine learning or Artificial Intelligence (AI).
  • Quantitative performance goals (targets) for process effectiveness and efficiency are established, based on the business goals of the organization.
  • Process improvements are implemented according to “continuous improvement” practices to effect process changes.

CMM L5 practices are considered to be “audit ready” with an acceptable level of evidence to demonstrate due diligence and due care in the execution of the control, and they incorporate a capability to continuously improve the process. Interestingly, this is where Artificial Intelligence (AI) and Machine Learning (ML) would fit, since AI/ML would focus on evaluating performance and making continuous adjustments to improve the process. However, AI/ML are not required to reach CMM L5.