Question 1

What is a cyber security maturity model?

Accepted Answer

A cyber security maturity model is a set of characteristics or indicators that represent capability and progression within an organization’s security program. A maturity model often has multiple levels to represent the efficiency of a security program’s processes.

Question 2

What is the purpose of a maturity model?

Accepted Answer

A maturity models shows what level your security program is currently operating at to highlight areas for continuous improvement and efficiency in cyber security-related processes. Maturity models establish a cycle and approach to continuously improve an organization’s cyber security program.

Question 3

Does everyone need to follow a maturity model?

Accepted Answer

No, but it is highly recommended since the maturity concept can help organizations rapidly identify gaps and improve their processes to comply with regulations and protect sensitive data.

Question 4

What’s the difference between CMM and CMMC and CMMI?

Accepted Answer

CMM stands for Capability Maturity Model, which was initially designed to describe five levels of best engineering and management practices based on data from different industries. The CMM KPA (key performance areas) didn’t reveal architecturally significant flaws within organizations. CMM has since been replaced by other maturity models.

CMMI stands for Capability Maturity Model Integration and was initially designed as an improvement to the CMM. The CMMI’s maturity levels are also slightly different and focused on identifying architectural flaws within procedures.

The CMMI’s maturity levels are:

Level 0 — Incomplete. Everything is done ad hoc, and processes are unknown; work may or may not get completed.
Level 1 — Initial. Unpredictable and reactive. Work is completed but is often delayed and over budget.
Level 2 — Managed. Managed on the project level. Projects are planned, performed, measured, and controlled.
Level 3 — Defined. Proactive, not reactive. Organization-wide standards provide guidance across projects, programs, and portfolios.
Level 4 — Quantitatively Managed. Measured and controlled. The organization is data driven, utilizing quantitative performance objectives that align to the needs of internal and external stakeholders.
Level 5 — Optimizing. Stable and flexible. Processes focus on continuous improvement and are built to pivot and respond to opportunity and change.

CMMC stands for Cybersecurity Maturity Model Certification, which combines controls such as different versions of NIST and ISO to measure the maturity of a company’s cyber security processes. This is a formal certification that’s required for any organization that works for the Department of Defense or does work for organizations related to or connected with the DoD.

Question 5

Who needs to adhere with CMMC?

Accepted Answer

It’s a program rolled out by the DoD (Department of Defense) for standards implementing cyber security across the Defense Industrial base. It’s meant to protect the information and data on DoD networks and improve overall cyber security.

CMMC is necessary for anyone in the defense contract supply chain, including those who work directly with the Department of Defense and subcontractors who work with others to fulfill and execute those contracts. CMMC is designed to ensure that contractors have appropriate cyber security controls and to measure their readiness, capabilities, and sophistication. Any contractor who wants a federal contract must meet minimum standards to improve information and data protection in the supply chain.

Question 6

Are there other maturity models?

Accepted Answer

Yes, other maturity models such as the NIST Cybersecurity Framework exist, but many are built into specific security frameworks.

Question 7

What are the 5 levels of maturity?

Accepted Answer

There are slight differences in every security maturity model, but most follow the general progression below.

Level 1 — Initial: Typically incomplete, ad hoc, or unknown. Processes may be known or verbally communicated and are typically reactive. Security processes are not repeatable, measurable, or scalable.
Level 2 — Repeatable: A formal program has been established to some degree. Some processes have been established, defined, and documented.
Level 3 — Defined: The entire program has been formally documented, standardized, and defined for consistency across the organization.
Level 4 — Managed: The organization’s security program is now being measured, refined, and adapted to make processes more effective and efficient.

Level 5 — Optimizing: All security program processes are automated, documented, and regularly analyzed for continuous optimization. Cyber security is part of the organization’s overall culture, and processes are regularly evolving according to the organization’s needs.

You can find out more about these levels on our blog about security maturity models.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

CMMC Assessment Preparation Consulting Services

Progress begins with mature capability. Adopt methodology that accelerates improvement, and receive the Cybersecurity Maturity Model Certification (CMMC).

Mature Methodology
Yields Results

A Proven Approach to CMMC Preparation

CMMC Maturity Process Progression

CMMC Practice Progression

Establish a path to maturity that meets your needs with our proven methodology.

Security Expertise

Implement Quickly

Support Scalability

Trusted By Customers

Frequently Asked Questions

Latest Insights

Effective Security Doesn’t Have to be Complicated