Cybersecurity & Data Privacy Capability Maturity Model (C|P-CMM)

The Cybersecurity & Data Privacy Capability Maturity Model (C|P-CMM) is built directly into the Secure Controls Framework (SCF). The C|P-CMM is meant to solve the problem of objectivity in both establishing and evaluating cybersecurity and privacy controls. There are four (4) main objectives for the C|P-CMM:

  1. Provide CISO/CPOs/CIOs with objective criteria that can be used to establish expectations for a cybersecurity & privacy program;  
  2. Provide objective criteria for project teams so that secure practices are appropriately planned and budgeted for;
  3. Provide minimum criteria that can be used to evaluate third-party service provider controls; and
  4. Provide a means to perform due diligence of cybersecurity and privacy practices as part of Mergers & Acquisitions (M&A).

There are likely many other use cases that the C|P-CMM can be used, but those objectives listed above drove the development of this project. The reason for this simply comes down to a need by businesses, regardless of size or industry, for a solution that can help fix those common frustrations that exist in most cybersecurity and privacy programs. 

Nested Approach To Cybersecurity Maturity

The term “nested” regarding maturity, refers to how the C|P-CMM’s control criteria were written to acknowledge that each succeeding level of maturity is built upon its predecessor. Essentially, you cannot run without first learning how to walk. Likewise, you cannot walk without first learning how to crawl. This approach to defining cybersecurity & privacy control maturity is how the C|P-CMM is structured. 

The C|P-CMM draws upon the high-level structure of the Systems Security Engineering Capability Maturity Model v2.0 (SSE-CMM), since we felt it was the best model to demonstrate varying levels of maturity for people, processes and technology at a control level. If you are unfamiliar with the SSE-CMM, it is well-worth your time to read through the SSE-CMM Model Description Document that is hosted by the US Defense Technical Information Center (DTIC).

C|P-CMM Levels

The C|P-CMM draws upon the high-level structure of the Systems Security Engineering Capability Maturity Model v2.0 (SSE-CMM), since we felt it was the best model to demonstrate varying levels of maturity for people, processes and technology at a control level. If you are unfamiliar with the SSE-CMM, it is well-worth your time to read through the SSE-CMM Overview Document that is hosted by the US Defense Technical Information Center (DTIC).

The six (6) C|P-CMM levels are:

  1. CMM 0 – Not Performed
  2. CMM 1 – Performed Informally
  3. CMM 2 – Planned & Tracked
  4. CMM 3 – Well-Defined
  5. CMM 4 – Quantitatively Controlled
  6. CMM 5 – Continuously Improving

SCF Capability Maturity Model

C|P-CMM Level 0 (L0) – Not Performed

This level of maturity is defined as “non-existence practices,” where the control is not being performed:

L0 practices, or a lack thereof, are generally considered to be negligent. The reason for this is if a control is reasonably-expected to exist, by not performing the control that is negligent behavior. The need for the control could be due to a law, regulation or contractual obligation (e.g., client contract or industry association requirement).

Note – The reality with a L0 level of maturity is often:

C|P-CMM Level 1 (L1) – Performed Informally

This level of maturity is defined as “ad hoc practices,” where the control is being performed, but lacks completeness & consistency:

L1 practices are generally considered to be negligent. The reason for this is if a control is reasonably-expected to exist, by only implementing ad-hoc practices in performing the control that could be considered negligent behavior. The need for the control could be due to a law, regulation or contractual obligation (e.g., client contract or industry association requirement).

Note – The reality with a L1 level of maturity is often:

C|P-CMM Level 2 (L2) – Planned & Tracked

Practices are “requirements-driven” where the intent of control is met in some circumstances, but not standardized across the entire organization:

L2 practices are generally considered to be “audit ready” with an acceptable level of evidence to demonstrate due diligence and due care in the execution of the control. L2 practices are generally targeted on specific systems, networks, applications or processes that require the control to be performed for a compliance need (e.g., PCI DSS, HIPAA, CMMC, NIST 800-171, etc.).

It can be argued that L2 practices focus more on compliance over security. The reason for this is the scoping of L2 practices are narrowly-focused and are not enterprise-wide.

Note – The reality with a L2 level of maturity is often:

C|P-CMM Level 3 (L3) – Well-Defined

This level of maturity is defined as “enterprise-wide standardization,” where the practices are well-defined and standardized across the organization:

L3 practices are generally considered to be “audit ready” with an acceptable level of evidence to demonstrate due diligence and due care in the execution of the control. Unlike L2 practices that are narrowly focused, L3 practices are standardized across the organization. It can be argued that L3 practices focus on security over compliance, where compliance is a natural byproduct of those secure practices. These are well-defined and properly-scoped practices that span the organization, regardless of the department or geographic considerations.

Note – The reality with a L3 level of maturity is often:

C|P-CMM Level 4 (L4) – Quantitatively Controlled

This level of maturity is defined as “metrics-driven practices,” where in addition to being well-defined and standardized practices across the organization, there are detailed metrics to enable governance oversight:

L4 practices are generally considered to be “audit ready” with an acceptable level of evidence to demonstrate due diligence and due care in the execution of the control, as well as detailed metrics enable an objective oversight function. Metrics may be daily, weekly, monthly, quarterly, etc.

Note – The reality with a L4 level of maturity is often:

C|P-CMM Level 5 (L5) – Continuously Improving

This level of maturity is defined as “world-class practices,” where the practices are not only well-defined and standardized across the organization, as well as having detailed metrics, but the process is continuously improving:

L5 practices are generally considered to be “audit ready” with an acceptable level of evidence to demonstrate due diligence and due care in the execution of the control and incorporates a capability to continuously improve the process. Interestingly, this is where Artificial Intelligence (AI) and Machine Learning (ML) would exist, since AI/ML would focus on evaluating performance and making continuous adjustments to improve the process. However, AI/ML are not required to be L5.

Note – The reality with a L5 level of maturity is often:

There are no products listed under this category.

Learn More About Cybersecurity & Data Privacy