Development and Evolution of the CMM

In 2014, the GCSCC undertook a global collaborative exercise  to develop the first iteration of the Cybersecurity Capacity Maturity Model for Nations (CMM), working alongside over 200 experts from academia, international and regional organisations and the private sector. The goal was to extract and synthesise the community’s knowledge, identifying the most important factors for a nation’s cybersecurity capacity and the steps necessary for the nation to reach consequent levels of maturity. This process was seeded in an open vision that at least five Dimensions of maturity should be considered. These Dimensions and the factors that constitute them were subsequently refined using thematic-coding analysis, focus groups data and the results of a broad survey of literature.

In 2015 the structure of the CMM was complemented with a deployment methodology and the subsequent piloting of the CMM in six countries across the world. The results gathered from this initial phase of deployment served to revise the first iteration of the model, which also enjoyed support and input from the Capacity Centre’s Technical Board and Expert Advisory Panel. The discussions led to the refinement of existing factors, identified new factors and culminated with the publication of a revised version of the CMM in February 2017.

In late 2019, the GCSCC undertook a global collaborative exercise aimed at extracting and synthesising the community’s latest knowledge. It developed change proposals based on lessons learnt from CMM deployments, and undertook a series of online and offline consultations with experts, to validate the findings and discuss the changes. This revision process had over 150 expert contributions and more than 74 online calls. Those who were consulted included the GCSCC Expert Advisory Panel, strategic, regional and implementation partners of the GCSCC, and other experts from academia, international and regional organisations, governments, the private sector, and civil society. As a result of this thorough effort, the GCSCC was able to identify key areas where the CMM could be updated to meet the demands of a rapidly changing cybersecurity environment. A new version of the CMM was launched on 25th March 2021.


Follow this link to track changes from the 2016-2021 CMM editions.