The CMM

5 dimensions

This revised Cybersecurity Capacity Maturity Model for Nations (CMM) builds upon the success of the first, which has been deployed since 2015 through cooperation with our strategic partners: Organization of American States (OAS), World Bank, Commonwealth Telecommunications Organisation (CTO) and the International Telecommunication Union (ITU). Through these partnerships, the CMM has been used in over 80 countries, including UK, Kosovo, Bhutan, Uganda, Senegal, Kyrgyz Republic, Cyprus, Lithuania, Madagascar and Indonesia, and underpinned a regional study in Latin America and the Caribbean through collaboration with the OAS: Cybersecurity Report 2016: Are We Ready in Latin America and the Caribbean?

In the revised CMM we respond to the constantly changing and evolving nature of cybersecurity capacity and the developments in the field. To achieve this we incorporated lessons learnt gained from the model’s deployment across the world, and included insights gauged from a thorough consultation process with the Capacity Centre’s Expert Advisory Panel and other cybersecurity experts.

The Cybersecurity Capacity Maturity Model for Nations maintains the structure of the first version by looking at cybersecurity capacity through the five dimensions crucial to building a country’s cybersecurity capacity:

  • Cybersecurity Policy and Strategy
  • Cyber Culture and Society
  • Cybersecurity Education, Training and Skills
  • Legal and Regulatory Frameworks
  • Standards, Organisations, and Technologies

The five distinct stages of maturity within each of the dimensions remain unchanged: start-up, formative, established, strategic, and dynamic. These serve as a measure of existing cybersecurity capacity which countries can then use to develop their cybersecurity capacity building strategies.  

To improve the clarity and precision of the model, we incorporated details related to crucial issues detected in the cybersecurity-capacity environment: for example, regarding the importance of protection of personal information online, the existence of effective mechanisms for users to report cybercrime, and the presence of both educational and professional training frameworks. These issues also highlighted the need to account for developing awareness of software quality and for the existence of technical security and cryptographic controls. With these enhancements to the content and structure, the CMM incorporates revisions based on lessons learnt from the field, consultations with our expert panel and responds to trends and developments in the cybersecurity capacity landscapes.

Our effort to improve the CMM is an ongoing exercise as we continue to deploy the model across the world with our partners this year. The new lessons learnt will be used to further improve the model. Our aim is to ensure the CMM remains applicable to all national contexts and reflects the fast-changing state of cybersecurity capacity maturity in the different regions across the globe.

Download the CMM