Download the CMM 2021 Edition
The Cybersecurity Capacity Maturity Model for Nations (CMM) is a methodical framework designed to review a country’s cybersecurity capacity. The CMM considers cybersecurity to comprise five Dimensions which, together, constitute the breadth of national capacity that a country requires to be effective in delivering cybersecurity:
- Developing cybersecurity policy and strategy;
- Encouraging responsible cybersecurity culture within society;
- Building cybersecurity knowledge and capabilities;
- Creating effective legal and regulatory frameworks; and
- Controlling risks through standards and technologies.
Dimension: the five Dimensions together cover the breadth of national cybersecurity capacity assessed by the CMM. Each Dimension is constituted by a range of Factors, which capture the core capacities required to deliver the Dimension. Together, they represent the different ‘lenses’ through which cybersecurity capacity can be evidenced and analysed;
Factor: within the five Dimensions, Factors describe what it means to possess cybersecurity capacity. These are the essential elements of national capacity, which are then measured for maturity Stage. The complete list of Factors seeks to holistically incorporate all of a nation’s cybersecurity capacity needs. Most Factors are composed of a number of Aspects which structure the Factor’s Indicators into more concise parts (which directly relate to evidence gathering and measurement). However, some Factors that are more limited in scope do not have specific Aspects;
Aspect: where a Factor possesses multiple components, these are Aspects. Aspects are an organisational method to divide Indicators into smaller clusters that are easier to comprehend. The number of Aspects depends on the themes that emerge in the content of the Factor and the overall complexity of the Factor;
Stage: Stages define the degree to which a country has progressed in relation to a certain Factor or Aspect of cybersecurity capacity. The CMM consists of five distinct Stages of maturity: start-up, formative, established, strategic, dynamic (detailed on page 8). A CMM review will benchmark a country against these Stages, capturing existing cybersecurity capacity, from which a country can improve or decline depending on the actions taken (or inaction). Within each Stage there are a number of Indicators which a country must fulfil to have successfully reached the Stage.
Indicator: Indicators represent the most basic part of the CMM’s structure. Each Indicator describes the steps, actions, or building blocks that are indicative of a specific Stage of maturity. To have successfully reached a Stage of maturity, a country will need to convince itself that it can evidence each of the Indicators. In order to elevate a country’s cybersecurity capacity maturity, all of the Indicators within a particular Stage will need to have been fulfilled. Most of these Indicators are binary in nature, i.e., the country can either evidence it has fulfilled the Indicator criteria, or it cannot provide such evidence.