Security & Privacy Capability Maturity Model (SP-CMM)

The SP-CMM is meant to solve the problem of objectivity in both establishing and evaluating cybersecurity and privacy controls. There are three main objectives for the SP-CMM:

Provide CISOs/CPOs/CIOs with objective criteria that can be used to establish expectations for a cybersecurity & privacy program
Provide objective criteria for project teams so that secure practices are appropriately planned and budgeted for
Provide minimum criteria that can be used to evaluate third-party service provider controls

There are likely many other use cases that the SP-CMM can be used, but those three objectives listed above drove the development of this project. The reason for this simply comes down to a need by businesses, regardless of size or industry, for a solution that can help fix those three common frustrations that exist in most cybersecurity and privacy programs. We want to help eliminate, or at least minimize, the Fear, Uncertainty & Doubt (FUD) that is used to justify purchases and/or evaluate controls by injecting objectivity into the process.

Not Just Another CMM

There are many competing models that exist to demonstrate maturity. Given the available choices, the SCF decided to leverage an existing framework, rather than reinvent the wheel. In simple terms, we provided control-level criteria to an existing CMM model.

The SP-CMM draws upon the high-level structure of the Systems Security Engineering Capability Maturity Model v2.0 (SSE-CMM), since we felt it was the best model to demonstrate varying levels of maturity for people, processes and technology at a control level. If you are unfamiliar with the SSE-CMM, it is well-worth your time to read through the SSE-CMM Overview Document that is hosted by the US Defense Technical Information Center (DTIC).

Nested Approach to Maturity Targets

By using the term “nested” regarding maturity, we are referring how the SP-CMM’s control criteria were written to acknowledge that each succeeding level of maturity is built upon its predecessor. Essentially, you cannot run without first learning how to walk. Likewise, you cannot walk without first learning how to crawl. This approach to defining cybersecurity & privacy control maturity is how the SP-CMM is structured.

SP-CMM Levels

The six (6) SP-CMM levels are:

CMM 0 – Not Performed
CMM 1 – Performed Informally
CMM 2 – Planned & Tracked
CMM 3 – Well Defined
CMM 4 – Quantitatively Controlled
CMM 5 – Continuously Improving

CMM 0 - Not Performed

This level of maturity is defined as “non-existence practices,” where the control is not being performed.

There are no identifiable work products of the process.

CMM 0 practices, or a lack thereof, would be considered negligent. The reason for this is if a control is reasonably-expected to exist, by not performing the control that would be negligent behavior. The need for the control could be due to a law, regulation or contractual obligation (e.g., client contract or industry association requirement).

CMM 1 - Performed Informally

This level of maturity is defined as “ad hoc practices,” where the control is being performed, but lacks completeness & consistency.

Base practices of the process area are generally performed.
The performance of these base practices may not be rigorously planned and tracked.
Performance depends on individual knowledge and effort.
There are identifiable work products for the process.

CMM 1 practices are generally considered to be negligent. The reason for this is if a control is reasonably-expected to exist, by only implementing ad-hoc practices in performing the control that could be considered negligent behavior. The need for the control could be due to a law, regulation or contractual obligation (e.g., client contract or industry association requirement).

Note – The reality with a CMM 1 level of maturity is often:

For smaller organizations, the IT support role only focuses on “break / fix” work or the outsourced IT provider has a limited scope in its support contract.
For medium / large organizations, there is IT staff but there is no management focus to spend time on the control.

CMM 2 - Planned & Tracked

This level of maturity is defined as “requirements-driven practices,” where the expectations for controls are known (e.g., statutory, regulatory or contractual compliance obligations) and practices are tailored to meet those specific requirements.

Performance of the base practices in the process area is planned and tracked.
Performance according to specified procedures is verified.
Work products conform to specified standards and requirements.

CMM 2 practices are generally considered to be “audit ready” with an acceptable level of evidence to demonstrate due diligence and due care in the execution of the control. CMM 2 practices are generally targeted on specific systems, networks, applications or processes that require the control to be performed for a compliance need (e.g., PCI DSS, HIPAA, NIST 800-171, etc.).

It can be argued that CMM 2 practices focus more on compliance over security. The reason for this is the scoping of CMM 2 practices are narrowly-focused and are not organization-wide.

Note – The reality with a CMM 2 level of maturity is often:

For smaller organizations:
- IT staff have clear requirements to meet applicable compliance obligations or the outsourced IT provider is properly scoped in its support contract to address applicable compliance obligations.
- It is unlikely that there is a dedicated cybersecurity role and at best it is an additional duty for existing personnel
For medium / large organizations:
- IT staff have clear requirements to meet applicable compliance obligations.
- There is most likely a dedicated cybersecurity role or a small cybersecurity team.

CMM 3 - Well Defined

This level of maturity is defined as “enterprise-wide standardization,” where the practices are well-defined and standardized across the organization.

Base practices are performed according to a well-defined process using approved, tailored versions of standard, documented processes.
Process is planned and managed using an organization-wide, standardized process.

CMM 3 practices are generally considered to be “audit ready” with an acceptable level of evidence to demonstrate due diligence and due care in the execution of the control. Unlike CMM 2 practices that are narrowly focused, CMM 3 practices are standardized across the organization.

It can be argued that CMM 3 practices focus on security over compliance, where compliance is a natural byproduct of those secure practices. These are well-defined and properly-scoped practices that span the organization, regardless of the department or geographic considerations.

Note – The reality with a CMM 3 level of maturity is often:

For smaller organizations:
- There is a small IT staff that has clear requirements to meet applicable compliance obligations.
- There is a very competent leader (e.g., security manager / director) with solid cybersecurity experience who has the authority to direct resources to enact secure practices across the organization.
For medium / large organizations:
- IT staff have clear requirements to implement standardized cybersecurity & privacy principles across the enterprise.
- In addition to the existence of a dedicated cybersecurity team, there are specialists (e.g., engineers, SOC analysts, GRC, privacy, etc.)
- There is a very competent leader (e.g., CISO) with solid cybersecurity experience who has the authority to direct resources to enact secure practices across the organization.

CMM 4 - Quantitatively Controlled

This level of maturity is defined as “metrics-driven practices,” where in addition to being well-defined and standardized practices across the organization, there are detailed metrics to enable governance oversight.

Detailed measures of performance are collected and analyzed. This leads to a quantitative understanding of process capability and an improved ability to predict performance.
Performance is objectively managed, and the quality of work products is quantitatively known..

CMM 4 practices are generally considered to be “audit ready” with an acceptable level of evidence to demonstrate due diligence and due care in the execution of the control, as well as detailed metrics enable an objective oversight function. Metrics may be daily, weekly, monthly, quarterly, etc.

Note – The reality with a CMM 4 level of maturity is often:

For smaller organizations, it is unrealistic to attain this level of maturity.
For medium / large organizations:
- IT staff have clear requirements to implement standardized cybersecurity & privacy principles across the enterprise.
- In addition to the existence of a dedicated cybersecurity team, there are specialists (e.g., engineers, SOC analysts, GRC, privacy, etc.)
- There is a very competent leader (e.g., CISO) with solid cybersecurity experience who has the authority to direct resources to enact secure practices across the organization
- Business stakeholders are made aware of the status of the cybersecurity and privacy program (e.g., quarterly business reviews to the CIO/CEO/board of directors). This situational awareness is made possible through detailed metrics.

CMM 5 - Continuously Improving

This level of maturity is defined as “world-class practices,” where the practices are not only well-defined and standardized across the organization, as well as having detailed metrics, but the process is continuously improving.

Quantitative performance goals (targets) for process effectiveness and efficiency are established, based on the business goals of the organization.
Continuous process improvement against these goals is enabled by quantitative feedback from performing the defined processes and from piloting innovative ideas and technologies.

CMM 5 practices are generally considered to be “audit ready” with an acceptable level of evidence to demonstrate due diligence and due care in the execution of the control and incorporates a capability to continuously improve the process. Interestingly, this is where Artificial Intelligence (AI) and Machine Learning (ML) would exist, since AI/ML would focus on evaluating performance and making continuous adjustments to improve the process. However, AI/ML are not requirements to be CMM 5.

Note – The reality with a CMM 5 level of maturity is often:

For smaller organizations, it is unrealistic to attain this level of maturity.
For medium-sized organizations, it is unrealistic to attain this level of maturity.
For large organizations:
- IT staff have clear requirements to implement standardized cybersecurity & privacy principles across the enterprise.
- In addition to the existence of a dedicated cybersecurity team, there are specialists (e.g., engineers, SOC analysts, GRC, privacy, etc.)
- There is a very competent leader (e.g., CISO) with solid cybersecurity experience who has the authority to direct resources to enact secure practices across the organization.
- Business stakeholders are made aware of the status of the cybersecurity and privacy program (e.g., quarterly business reviews to the CIO/CEO/board of directors). This situational awareness is made possible through detailed metrics.
- The organization has a very aggressive business model that requires not only IT, but its cybersecurity and privacy practices, to be innovative to the point of leading the industry in how its products and services are designed, built or delivered.
- The organization invests heavily into developing AI/ML technologies to made near real-time process improvements to support the goal of being an industry leader.

The SP-CMM is meant to solve the problem of objectivity in both establishing and evaluating cybersecurity and privacy controls. There are three main objectives for the SP-CMM...