Cybersecurity Capacity Maturity Models
Maturity models
This page provides resources and references for capability maturity models. A capability maturity model assesses capabilities against a set of characteristics, indicators, attributes, or patterns, usually referred to as "processes." Maturity is reflected in repeatable processes that are ingrained in the culture of the organization or community. Using a maturity model as the foundation for improving practices, processes, and performance offers long-lasting benefits to organizations, industries, and communities of practice.
Key advantages of maturity models include:
- Built-in improvement roadmaps
- Flexibility and adaptability to various contexts
- Easier adoption compared to formal technical standards or compliance-driven regimes
Comparative Overview of Cybersecurity Capacity Maturity Models for Operational Technology (OT) Intensive Sectors
The models below are generic cybersecurity capacity maturity models that build on well-known, widely accepted standards and concepts.
Note that while some models, such as the CMM, are publicly available and can be used by anyone, applying them effectively requires a certain level of expertise. It is therefore advisable to work with experienced implementers who are familiar with the CMM methodology.
| Model | Developer | Unit of analysis | Focus | Objective | Complexity | Free of charge | Self-assessment |
|---|---|---|---|---|---|---|---|
| ES-C2M2 | Dept. of Energy, US | A single company | Sector specific, electricity sector | Assess cyber capability maturity. | Medium | | |
| PIPE-C2M2 | Dept. of Energy, US | A single company | Sector specific, oil and gas | Assess cyber capability maturity. | Medium | | |
| | Dept. of Energy, US | A single company | Generic, supersedes ES-C2M2 and ONG-C2M2 | Assess cyber capability maturity. | Medium | | |
| | NARUC, US | A single company | Sector specific, utilities, electricity | Assess the cyber capability maturity of public utilities. | Medium | | |
| | CSA and Mercer, Singapore | A single company | OT/ICS workforce | Develop the skills of OT cybersecurity practitioners. | High | | |
| | University of Texas, US | A single company | Generic | Build a program focused on a subsector community's response to a cyber incident. | Medium | | |
Comparative Overview of Cybersecurity Capacity Maturity Models
| Developer | Unit of analysis | Focus | Objective | Complexity | Free of charge | Self-assessment |
|---|---|---|---|---|---|---|
| Carnegie Mellon University, now ISACA | A single company | Generic, initially for software development | A general capability maturity model. | Medium | | |
| National Institute of Standards and Technology, US | A single company | Generic | A general resilience framework for managing cyber risks; simplifies and unifies communication of cybersecurity needs. | High | | |
| Dept. of Defense, US | A single company | Generic | Assure cybersecurity practices and processes. | High | | |
| Oxford University | A country, national level | Generic | Build a nation's cybersecurity capacity. | High | | |
| Potomac Institute for Policy Studies (PIPS) | A country, national level | Generic | Assess country-level maturity of the national cyber infrastructure. | High | | |