# Security Program Maturity Models
## Definition
A security program maturity model is a structured framework that defines progressive levels of capability for a cybersecurity program, from ad hoc and reactive at the lowest level to adaptive and continuously improving at the highest. Maturity models serve two functions: diagnosis (where are we now, and where are the gaps?) and planning (what does the next level require, and in what sequence should we build toward it?).
The concept originates in the Capability Maturity Model (CMM), developed at Carnegie Mellon's Software Engineering Institute in the late 1980s as a way to assess the process maturity of software development organizations. The model's five-level structure proved broadly applicable, and variants emerged across industries. Cybersecurity adopted CMM-derived frameworks extensively, producing several domain-specific models including C2M2, NIST CSF Tiers, CMMC, and numerous proprietary vendor assessments.
What all these models share is the insight that security capability is not binary. Organizations are not "secure" or "insecure." They exist on a spectrum of capability, and moving up that spectrum requires deliberate investment in process, people, and technology in a specific sequence. Trying to operate at Maturity Level 4 without the foundations of Levels 2 and 3 produces fragile, audit-grade security that collapses under real pressure.
## How It Works
Maturity assessments follow a consistent pattern regardless of the specific model being applied. An assessor (internal or external) reviews documented policies, observed practices, system configurations, and evidence artifacts against the criteria for each maturity level or tier. The result is a scored profile showing which capability areas are at which maturity level, where gaps exist relative to a target maturity level, and what specific activities are required to close each gap.
The five-level CMM-derived structure maps to cybersecurity as follows.
- Level 1 (Initial/Ad Hoc): security activities occur but are informal, undocumented, and dependent on individual heroics. Outcomes are inconsistent and unpredictable. There is no repeatable process.
- Level 2 (Repeatable/Developing): basic practices exist and are applied consistently in some areas. Success is not fully dependent on individuals, but processes are not organization-wide. Documentation is inconsistent.
- Level 3 (Defined/Implemented): security practices are formally documented, approved, and implemented across the organization. Processes are standardized. Staff are trained.
- Level 4 (Managed/Measured): security processes are measured and controlled using quantitative data. Performance is predictable within acceptable limits. Risk management is data-driven.
- Level 5 (Optimizing/Advanced): continuous improvement is embedded. The organization proactively adapts to new threats and technologies, learns from incidents and near-misses, and feeds operational data back into policy and process improvement.
Most organizations in most industries target Level 3 as the sustainable operating baseline. Level 4 and 5 capabilities are appropriate for organizations with critical infrastructure obligations, high regulatory exposure, or specific contractual requirements.
## Why It Matters
Maturity models matter because they create a shared, auditable language for security capability that all organizational stakeholders can engage with, not just security practitioners. A board member cannot evaluate whether a security team's technical decisions are correct, but they can understand whether the program is operating at Level 2 or Level 3, whether the target maturity aligns with the organization's risk profile, and whether the program is trending in the right direction.
For procurement and contracting, maturity levels have become a formal gate requirement. The Department of Defense's Cybersecurity Maturity Model Certification (CMMC) requires defense contractors to demonstrate and certify specific maturity levels before they can compete for contracts. This has elevated maturity measurement from an internal governance tool to an external market access requirement, with direct commercial consequences.
For budgeting and resource allocation, maturity models provide justification for security investment that finance leadership can evaluate. A gap analysis showing the specific capability difference between the current Level 2 and the required Level 3 translates directly into a resource and investment roadmap. This is far more persuasive to budget committees than a list of technical vulnerabilities without context.
For incident response and insurance underwriting, maturity assessments have become a standard input. Cyber insurers use maturity scoring to price premiums and set coverage conditions. Organizations that can demonstrate Level 3 or above across key control domains receive materially better terms.
The failure mode in maturity modeling is self-assessed inflation. Organizations declare higher maturity than their practices warrant, either through wishful interpretation of criteria or deliberate misrepresentation. Maturity without operational evidence is theater. The only meaningful maturity is the level at which the organization actually operates under real conditions, not the level it can document on paper for an auditor.
## Technical Details and Framework
NIST CSF Tiers are the most widely used maturity framework in the United States, applicable across all sectors regardless of size.
- Tier 1 (Partial): risk management practices are ad hoc and reactive, not informed by organizational risk objectives, and there is no awareness of supply chain risks.
- Tier 2 (Risk Informed): risk management practices are approved by management but not implemented organization-wide; awareness of supply chain risk exists, but practices are inconsistent.
- Tier 3 (Repeatable): security practices are formally approved policy, implemented consistently organization-wide, and integrated with business functions and budgeting.
- Tier 4 (Adaptive): the organization continuously improves its practices, incorporates real-time threat intelligence, and adapts its security posture dynamically based on lessons learned and emerging risk.

Most commercial organizations target Tier 3; critical infrastructure targets Tier 3-4.
C2M2 (Cybersecurity Capability Maturity Model) was developed by the U.S. Department of Energy for the energy sector and has since been adopted broadly across critical infrastructure. C2M2 uses 10 domains:
- Asset, Change, and Configuration Management
- Identity and Access Management
- Threat and Vulnerability Management
- Situational Awareness
- Information Sharing
- Event and Incident Response
- Supply Chain and External Dependencies Management
- Workforce Management
- Cybersecurity Program Management
- a domain for controls specific to operational technology

Each domain is assessed against the Management Indicator Levels MIL 0 through MIL 3:
- MIL 0: practices are not performed.
- MIL 1: practices are performed but not documented or managed.
- MIL 2: practices are documented, managed, and resourced.
- MIL 3: practices are managed within a defined policy framework and reviewed for effectiveness.
CMMC (Cybersecurity Maturity Model Certification) is the DoD's mandatory framework for defense industrial base contractors. CMMC 2.0, implemented through the Defense Federal Acquisition Regulation Supplement (DFARS), has three levels.
- Level 1 requires 17 basic cyber hygiene practices aligned to FAR 52.204-21, with annual self-assessment.
- Level 2 requires 110 practices fully aligned to NIST SP 800-171, with triennial third-party assessments (C3PAO) required for contracts involving Controlled Unclassified Information (CUI).
- Level 3 adds practices from NIST SP 800-172, with government-led assessments for contracts involving the most sensitive CUI.

Level 2 is the relevant target for most DoD contractors.
The maturity assessment process follows a defined methodology. The assessor reviews the organization's policies, procedures, system security plans, and configuration documentation for evidence of defined practices. Interviews validate that documented practices reflect actual operations. Technical reviews confirm that system configurations match claimed controls. Evidence artifacts (logs, tickets, training records, meeting minutes) are collected to substantiate claims. The output is a gap report scored by capability domain against the target maturity level.
Common frameworks and their alignment:
- ISO 27001 maps roughly to Level 3 in CMM-derived terms (the standard requires documented, implemented, and reviewed controls).
- SOC 2 Type II maps to Level 2-3 (it observes operating effectiveness over a period, but does not require optimization or adaptive improvement).
- CIS Controls v8 Implementation Groups provide a practical roadmap: IG1 is basic cyber hygiene (Level 2 equivalent), IG2 is comprehensive controls (Level 3 equivalent), and IG3 is advanced controls for high-value targets (Level 4 equivalent).
## CDA Perspective
CDA approaches maturity assessment through the lens of the Risk Governance and Assurance (RGA) domain, but maturity measurement cuts across all six domains of the Planetary Defense Model. The Shield, CDA's core diagnostic instrument, provides a 36-point posture measurement (six rings corresponding to the six PDM domains, six segments per ring) that produces a posture score from 0 to 100. This score is CDA's operationalized maturity measurement, tied to observable evidence rather than self-reported levels.
The critical design principle behind The Shield is that maturity must be measured, not declared. CDA's Autonomous Posture Command (APC) methodology in the SPH domain continuously monitors security posture through telemetry and evidence collection. When an organization claims Level 3 maturity in access control, APC validates that claim against observable control behavior: are MFA policies enforced, are privileged access reviews actually occurring on schedule, are authentication anomalies detected and responded to? Discrepancy between declared maturity and measured posture is itself a governance finding.
Under the Perpetual Compliance Assurance (PCA) methodology, maturity assessment is not an annual event. PCA treats compliance and maturity as continuous states, with The Shield providing ongoing visibility into whether the organization is actually operating at its declared maturity level. This is the antidote to the self-assessment inflation problem: when maturity measurement is continuous and evidence-based, organizations cannot game it with pre-audit preparation sprints.
CDA recognizes the distinction between maturity as a capability measurement and maturity as a risk reduction outcome. An organization can achieve Level 3 on paper with fully documented policies and consistently implemented controls and still have high residual risk if those controls are poorly designed for the actual threat environment. CDA pairs maturity assessment with quantitative risk analysis to ensure that capability investment is producing actual risk reduction, not just compliance conformance. Maturity without risk reduction is theater. CDA builds programs where maturity levels represent genuine operational capability tied to measurable security outcomes.
For CMMC-seeking defense contractors, CDA's RGA engagements include gap analysis against NIST SP 800-171 and preparation support for C3PAO assessments. The CDA approach treats CMMC not as an end goal but as a floor: the minimum capability required to operate in the defense market. Building toward CMMC Level 2 while implementing the full CDA program delivers capabilities well above the compliance minimum, which is the correct posture for organizations handling sensitive defense information.
## Key Takeaways
- Maturity models define progressive levels of security capability from ad hoc (Level 1) to continuously optimizing (Level 5), giving organizations a shared language for measuring and communicating security progress.
- NIST CSF Tiers (1-4), C2M2 (MIL 0-3), and CMMC (Levels 1-3) are the dominant maturity frameworks in the U.S., each with sector-specific application.
- Most commercial organizations should target NIST CSF Tier 3 or CMM Level 3 as the sustainable operating baseline; Tier 4 and Level 4-5 are for critical infrastructure and high-value targets.
- CMMC Level 2 is now a contractual requirement for DoD contractors handling CUI, with third-party assessment mandated for most affected contracts.
- Self-assessment inflation is the primary failure mode: maturity declarations without operational evidence are meaningless and, in regulated contexts, legally risky.
- CDA operationalizes maturity measurement through The Shield (36-point posture scoring) under the Perpetual Compliance Assurance methodology, making maturity continuous and evidence-based rather than periodic and self-reported.
- Maturity is only valuable when it correlates with actual risk reduction. Programs that optimize for maturity scores without reducing measurable risk exposure are building compliance theater.
## Related Articles
- Risk Governance and Assurance (RGA) Domain Overview
- Perpetual Compliance Assurance (PCA) Methodology
- The Shield: Posture Diagnostic Instrument
- CMMC Compliance and Defense Contracting
- NIST Cybersecurity Framework (CSF) Overview
- Cyber Risk Appetite and Tolerance
- CIS Controls v8 Implementation Groups
## Sources
- NIST Cybersecurity Framework 2.0, NIST (2024)
- Cybersecurity Capability Maturity Model (C2M2) Version 2.1, U.S. Department of Energy (2022)
- CMMC 2.0 Model Overview, U.S. Department of Defense (2021)
- NIST SP 800-171 Rev 3, Protecting Controlled Unclassified Information, NIST (2024)
- Capability Maturity Model Integration (CMMI) v2.0, Carnegie Mellon SEI / CMMI Institute
- CIS Controls v8 Implementation Groups, Center for Internet Security (2021)
- ISO/IEC 27001:2022, Information Security Management Systems Requirements, ISO/IEC (2022)