What is the Cybersecurity Capability Maturity Model | Blog | Humanize

Download handbook

Home / Blog / What is the Cybersecurity Capability Maturity Model Blog

What is the Cybersecurity Capability Maturity Model

Published on Jul 22 2023

What is the Cybersecurity Capability Maturity Model

Companies with digital assets are constantly at risk of cyberattacks, especially as cybercriminals experiment with ever-more-intricate techniques. The Cybersecurity Capability Maturity Model is a “road map” for companies seeking to establish or improve their cyber defenses.  

This article defines the cybersecurity capability model and describes its features and advantages. 

What is the Cybersecurity Capability Maturity Model? 

A maturity model is a free tool that provides a standardized method for cybersecurity experts to evaluate the development of their cybersecurity programs over time. It aids the company in setting priorities, allocating resources, managing risks and being ready for attacks.  

In the 1980s, software engineering began to develop maturity models. The Capability Maturity Model (CMM) was created to aid the United States Department of Defense in evaluating the maturity of a contractor’s processes. Its job was to estimate the likelihood of delivering a successful software project. After that, capability maturity models have since spread to numerous fields, including cybersecurity, business process management, and service management.  

The United States Department of Energy created the most popular cybersecurity capability maturity model, C2M2, in 2012, with over 350 cybersecurity practices to evaluate the security status of the electricity sector. Later, many companies adopted the C2M2 model to establish a roadmap for improving their cybersecurity over time, determine their appropriate levels of cybersecurity maturity concerning the level of risk they faced, and prioritize the necessary actions and investments. 

Components of the Cybersecurity Capability Maturity Model: C2M2 

The C2M2 model has 350 cybersecurity practices divided into domains. Each cybersecurity practice has a maturity indicator level (MIL) showing how it has developed over time. The C2M2 model’s fundamental components are as follows: 

Practices and Objectives  

The cornerstone of the cybersecurity capability maturity model is the practice, and each practice precisely describes a cybersecurity activity the company may carry out. Each domain’s practices are grouped into objectives that can be fulfilled by putting those objectives into practice. 


There are ten critical domains, each representing a set of practices and concentrating on a particular subject area. In other words, domains group the cybersecurity practices in the capability maturity model. Following are the ten domain categories: 

  1. Risk Management: This domain identifies, assesses, and manages risks 
  2. Asset & Change Management: This domain keeps track of all assets, including operational technology and IT assets, and any changes or developments 
  3. Identity and Access Management: This domain addresses the issue of controlling user identity and access, which includes granting and revoking access and managing privileges 
  4. Threat and Vulnerability Management (TVM): This domain includes cybersecurity techniques for recognizing and addressing threats and vulnerabilities 
  5. Situational Awareness: This domain holds cybersecurity practices to assess the company’s current cybersecurity posture and keep stakeholders informed 
  6. Collaboration & Information Sharing: This domain ensures meeting reporting requirements for cybersecurity, communicating cybersecurity information to internal and external stakeholders, and taking part in information sharing and analysis centers 
  7. Response to an incident: This domain includes the cybersecurity procedures to guarantee business continuity, such as having an emergency response plan 
  8. Supply chain management: This domain establishes cybersecurity standards for suppliers and third-party risk management  
  9. Workforce education: This domain includes delegating responsibility for cybersecurity operations, screening potential hires, training them, and implementing cybersecurity awareness programs for all employees 
  10. Cybersecurity program management: This domain develops a cybersecurity program strategy and plan, secures funding for the program, sets up a cybersecurity architecture, and develops secure software 

Levels of Maturity Indicators (MILs) 

The cybersecurity capability maturity model uses a scale of maturity indicator levels (MIL) to evaluate advancement. Companies reach that level when implementing the cybersecurity procedures outlined in each MIL. These four MILs are: 

MIL0: No (Not Performed) 

MIL0 signifies that the cybersecurity procedures in MIL1 have not been implemented. The company remains in the MIL0 as long as even one of the domain’s MIL1 practices still needs to be executed. 

MIL1: Initiated 

MIL1 denotes the execution of the fundamental cybersecurity procedures that every business must follow. 

MIL2: Performed 

According to MIL2, cybersecurity practices are becoming increasingly comprehensive, sophisticated, and integrated into how the company runs: 

  • The procedures are recorded, and it involves stockholders 
  • The practices are given adequate resources 
  • Standards serve as a guide for the application of practices 
  • The activities are more in-depth or sophisticated than MIL1 activities 

MIL3: Managed 

Compared to MIL2 practices, MIL3 indicates that cybersecurity practices have advanced: 

  • Policies set the direction for domain activities 
  • Regular review of the activities is necessary to ensure compliance 
  • Authorities and responsibilities are clearly delineated and more thorough or sophisticated than MIL2 practices 

All businesses must comply with MIL1 to create a cybersecurity strategy. MIL2 and MIL3 differ depending on the circumstances and sector of the company.  

Benefits of the Cybersecurity Capability Maturity Model  

There are numerous advantages to using and adhering to the cybersecurity capability maturity model, including: 

  • Enhancing cybersecurity posture regardless of the company’s industry 
  • Maximizing investments in cybersecurity
  • Analyzing the effectiveness of the company’s existing cybersecurity measures 
  • Ensuring that everyone in the company understands cybersecurity 
  • Providing the company a snapshot of where it currently stands and where it needs to be in terms of cybersecurity, simplifying the decision-making process 
  • Implementing best practices gradually while using maturity indicators and making small improvements according to the company’s budget and business goals 


Implementing a proactive cyber security strategy is impossible when cybersecurity professionals are constantly bombarded with new cyber threats. Using a cybersecurity capabilities maturity model is an efficient and timely method for developing a cybersecurity strategy, as it helps to clarify what is the most pressing issue and provides breathing room for considering the next steps. 

Discover Salience with our 14-day money back guarantee