Security Frameworks and Maturity Models


NIST Cybersecurity Framework
  • NIST Cybersecurity Framework (CSF)
    • Recognizing the national and economic security of the United States depends on the reliable function of critical infrastructure, the President issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, in February 2013.
    • The Order directed NIST to work with stakeholders to develop a voluntary framework – based on existing standards, guidelines, and practices – for reducing cyber risks to critical infrastructure. The Cybersecurity Enhancement Act of 2014 reinforced NIST’s EO 13636 role.
  • OWASP Cyber Defense Matrix
    • The Cyber Defense Matrix organizes what we need to secure into a logical construct so that, when we go into the security vendor marketplace, we can quickly discern which products solve which problems and understand the core function of a given product.
    • Although the Cyber Defense Matrix was initially created to help organize security technologies, many other use cases have been discovered to help build, manage, and operate a security program.
    • The basic construct of the Cyber Defense Matrix starts with two dimensions.
      • The first dimension captures the five operational functions of the NIST Cybersecurity Framework: IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER.
      • The second dimension captures the five asset classes we try to secure: DEVICES, APPLICATIONS, NETWORKS, DATA, and USERS.
Cyber Defense Matrix (Source: OWASP)
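The "build, manage, and operate a security program" use case above comes down to placing every control in one cell of the 5 × 5 grid and reading off the empty cells. The script below is an added example, not OWASP's code or part of the original page; the control inventory is constructed and the control names are generic placeholders, not real products.

```python
"""Gap analysis over the OWASP Cyber Defense Matrix.

The matrix is a 5 x 5 grid: NIST CSF functions on one axis, asset classes on
the other. Each control or product in an inventory is placed in one cell, and
the empty cells are the coverage gaps.
"""

FUNCTIONS = ("IDENTIFY", "PROTECT", "DETECT", "RESPOND", "RECOVER")
ASSET_CLASSES = ("DEVICES", "APPLICATIONS", "NETWORKS", "DATA", "USERS")

# Constructed sample inventory: (control name, CSF function, asset class).
# The names are generic placeholders, not real vendor products.
SAMPLE_INVENTORY = [
    ("asset-discovery-scanner", "IDENTIFY", "DEVICES"),
    ("endpoint-hardening-baseline", "PROTECT", "DEVICES"),
    ("edr-agent", "DETECT", "DEVICES"),
    ("sast-in-ci", "IDENTIFY", "APPLICATIONS"),
    ("web-application-firewall", "PROTECT", "APPLICATIONS"),
    ("perimeter-firewall", "PROTECT", "NETWORKS"),
    ("network-ids", "DETECT", "NETWORKS"),
    ("dlp-gateway", "PROTECT", "DATA"),
    ("offline-backups", "RECOVER", "DATA"),
    ("awareness-training", "PROTECT", "USERS"),
    ("mfa", "PROTECT", "USERS"),
]


def build_matrix(inventory):
    """Place every inventory entry in its cell; reject entries off the grid."""
    matrix = {f: {a: [] for a in ASSET_CLASSES} for f in FUNCTIONS}
    for name, function, asset in inventory:
        if function not in FUNCTIONS:
            raise ValueError(f"{name}: unknown function {function!r}")
        if asset not in ASSET_CLASSES:
            raise ValueError(f"{name}: unknown asset class {asset!r}")
        matrix[function][asset].append(name)
    return matrix


def uncovered_cells(matrix):
    """Cells with no control at all: the gaps to prioritize."""
    return [(f, a) for f in FUNCTIONS for a in ASSET_CLASSES if not matrix[f][a]]


def coverage_by_function(matrix):
    """How many of the five asset classes each function covers (0-5)."""
    return {f: sum(1 for a in ASSET_CLASSES if matrix[f][a]) for f in FUNCTIONS}


def render(matrix):
    """Text rendering of the grid; each cell shows its control count."""
    width = max(len(a) for a in ASSET_CLASSES) + 2
    header = "".ljust(10) + "".join(a.ljust(width) for a in ASSET_CLASSES)
    rows = [header]
    for f in FUNCTIONS:
        cells = "".join(str(len(matrix[f][a])).ljust(width) for a in ASSET_CLASSES)
        rows.append(f.ljust(10) + cells)
    return "\n".join(rows)


if __name__ == "__main__":
    m = build_matrix(SAMPLE_INVENTORY)
    print(render(m))
    print("coverage by function:", coverage_by_function(m))
    print("uncovered cells:", uncovered_cells(m))
```

Run against the sample inventory, the PROTECT row is fully populated while RESPOND has nothing and RECOVER covers a single asset class, which is the kind of imbalance the matrix is meant to make visible before the next purchase decision.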

Maturity Models

  • ISACA Capability Maturity Model Integration (CMMI)
    • Administered by the CMMI Institute, a subsidiary of ISACA, it was developed at Carnegie Mellon University (CMU).
    • It is required by many U.S. Government contracts, especially in software development.
    • In March 2016, the CMMI Institute was acquired by ISACA.
  • Cybersecurity Maturity Model Certification (CMMC)
    • The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) recognizes that security is foundational to acquisition and should not be traded along with cost, schedule, and performance moving forward.
    • The Department is committed to working with the Defense Industrial Base (DIB) sector to enhance the protection of controlled unclassified information (CUI) within the supply chain.
  • ISO/IEC 21827, Systems Security Engineering — Capability Maturity Model (SSE-CMM)
    • ISO/IEC 21827:2008 describes the essential characteristics of an organization’s security engineering process that must exist to ensure good security engineering.
    • ISO/IEC 21827:2008 does not prescribe a particular process or sequence, but captures practices generally observed in industry.
  • OWASP Software Assurance Maturity Model (SAMM)
    • Our mission is to provide an effective and measurable way for you to analyze and improve your secure development lifecycle.
    • SAMM supports the complete software lifecycle and is technology and process agnostic. We built SAMM to be evolutive and risk-driven in nature, as there is no single recipe that works for all organizations.
    • The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.
  • RIMS Risk Maturity Model
    • The RIMS Risk Maturity Model (RMM) is both a best practice framework for enterprise risk management and a free online assessment tool for risk professionals.
    • The RMM allows you to assess the strength of your ERM program and make a plan for improvement based on your results.
CMMI Constellations (figure)
SAMM Overview (figure)
CMMC Levels, Processes, and Practices (Source: AWS)

