Effective CISSP Questions

According to Martin Fowler, a maturity model is a tool that helps people assess the current effectiveness of a person or group and supports figuring out what capabilities they need to acquire next in order to improve their performance. Which of the following is an open-source maturity model to help organizations assess, formulate, and implement a software security strategy that can be integrated into their existing Software Development Lifecycle (SDLC)?
A. Software Assurance Maturity Model (SAMM)
B. Capability Maturity Model Integration (CMMI)
C. Cybersecurity Maturity Model Certification (CMMC)
D. Systems Security Engineering Capability Maturity Model (SSE-CMM)

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is Software Assurance Maturity Model (SAMM).

OWASP’s Software Assurance Maturity Model is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.

Domain 8: SAMM

[Figure: SAMM Overview]

Capability Maturity Model Integration (CMMI)

  • CMMI is registered in the U.S. Patent and Trademark Office by CMU.
  • Administered by the CMMI Institute, a subsidiary of ISACA, it was developed at Carnegie Mellon University (CMU).
  • In March 2016, the CMMI Institute was acquired by ISACA.

Cybersecurity Maturity Model Certification (CMMC)

  • The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) recognizes that security is foundational to acquisition and should not be traded along with cost, schedule, and performance moving forward.
  • The Department is committed to working with the Defense Industrial Base (DIB) sector to enhance the protection of controlled unclassified information (CUI) within the supply chain.

Systems Security Engineering — Capability Maturity Model (SSE-CMM)

  • ISO/IEC 21827:2008 describes the essential characteristics of an organization’s security engineering process that must exist to ensure good security engineering.
  • ISO/IEC 21827:2008 does not prescribe a particular process or sequence, but captures practices generally observed in industry.



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

According to Martin Fowler, a maturity model is a tool that helps people assess the current effectiveness of a person or a group and supports figuring out which capabilities they need to acquire next in order to improve their performance. Which of the following open-source maturity models helps organizations assess, formulate, and implement a software security strategy that can be integrated into their existing Software Development Lifecycle (SDLC)?
A. Software Assurance Maturity Model (SAMM)
B. Capability Maturity Model Integration (CMMI)
C. Cybersecurity Maturity Model Certification (CMMC)
D. Systems Security Engineering Capability Maturity Model (SSE-CMM)
