Capabilities Maturity Model for Security
Domain: Security Engineering
Maturity levels (matrix columns): None, Initial, Repeatable, Defined, Managed, Optimizing
Matrix rows: process areas and their base practices

01 - Administer security controls:
- Establish responsibilities
- Manage configuration
- Manage awareness, training, and education programs
- Manage services and control mechanisms
02 - Assess impact:
- Prioritize capabilities
- Identify system assets
- Select metrics
- Identify metric relationships
- Identify and characterize consequences
- Monitor consequences
03 - Assess security risk:
- Select risk analysis method
- Identify exposures
- Assess exposure risks
- Assess total uncertainty
- Prioritize risks
- Monitor risks and characteristics
04 - Assess threat:
- Identify natural and human threats
- Identify units of measure for threats
- Assess threat capabilities and intents
- Assess likelihood
- Monitor threats and characteristics
05 - Assess vulnerability:
- Select vulnerability analysis method
- Identify vulnerabilities
- Gather vulnerability data
- Synthesize system vulnerabilities
- Monitor vulnerabilities and characteristics
06 - Build assurance argument:
- Identify assurance objectives
- Define assurance strategy
- Control assurance evidence
- Analyze evidence
- Provide assurance argument
07 - Coordinate security:
- Define coordination objectives
- Identify coordination mechanisms
- Facilitate coordination
- Coordinate decisions and recommendations
08 - Monitor system security posture:
- Analyze event records
- Monitor changes
- Identify incidents
- Monitor safeguards
- Review security posture
- Manage incident response
- Protect monitoring artifacts
09 - Provide security input:
- Understand security input needs
- Determine constraints and considerations
- Identify alternatives
- Analyze engineering alternatives
- Provide engineering guidance
- Provide operational guidance
10 - Specify security needs:
- Gain understanding of protection needs
- Identify applicable laws and regulations
- Identify system security context
- Capture view of system operation
- Define requirements
- Obtain agreement on protection
11 - Verify and validate security:
- Identify V&V targets
- Define V&V approach
- Perform validation
- Perform verification
- Provide V&V results

Organization:
- Institutionalization of process areas
- Implementation of process areas
12 - Ensure quality
13 - Manage configurations
14 - Manage project risk
15 - Monitor and control technical effort
16 - Plan technical effort
17 - Define systems engineering process
18 - Improve systems engineering process
19 - Manage product line evolution
20 - Manage systems engineering support environment
21 - Provide ongoing skills and knowledge
22 - Coordinate with suppliers

Project:
- Ensure quality
- Manage configurations
- Manage program risk
- Monitor and control technical effort
- Plan technical effort

Capability Level Definitions

Columns: Capability Level | Item within level | Achieved? | Value | Risk Management | Engineering | Assurance | Coordination
(the four right-hand columns are the Key Process Areas listed below; the item values within each level sum to 1.0)

Level 0 - Initial, none: 0

Level 1 - Initial (value 1.0): few processes are defined, and success depends on individual talent and heroic effort
- 1.1 Base practices performed: 1.0
- Total for level per KPA

Level 2 - Repeatable (value 2.0): the necessary process discipline is in place to repeat earlier successes on projects with similar applications
- Requirements management: 0.1
- Project planning: 0.1
- Project tracking and oversight: 0.1
- Subcontract management: 0.1
- Quality assurance: 0.1
- Configuration management: 0.1
- 2.1 Planning performance: 0.1
- 2.2 Disciplined performance: 0.1
- 2.3 Verifying performance: 0.1
- 2.4 Tracking performance: 0.1
- Total for level per KPA

Level 3 - Defined (value 3.0): the process for both management and engineering activities is documented, standardized, and integrated into an organization-wide process and used by all projects
- Process focus: 0.1
- Process definition: 0.1
- Training programs: 0.1
- Integrated management: 0.1
- Product engineering: 0.1
- Intergroup coordination: 0.1
- Peer reviews: 0.1
- 3.1 Defining a standard process: 0.1
- 3.2 Performing the defined process: 0.1
- 3.3 Coordinating practices: 0.1
- Total for level per KPA

Level 4 - Managed (value 4.0): both the process and end-products are quantitatively understood and controlled using detailed measures
- Quality management: 0.25
- Quantitative process management: 0.25
- 4.1 Establishing measurable performance goals: 0.25
- 4.2 Objectively managing performance: 0.25
- Total for level per KPA

Level 5 - Optimizing (value 5.0): continuous process improvement is enabled by quantitative feedback from the process and from testing innovative ideas and technologies
- Defect prevention: 0.2
- Technology change management: 0.2
- Process change management: 0.2
- 5.1 Improving organizational capability: 0.2
- 5.2 Improving process effectiveness: 0.2
- Total for level per KPA

Grand totals per KPA

Key Process Areas

1) Security Risk Management - processes dealing with estimating risk at each of the maturity levels;
2) Engineering - processes involved with architecting a system and managing security requirements;
3) Assurance Management - processes dealing with generating, managing, and presenting assurance evidence;
4) Coordination - processes that coordinate security engineering activities with other engineering disciplines.

Each key process area is assessed against the same five features:
- Commitment to Perform
- Ability to Perform
- Activities Performed
- Measurement and Analysis
- Verifying Implementation

Process Maturation Goals

Organizational Maturational Goals

Doing a CMM appraisal:

Prepare
- Scope appraisal
- Plan appraisal
Pre-onsite
- Prepare appraisal team
- Administer questionnaire
- Collect evidence
- Analyze evidence and answers
Onsite phase
- Interview executives
- Interview leads and practitioners
- Establish findings
- Develop rating profile
- Report results
Post-appraisal
- Report lessons learned
- Report appraisal outcomes
- Manage appraisal artifacts

Evaluation matrix

Rows: Level 5, Level 4, Level 3, Level 2, Level 1
Columns: process areas 01 through 22 (as numbered above)