Cybersecurity Capacity Maturity Model for Nations (CMM)

From the GCSCC

Cybersecurity Capacity Maturity Model for Nations (CMM)

Portal Team 's picture

Posted By: 

Portal Team

This revised Cybersecurity Capacity Maturity Model for Nations (CMM) builds upon the success of the first, which was deployed since 2015 through cooperation with our strategic partners: Organization of American States (OAS), World Bank, Commonwealth Telecommunications Organisation (CTO) and the International Telecommunication Union (ITU). Through these partnerships, the CMM has been deployed in over 70 countries, including UK, Kosovo, Bhutan, Uganda, Senegal, Kyrgyz Republic, Cyprus, Lithuania, Madagascar and Indonesia, and underpinned a regional study in Latin America and the Caribbean through collaboration with the OAS: Cybersecurity Report 2016: Are We Ready in Latin America and the Caribbean?

See the complete list of countries here

In the revised CMM we respond to the constantly changing and evolving nature of cybersecurity capacity and the developments in the field. In order to achieve this we incorporated lessons learnt gained of the model’s deployment across the world, and included insights that we gauged from a thorough consultation process with the Capacity Centre’s Expert Advisory Panel and other cybersecurity experts.

The Cybersecurity Capacity Maturity Model for Nations maintains the structure of the first version by looking at cybersecurity capacity through the five dimensions crucial to building a country’s cybersecurity capacity:

  • Cybersecurity Policy and Strategy
  • Cyber Culture and Society
  • Cybersecurity Education, Training and Skills
  • Legal and Regulatory Frameworks
  • Standards, Organisations, and Technologies

The five distinct stages of maturity within each of the dimensions remain unchanged: start-up, formative, established, strategic, and dynamic. These serve as a measure of existing cybersecurity capacity which countries can then use to develop their cybersecurity capacity building strategies.  

To improve the clarity and precision of the model, we incorporated details related to crucial issues detected in the cybersecurity-capacity environment: for example, regarding the importance of protection of personal information online, the existence of effective mechanisms for users to report cybercrime, and the presence of both educational and professional training frameworks. These issues also highlighted the need to account for developing awareness of software quality and for the existence of technical security and cryptographic controls. With these enhancements to the content and structure, the CMM incorporates revisions based on lessons learnt from the field, consultations with our expert panel and responds to trends and developments in the cybersecurity capacity landscapes (click here for more details on the changes in the revised CMM).

Our effort to improve the CMM is an ongoing exercise as we continue to deploy the model across the world with our partners this year. The new lessons learnt will be used to further improve the model. Our aim is to ensure the CMM remains applicable to all national contexts and reflects the fast-changing state of cybersecurity capacity maturity in the different regions across the globe.


CMM Dimension 1: Cybersecurity Policy and Strategy

CMM Dimension 2: Cyber Culture and Society

CMM Dimension 3: Cybersecurity Education, Training and Skills

CMM Dimension 4: Legal and Regulatory Frameworks

CMM Dimension 5: Standards, Organisations, and Technologies

CMM Revised Edition: Summary of Changes


CMM revised edition_09022017.pdfDownload


FRENCH VERSION available here