Maturity Model

Maturity models are used to standardize development to ensure consistency. In cybersecurity, a software assurance maturity model helps organizations with the development and implementation of a software security strategy. This process involves an assessment of the organization's needs, resources, and risk tolerance as well as providing a benchmark against comparable organizations.

A maturity model has a set of structured levels to describe the reliability and sustainability of the outcomes of an organization's practices, behaviors, and processes. Thus, maturity models facilitate the assessment of an organization's processes and methods, promote consistency, and provide an independent review.

Capability Maturity Model: An Introduction

In addition to using international standards to evaluate their information technology (IT) products, organizations also follow international standards to manage and improve their own performance and capabilities. The Capability Maturity Model (CMM) comprises five levels through which each organization must progress to achieve optimum performance or capability when developing secure software (International Quality Management Systems, n.d.):

  • Level 1: Initial. Apply workforce practices without analyzing their impact.
  • Level 2: Managed. Get managers to take responsibility for managing and developing their employees.
  • Level 3: Defined. Develop workforce competencies and workgroups and align with business strategies.
  • Level 4: Predictable. Empower and integrate workforce competencies. Manage progress through a defined set of metrics.
  • Level 5: Optimizing. Continuously monitor and improve performance.

CMM is the benchmark for comparing the software development processes of two or more organizations.

Working Through Capability Maturity Model Levels

What follows is how a typical medium-sized company might strive to accomplish the CMM Level 5 certification.

Level 1: Initial

At this level, the organization has not started any formalized methodology. When it decides on a formalized methodology for developing secure software, such as CMM, it moves to the second level.

Level 2: Managed

At this level, the organization ramps up the training, working environment, and personnel needed to begin the secure software development life cycle. For example, the organization might initiate training on secure coding practices and training for auditors to show them how to document and evaluate information assets.

Managers then create working environments, in which breakout groups are asked to work on individual aspects of the formalized methodology. For example, an organization might create an auditing group, a secure coding group, a project management group, and departmental leadership groups.

Level 3: Defined

At this level, the organization further defines its methodology by breaking out its personnel into more focused and specific working groups, developing best practices, and creating a culture in which the staff participates in the program to increase their investment in the outcome.

The secure coding group, for example, could be further divided into secure coding for databases, secure coding for web servers, and secure coding for network administrators.

The groups then develop best practices for how they will communicate among each other and share/report information, along with best practices for securely coding customer databases and web servers at the subgroup level.

Level 4: Predictable

At this level, the organization's processes are stable and established in ensuring secure coding.

Leaders mentor the staff, and the individual working groups, which now have a deep knowledge of the processes and in-depth frontline experience, are empowered to make their own decisions, such as deciding whether to use a different coding protocol on a customer database based on several small issues observed on that database.

Performance management is also put into place. The organization identifies a benchmark and establishes metrics to measure progress toward reaching that goal. These metrics are also used to monitor the progress of all teams in the organization.

Level 5: Optimizing

At this level, the organization finally optimizes its process, adapting it to new challenges and continuing to monitor and improve it regularly to ensure continued excellence.

For each of the following tasks, consider at which level of the Capability Maturity Model (CMM) an organization would perform it.

  • monitor progress through established metrics
  • create best practices and workgroups
  • formalize a methodology to improve processes
  • organize the personnel needed to establish workgroups

Monitor Progress Through Established Metrics

The organization puts performance management policies in place that allow it to monitor progress at CMM Level 4.

Create Best Practices and Workgroups

At CMM Level 3, the organization further defines its methodology by developing best practices, breaking out personnel into more focused and specific working groups, and creating a culture in which the staff participates in the program to increase investment in the outcome.

Formalize a Methodology to Improve Processes

During CMM Level 1, the organization starts to formalize a methodology, which is what moves it to Level 2.

Organize the Personnel Needed to Establish Workgroups

At CMM Level 2, the organization ramps up the training, working environment, and personnel needed to begin the secure software development life cycle.


International Quality Management Systems. (n.d.). People capability maturity model (PCMM).