Secure Controls Framework
Download The SCF
Start Here
Free Content
GRC Fundamentals
SCF Certified
Marketplace
Free Content

SCR-CMM: Capability Maturity Model. Measure & Advance Your Cybersecurity Program

The Secure, Compliant & Resilient Capability Maturity Model (SCR-CMM) provides a six-level (L0–L5) maturity scoring system for every control in the Secure Controls Framework (SCF), enabling organizations to objectively assess where they are today, define where they need to be, and measure progress over time. Built on the SSE-CMM v2.0 structure.

6
Maturity Levels (L0–L5)
1,400+
Controls with CMM Criteria
33
Domains Assessed
FREE
Creative Commons
Download the SCR-CMM
Browse Free Content
About SCR-CMM

Beyond Compliance: Measure Cybersecurity Capability Maturity

The SCR-CMM is meant to solve the problem of objectivity in both establishing and evaluating cybersecurity and data privacy controls. It draws upon the high-level structure of the Systems Security Engineering Capability Maturity Model v2.0 (SSE-CMM).

The SCR-CMM is meant to solve the problem of objectivity in both establishing and evaluating cybersecurity and data privacy controls. It draws upon the high-level structure of the .

A binary pass/fail assessment answers the question “Are we compliant?” The SCR-CMM answers a far more useful question: “How well are we actually doing this?” Compliance frameworks tell organizations what controls to implement, but they do not provide a meaningful way to measure whether those controls are implemented effectively, consistently, or sustainably.

There are many competing models that exist to demonstrate maturity. Given the available choices, the SCF decided to leverage an existing framework, rather than reinvent the wheel. In simple terms, we provided control-level criteria to an existing CMM model.

Four Core Objectives of the SCR-CMM

  • Provide CISO/CPOs/CIOs with objective criteria to establish expectations for a cybersecurity & privacy program.
  • Provide objective criteria for project teams to appropriately plan and budget.
  • Provide minimum criteria to evaluate third-party service provider controls.
  • Provide a means to perform due diligence of cybersecurity and privacy practices as part of Mergers & Acquisitions (M&A).
Methodology

Nested Approach to Maturity

By using the term “nested,” we refer to how the SCR-CMM’s control criteria were written to acknowledge that each succeeding level of maturity is built upon its predecessor. Essentially, you cannot run without first learning how to walk.

This approach to defining cybersecurity & privacy control maturity is how the SCR-CMM is structured. The following two questions should be kept in mind when evaluating the maturity of a control (or Assessment Objective):

  • "Do I have reasonable evidence to defend my analysis/decision?"
  • "If there was an incident and I was deposed in a legal setting, can I justify my analysis/decision without perjuring myself?"

Do you need to answer “yes” to every bullet pointed criteria under a level of maturity? No. Every organization is different. The maturity criteria items associated with SCF controls are to help establish what would reasonably exist for each level of maturity. Fundamentally, the decision comes down to assessor experience, professional competence and common sense.

Secure Controls Framework (SCF) and Secure Compliant Resilient (SCR) logos above text Capability Maturity Model (SCR-CMM) with a button below labeled Click To View Example and a PDF icon.

Maintaining the Integrity of Maturity-Based Criteria

Consciously designating a higher level of maturity (based on objective criteria) to make an organization appear more mature should be considered fraud. There is no room in cybersecurity and data protection operations for unethical parties.

Key Concept

Maturity (Governance) ≠ Assurance (Security)

While a more mature implementation of controls can equate to an increased level of security, higher maturity and higher assurance are not mutually inclusive. Maturity is simply a measure of governance activities pertaining to a specific control or set of controls.

According to NIST, assurance is “grounds for confidence that the set of intended security controls in an information system are effective in their application.” Increased rigor in control testing is what leads to increased assurance. Therefore, increased rigor and increased assurance are mutually inclusive.

Level 1: Standard Rigor

Standard rigor assessments determine whether safeguards are implemented and free of obvious errors. This provides a minimum level of assurance.

Level 2: Enhanced Rigor

Enhanced rigor assessments determine whether safeguards are implemented, free of obvious/apparent errors, and provide increased grounds for confidence that controls are implemented correctly and operating as intended.

Level 3: Comprehensive Rigor

Comprehensive rigor assessments provide further increased confidence that controls are implemented correctly, operating as intended on an ongoing and consistent basis, with support for continuous improvement.

SCR-CMM Maturity Scale

Six Maturity Levels: L0 Through L5

The SCR-CMM uses six descriptive maturity levels drawn from the SSE-CMM v2.0 structure. Each level has specific observable criteria for what “implemented at this level” means for any given SCF control.

Capability Maturity Model (CMM) levels depicted as ascending steps from 0 to 5, showing progression from Non-Existent Practices at CMM 0 to World-Class Practices at CMM 5.

Level 0: Not Performed

This level of maturity is defined as “non-existence practices,” where the control is not being performed:

  • Practices are non-existent, where a reasonable person would conclude the control is not being performed.
  • Evidence of due care and due diligence do not exist to demonstrate compliance with applicable statutory, regulatory and/or contractual obligations.

L0 practices, or a lack thereof, are generally considered to be negligent. The reason for this is if a control is reasonably-expected to exist, by not performing the control that is negligent behavior. The need for the control could be due to a law, regulation or contractual obligation (e.g., client contract or industry association requirement).

Note – The reality with a L0 level of maturity is often:

  • Practices are non-existent, where a reasonable person would conclude the control is not being performed.
  • Evidence of due care and due diligence do not exist to demonstrate compliance with applicable statutory, regulatory and/or contractual obligations.

Level 1: Performed Informally

This level of maturity is defined as “ad hoc practices,” where the control is being performed, but lacks completeness & consistency:

  • Practices are “ad hoc” where the intent of a control is not met due to a lack consistency and formality.
  • When the control is met, it lacks consistency and formality (e.g., rudimentary practices are performed informally).
  • A reasonable person would conclude the control is not consistently performed in a structured manner.
  • Performance depends on specific knowledge and effort of the individual performing the task(s), where the performance of these practices is not proactively governed.
  • Limited evidence of due care and due diligence exists, where it would be difficult to legitimately disprove a claim of negligence for how cybersecurity/privacy controls are implemented and maintained.

L1 practices are generally considered to be negligent. The reason for this is if a control is reasonably-expected to exist, by only implementing ad-hoc practices in performing the control that could be considered negligent behavior. The need for the control could be due to a law, regulation or contractual obligation (e.g., client contract or industry association requirement).

Note – The reality with a L1 level of maturity is often:

  • For smaller organizations, the IT support role only focuses on “break / fix” work or the outsourced IT provider has a limited scope in its support contract.
  • For medium / large organizations, there is IT and/or cybersecurity staff but there is no management focus to spend time or resources on the control.

Level 2: Planned & Tracked

Practices are “requirements-driven” where the intent of control is met in some circumstances, but not standardized across the entire organization:

  • Practices are “requirements-driven” (e.g., specified by a law, regulation or contractual obligation) and are tailored to meet those specific compliance obligations (e.g., evidence of due diligence).
  • Performance of a control is planned and tracked according to specified procedures and work products conform to specified standards (e.g., evidence of due care).
  • Controls are implemented in some, but not all applicable circumstances/environments (e.g., specific enclaves, facilities or locations).
  • A reasonable person would conclude controls are “compliance-focused” to meet a specific obligation, since the practices are applied at a local/regional level and are not standardized practices across the enterprise.
  • Sufficient evidence of due care and due diligence exists to demonstrate compliance with specific statutory, regulatory and/or contractual obligations.

L2 practices are generally considered to be “audit ready” with an acceptable level of evidence to demonstrate due diligence and due care in the execution of the control. L2 practices are generally targeted on specific systems, networks, applications or processes that require the control to be performed for a compliance need (e.g., PCI DSS, HIPAA, CMMC, NIST 800-171, etc.).

Note – The reality with a L2 level of maturity is often:

  • For smaller organizations:
  • IT staff have clear requirements to meet applicable compliance obligations or the outsourced IT provider is properly scoped in its support contract to address applicable compliance obligations.
  • It is unlikely that there is a dedicated cybersecurity role and at best it is an additional duty for existing personnel.
  • For medium / large organizations:
  • IT staff have clear requirements to meet applicable compliance obligations.
  • There is most likely a dedicated cybersecurity role or a small cybersecurity team.

Level 3: Well-Defined

This level of maturity is defined as “enterprise-wide standardization,” where the practices are well-defined and standardized across the organization:

  • Practices are standardized “enterprise-wide” where the control is well-defined and standardized across the entire enterprise.
  • Controls are implemented in all applicable circumstances/environments (deviations are documented and justified).
  • Practices are performed according to a well-defined process using approved, tailored versions of standardized processes.
  • Performance of a control is according to specified well-defined and standardized procedures.
  • Control execution is planned and managed using an enterprise-wide, standardized methodology.
  • A reasonable person would conclude controls are “security-focused” that address both mandatory and discretionary requirements. Compliance could reasonably be viewed as a “natural byproduct” of secure practices.
  • Sufficient evidence of due care and due diligence exists to demonstrate compliance with specific statutory, regulatory and/or contractual obligations.
  • The Chief Information Security Officer (CISO) , or similar function, develops a security-focused Concept of Operations (CONOPS) that documents organization-wide management, operational and technical measures to apply defense-in-depth techniques (note - in this context, a CONOPS is a verbal or graphic statement of intent and assumptions regarding operationalizing the identified tasks to achieve the CISO’s stated objectives. The result of the CONOPS is operating the organization’s cybersecurity and data protection program so that it meets business objectives). Control or domain-specific CONOPS may be incorporated as part of a broader operational plan for the cybersecurity and privacy program (e.g., cybersecurity-specific business plan)

L3 practices are generally considered to be “audit ready” with an acceptable level of evidence to demonstrate due diligence and due care in the execution of the control. Unlike L2 practices that are narrowly focused, L3 practices are standardized across the organization.

It can be argued that L3 practices focus on security over compliance, where compliance is a natural byproduct of those secure practices. These are well-defined and properly-scoped practices that span the organization, regardless of the department or geographic considerations.

Note – The reality with a L3 level of maturity is often:

  • For smaller organizations:
  • There is a small IT staff that has clear requirements to meet applicable compliance obligations.
  • There is a very competent leader (e.g., security manager / director) with solid cybersecurity experience who has the authority to direct resources to enact secure practices across the organization.
  • For medium / large organizations:
  • IT staff have clear requirements to implement standardized cybersecurity & privacy principles across the enterprise.
  • In addition to the existence of a dedicated cybersecurity team, there are specialists (e.g., engineers, SOC analysts, GRC, privacy, etc.)
  • There is a very competent leader (e.g., CISO) with solid cybersecurity experience who has the authority to direct resources to enact secure practices across the organization.

Level 4: Quantitatively Controlled

This level of maturity is defined as “metrics-driven practices,” where in addition to being well-defined and standardized practices across the organization, there are detailed metrics to enable governance oversight:

  • Practices are “metrics-driven” and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations, and identify areas for improvement.
  • Practices build upon established L3 maturity criteria and have detailed metrics to enable governance oversight.
  • Detailed measures of performance are collected and analyzed. This leads to a quantitative understanding of process capability and an improved ability to predict performance.
  • Performance is objectively managed, and the quality of work products is quantitatively known.

L4 practices are generally considered to be “audit ready” with an acceptable level of evidence to demonstrate due diligence and due care in the execution of the control, as well as detailed metrics enable an objective oversight function. Metrics may be daily, weekly, monthly, quarterly, etc.

Note – The reality with a L4 level of maturity is often:

  • For smaller organizations, it is unrealistic to attain this level of maturity.
  • For medium / large organizations:
  • IT staff have clear requirements to implement standardized cybersecurity & privacy principles across the enterprise.
  • In addition to the existence of a dedicated cybersecurity team, there are specialists (e.g., engineers, SOC analysts, GRC, privacy, etc.)
  • There is a very competent leader (e.g., CISO) with solid cybersecurity experience who has the authority to direct resources to enact secure practices across the organization.
  • Business stakeholders are made aware of the status of the cybersecurity and privacy program (e.g., quarterly business reviews to the CIO/CEO/board of directors). This situational awareness is made possible through detailed metrics.

Level 5: Continuously Improving

Detailed measures of performance are collected and analyzed. This leads to a quantitative understanding of process capability and an improved ability to predict performance.

  • Practices are “world-class” capabilities that leverage predictive analysis.
  • Practices build upon established L4 maturity criteria and are time-sensitive to support operational efficiency, which likely includes automated actions through machine learning or Artificial Intelligence (AI).
  • Quantitative performance goals (targets) for process effectiveness and efficiency are established, based on the business goals of the organization.
  • Process improvements are implemented according to “continuous improvement” practices to affect process changes.

L5 practices are generally considered to be “audit ready” with an acceptable level of evidence to demonstrate due diligence and due care in the execution of the control and incorporates a capability to continuously improve the process. Interestingly, this is where Artificial Intelligence (AI) and Machine Learning (ML) would exist, since AI/ML would focus on evaluating performance and making continuous adjustments to improve the process. However, AI/ML are not required to be L5.

Note – The reality with a L5 level of maturity is often:

  • For small and medium-sized organizations, it is unrealistic to attain this level of maturity.
  • For large organizations:
  • IT staff have clear requirements to implement standardized cybersecurity & privacy principles across the enterprise.
  • In addition to the existence of a dedicated cybersecurity team, there are specialists (e.g., engineers, SOC analysts, GRC, privacy, etc.)
  • There is a very competent leader (e.g., CISO) with solid cybersecurity experience who has the authority to direct resources to enact secure practices across the organization.
  • Business stakeholders are made aware of the status of the cybersecurity and privacy program (e.g., quarterly business reviews to the CIO/CEO/board of directors). This situational awareness is made possible through detailed metrics.
  • The organization has a very aggressive business model that requires not only IT, but its cybersecurity and privacy practices, to be innovative to the point of leading the industry in how its products and services are designed, built or delivered.
  • The organization invests heavily into developing AI/ML technologies to make near real-time process improvements to support the goal of being an industry leader.
Defining Targets

Defining a Capability Maturity “Sweet Spot”

For most organizations, the “sweet spot” for maturity targets is between L2 and L4 levels. What defines the ideal target is generally based on resource limitations and other business constraints.

Negligence Considerations

Without the ability to demonstrate evidence of both due care and due diligence, an organization may be found negligent. The "negligence threshold" is between L1 and L2. At L2, practices are formalized to the point that documented evidence exists.

Risk Considerations

Risk associated with the control in question decreases with maturity, but noticeable risk reductions are harder to attain above L3. Oversight and process automation can decrease risk, but generally not as noticeably as steps taken to attain L3.

Process Review Lag Considerations

Process improvements increase with maturity, based on shorter review cycles and increased process oversight. What might have been an annual review cycle can be near real-time with AI and Machine Learning.

Stakeholder Value Considerations

Perceived value of security controls increases with maturity. However, perceived value tends to decrease after L3 since the additional cost and complexity becomes harder to justify to business stakeholders.

Internal vs External Maturity Shift

L0–L3 are “internal” maturity levels for cybersecurity and data privacy teams, whereas L4–L5 are “external” maturity levels that expand beyond those teams. It isn’t until L4–L5 where there is true business stakeholder involvement in oversight and process improvement.

Use Cases

How Organizations Use SCR-CMM

The SCR-CMM is used across the entire GRC lifecycle, from establishing program expectations through ongoing evaluation and due diligence.

Use Case 1: Objective Criteria to Build a Cybersecurity Program

Provide CISO/CIOs with objective criteria that can be used to establish expectations for a cybersecurity & privacy program. The SCR-CMM defines what “good enough” looks like at each maturity level, eliminating subjective interpretations.

Use Case 2: Assist Project Teams to Plan & Budget

Provide objective criteria for project teams so that secure, compliant and resilient practices are appropriately planned and budgeted for. Maturity targets translate directly into resource requirements and timelines.

Use Case 3: Evaluate External Service Provider Practices

Provide objective criteria to evaluate External Service Provider (ESP) practices. The SCR-CMM provides a standardized measurement framework for third-party risk assessments and vendor due diligence.

Use Case 4: Due Diligence in Mergers, Acquisitions & Divestitures

Provide a means to perform due diligence of cybersecurity and data privacy capabilities as part of MA&D activities. Maturity scores provide an objective, defensible assessment of an acquisition target’s security posture.

Assessment Methodology

Assessment Methods

Assessors/auditors are expected to review artifacts and other evidence to independently verify that an organization meets the intent for all applicable controls. There are three assessment methods:

Examine

The process of checking, inspecting, reviewing, observing, studying or analyzing one or more assessment objects to facilitate understanding, achieve clarification or obtain evidence.

Interview

The process of conducting discussions with individuals or groups in an organization to facilitate understanding, achieve clarification or lead to the location of evidence.

Test

The process of exercising one or more assessment objects under specified conditions to compare actual with expected behavior.

Continuous Improvement

Plan-Do-Check-Act (PDCA)

The SCR-CMM is designed to operate within a continuous PDCA improvement cycle, enabling organizations to systematically advance control maturity over time.

P

PLAN

Define the assessment scope. Select the SCF control subset applicable to your organization’s risk tier and regulatory obligations. Define target CMM levels for each domain based on regulatory requirements and risk appetite.

D

DO

Conduct the CMM assessment. Score each control using the built-in L0–L5 criteria in the SCF spreadsheet. Gather evidence using the ERL. Document gaps, assign owners, and define remediation timelines for controls below target level.

C

CHECK

Calculate domain-level and program-level maturity scores. Compare against prior assessment results to measure improvement. Validate that remediation actions have raised CMM scores as planned. Report results to management.

A

ACT

Update remediation plans for remaining gaps. Set new target CMM levels for the next cycle. Advance controls that reached their target level toward the next level. Incorporate findings into the security roadmap and budget planning.

Related SCR Models

SCR-CMM Works With SCR-RMM

The SCR-CMM and SCR-RMM are companion models. Maturity measurement and risk management work together within the same SCF-based program framework.

SCR-CMM: Capability Maturity Model

Defines how to measure and score control implementation maturity, providing the measurement system that tells the organization how well each control is implemented.

Six maturity levels (L0 Not Performed → L5 Continuously Improving)

Observable criteria for every SCF control

Based on SSE-CMM v2.0 structure (ISO/IEC 21827)

Evidence-based, not self-reported opinion

SCR-RMM: Risk Management Model

Defines how to identify, assess, and treat cybersecurity risk, providing the risk management framework that determines which controls matter most and how to allocate resources.

Structured risk identification & assessment

Risk treatment planning & tracking

Integrates with SCR-CMM maturity scoring

Built on the SCF control catalog

Learn About SCR-RMM →

Join 25,000+ GRC Professionals

Get the latest SCF updates, cybersecurity insights, and community news delivered to your inbox. You know you want to do it!

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Controls are your security, compliance & resilience program - A control is the power to influence or direct behaviors and the course of events.

DOWNLOAD THE SCF

Start Here

What Is The SCF?How To Implement (SCRMS)Domains & PrinciplesLaws & Frameworks (LRF)Relationship Mapping (STRM)NIST OLIR ParticipationESG Considerations

Free Content

SCF DownloadRisk Management (SCR-RMM)Maturity Model (SCR-CMM)Assessment Standards (CDPAS)Mergers & Acquisitions (MA&D)Privacy Principles (DPMP)Evidence Request List (ERL)Scoping Guide (USG)

Resources

GRC FundamentalsSCF CertifiedMarketplaceFAQAbout

Support

DonateVolunteer

© 2026 Secure Controls Framework Council, LLC. All rights reserved.

Terms & ConditionsPrivacyCookiesSitemap