Information Security Maturity Models: CMMC, C2M2, SSE-CMM and BSIMM – selection of framework and self-assessment

Depov

In three years, I have conducted gap analyses against four different maturity models for twelve organizations, from Defense Industrial Base subcontractors to energy companies with an OT segment. The result is the same: the team spends a month filling out scorecards, management receives a PDF with a radar chart, the document goes to SharePoint. Six months later a pentest report arrives and refutes half of the ratings. Dormant accounts, a flat network, a SIEM with default rules: all of this was “Implemented” in Excel, but broke within an hour of the internal pentest.

The problem is not the maturity models. The problem is that the framework is chosen by inertia and the self-assessment is done “from memory,” without verification. Below is a concrete method for choosing a model and a step-by-step information security maturity self-assessment process that produces a result, not an artifact for the auditor.
Why these four models and what remained outside the frame
There are dozens of maturity models: NIST CSF with four implementation tiers, CIS Controls v8 with three implementation groups (IG1-IG3, from 56 to 153 safeguards), OWASP SAMM for assessing the maturity of AppSec programs, ISO 27001 with its PDCA cycle. This article covers four frameworks that fill different niches and most often intersect in real projects:
• CMMC 2.0 - mandatory certification for DoD contractors, hard-bound to NIST SP 800-171
• C2M2 - free DOE tool with IT and OT, initially for energy
• SSE-CMM (ISO/IEC 21827) - standard of maturity of safe engineering processes
• BSIMM - a descriptive security assessment model built on real data from hundreds of organizations
What was left out and why. NIST CSF and CIS Controls are control frameworks with a tiered structure, but not maturity models in the strict sense: they describe “what should be in place” rather than “how to measure implementation progress.” OWASP SAMM is close to SSE-CMM in its focus on development, but narrower: AppSec only. If your context is one of these frameworks, the article is still useful: the self-assessment technique and the attack-surface view work universally.
CMMC certification: three levels for the defense industry
CMMC 2.0 (Cybersecurity Maturity Model Certification) is a U.S. Department of Defense model for protecting CUI (Controlled Unclassified Information) and FCI (Federal Contract Information) in the supply chain. CMMC 1.0 (2020) had five levels; in 2.0 they were reduced to three:
• Level 1 (Foundational): 17 practices from FAR 52.204-21, annual self-assessment
• Level 2 (Advanced): 110 practices from NIST SP 800-171 Rev 2; a C3PAO (Certified Third-Party Assessor) assessment is required for priority contracts
• Level 3 (Expert): practices from NIST SP 800-172, assessed by DIBCAC
In practice, Level 2 is 110 controls across 14 domains (Access Control, Audit and Accountability, Configuration Management and so on). Each control maps to NIST SP 800-53 Rev 5: the Access Control domain requires documented access management (AC-1), the Incident Response domain requires incident handling procedures (IR-1). The key point: the auditor does not check that a policy exists, but evidence that it is implemented. “We have a policy” is not an answer. The answer is a log, a configuration, the result of a review.

A typical gap is the Access Control domain: the organization has a policy but does not review access. Through the attacker's eyes: if access is not reviewed, stale accounts become the initial access vector via T1078 (Valid Accounts). No exploit is needed; a dormant account with a password from an old leak is enough.

Limitations of CMMC: it is tied to the DoD supply chain. For organizations outside the DIB it is excessive. The cost of a C3PAO Level 2 assessment starts at $50K and can exceed $200K for large companies. Self-assessment at Level 1 is free, but the result must be submitted to SPRS (Supplier Performance Risk System).
C2M2 framework: ten domains for IT and OT
C2M2 (Cybersecurity Capability Maturity Model) is a free tool of the US Department of Energy. The current version is 2.1, released in June 2022.

The model contains more than 350 practices, grouped into ten domains: Risk Management, Asset/Change/Configuration Management, Identity and Access Management, Threat and Vulnerability Management, Situational Awareness, Event and Incident Response, Supply Chain Management, Workforce Management, Cybersecurity Architecture and Cybersecurity Program Management.

Each domain is evaluated by four MIL (Maturity Indicator Levels):
• MIL0: MIL1 practices are not performed
• MIL1: practices are performed ad hoc; there is a process but no documentation
• MIL2: practices are documented, resources for their support have been allocated
• MIL3: responsibilities are assigned, activities are monitored and evaluated
The self-assessment tool is available in two formats: an HTML version on c2m2.doe.gov and a PDF version on request via [email protected]. DOE states that the assessment can be done in one day. In reality it takes one to three days for an average organization, and only if the process owners are involved, not just the security team.

What is useful for security engineers: the model covers IT and OT assets in the same way. The Threat and Vulnerability Management domain maps directly onto vulnerability assessment activity. An organization at MIL1 in this domain scans irregularly and does not prioritize the results. In an internal pentest this means that T1082 (System Information Discovery) and T1518 (Software Discovery) give a complete picture of the infrastructure without any evasion. Just nmap -sV, and everything is visible.

Limitations of C2M2: self-assessment without external certification. Nobody checks credibility. Organizations tend to overstate their assessments; in my practice, a discrepancy of one or two MIL levels between self-assessment and reality was found in most projects. The model is optimized for energy: the Supply Chain and Situational Awareness domains work well for OT but are less specific for a pure IT environment.
SSE-CMM Standard: Maturity of Secure Engineering Processes
SSE-CMM (Systems Security Engineering Capability Maturity Model, ISO/IEC 21827) focuses not on organizational cybersecurity but on engineering processes: how the organization designs, implements and verifies security in products and systems. The model rates process areas on five maturity levels, from Performed Informally to Continuously Improving.

Where it is actually used: SSE-CMM makes sense for vendors developing information security tools or critical systems. In the Russian context, for companies undergoing EAL4 certification (GOST R ISO/IEC 15408). The SSE-CMM processes overlap with the requirements of FSTEC Order No. 76 for developing and testing information protection tools.

Limitations: ISO/IEC 21827 has not been updated since 2008. The concepts are still relevant, but the terminology and examples are outdated. For assessing the maturity of AppSec processes today, OWASP SAMM (open, regularly updated) is the more practical alternative. SSE-CMM is like a good textbook from 2008: the foundation is solid, but it is time to update the examples.
BSIMM Security Assessment: Descriptive Model on Market Data
BSIMM (Building Security In Maturity Model) is a fundamentally different approach. CMMC, C2M2 and SSE-CMM are prescriptive models: they say “what you should do.” BSIMM is a descriptive model: it shows “what others are doing,” aggregating data from assessments of real organizations.

The model is structured around four domains: Governance, Intelligence, SSDL Touchpoints (Secure Software Development Lifecycle) and Deployment. Each domain contains three practices (12 total) and more than 120 activities distributed across three maturity levels.

The main advantage is the benchmark against the market. The organization sees that the vast majority of participants perform a specific practice and it does not. Or that a certain activity has been adopted by only a small share, so it is not worth investing resources in it right now. For a CISO this is an argument in the budget conversation backed by data, not an abstract scale from 1 to 5.

Limitations: a BSIMM assessment is carried out by certified assessors and costs tens of thousands of dollars. The model focuses on software security, not infrastructure protection. And the key nuance: BSIMM describes what is, not what should be. If the whole market is underinvesting in something, BSIMM will show that as normal. A descriptive model is a mirror, not a compass.
Comparison of frameworks: trade-off table with restrictions

[Image not reproduced: comparison table of the four frameworks with their trade-offs and limitations]

How to choose a framework: decision tree
The choice of maturity model is determined by three factors: regulatory obligations, type of infrastructure and the maturity of the security team.
1. Are you a DoD contractor or do you handle CUI? CMMC 2.0, no options. It is not a choice, it is a requirement. Start with a NIST SP 800-171 self-assessment using the DoD Assessment Methodology.
2. Is there OT infrastructure (SCADA, ICS, industrial controllers)? C2M2. The model is designed for environments where IT and OT intersect. The Asset, Change, and Configuration Management domain covers the reality of energy and industrial companies better than anything else that is free.
3. Do you develop software or security products? SSE-CMM for a mature engineering organization; OWASP SAMM if the AppSec program is only being built. If you need a benchmark against the market and the budget allows, BSIMM.
4. Do you need a quick estimate of general information security maturity without reference to a regulator? C2M2 is a free start. NIST CSF v2.0 (Govern, Identify, Protect, Detect, Respond, Recover) for wider coverage. CIS Controls IG1-IG3 is a pragmatic alternative with 18 controls and clear implementation groups.
5. Need to convince the board of directors? BSIMM, if you have the budget. An argument of the form “95% of companies in our industry do X, and we don't” works better than an abstract scale from 1 to 5. I have seen this argument unblock a SIEM budget in a single meeting.
Example: the Identity and Access Management domain in C2M2 at MIL2 requires a documented access control procedure. There is a policy in Confluence, great. But in AD there are 200 dormant accounts that have not been used for 90+ days. That is MIL1, not MIL2. You can check with one command:
Code:
Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 | Where-Object {$_.Enabled -eq $true} | Measure-Object
The same query is part of the attacker's kill chain at the Account Discovery stage (T1087): finding accounts that nobody monitors and that are suitable for lateral movement.
Step 3: Fill out the matrix honestly
For each practice, three options:
• Implemented: there is evidence, there is a process, it works
• Partially Implemented: the process exists, but not for all systems, or it is not documented or checked
• Not Implemented: no process or no evidence
The rule is simple: if there is no evidence, it is Not Implemented, even if you “know exactly how it was set up.” The auditor will not accept memories. And you should not accept them in a self-assessment either.
Step 4: Build a heatmap and prioritize
Visualize the result in Excel with conditional formatting by domain. Red for Not Implemented, yellow for Partially, green for Implemented. The heatmap is a tool for talking to management, not an internal document of the security team.

Prioritization runs on two axes: risk impact (which low-maturity domains create the greatest risk; IAM and Threat Management are almost always at the top) and effort to remediate (policy documentation: a week; deploying a SIEM integration: a quarter).
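As an added example (not code from the original post), Steps 3 and 4 turned into a small script: the “no evidence means Not Implemented” rule applied to a matrix, per-domain scores bucketed into the red/yellow/green heatmap, and a ranking on the two prioritization axes. The domain names are C2M2's; the practices, evidence file names, impact weights and effort estimates are constructed sample data, and the impact × gap / effort ranking is my own choice of formula, not something the post prescribes.

```python
# Added example (not from the post): scoring a self-assessment matrix the way
# Steps 3 and 4 describe. Domain names follow C2M2; the practices, evidence
# references, impact weights and effort estimates are constructed sample data.
from collections import defaultdict

# One row per practice: (domain, practice, claimed status, evidence artifacts).
# An empty evidence list means the team "remembers" it but cannot show it.
MATRIX = [
    ("Identity and Access Management", "Access reviews performed periodically", "Implemented", []),
    ("Identity and Access Management", "Password policy enforced by GPO", "Implemented", ["gpo-export-2025-03.xml"]),
    ("Identity and Access Management", "Privileged accounts separated (tiering)", "Partially Implemented", ["tiering-design.docx"]),
    ("Identity and Access Management", "Dormant accounts disabled", "Not Implemented", []),
    ("Threat and Vulnerability Management", "Vulnerability scanning scheduled", "Implemented", ["scanner-job-config.json"]),
    ("Threat and Vulnerability Management", "Findings prioritized by risk", "Partially Implemented", []),
    ("Situational Awareness", "SIEM rules tuned beyond defaults", "Implemented", []),
    ("Situational Awareness", "Log sources inventoried", "Implemented", ["log-source-inventory.csv"]),
    ("Risk Management", "Risk register maintained", "Implemented", ["risk-register-q1.xlsx"]),
    ("Risk Management", "Risk acceptance criteria documented", "Implemented", ["risk-policy-v2.pdf"]),
]

# Step 4 axes (constructed values): how much a weak domain exposes the
# organization, and roughly how long remediation takes.
RISK_IMPACT = {
    "Identity and Access Management": 5,
    "Threat and Vulnerability Management": 4,
    "Situational Awareness": 3,
    "Risk Management": 2,
}
EFFORT_WEEKS = {
    "Identity and Access Management": 4,    # access review process plus cleanup
    "Threat and Vulnerability Management": 6,
    "Situational Awareness": 12,            # SIEM integration: about a quarter
    "Risk Management": 1,                   # policy documentation: about a week
}

STATUS_WEIGHT = {"Implemented": 1.0, "Partially Implemented": 0.5, "Not Implemented": 0.0}


def apply_evidence_rule(matrix):
    """Step 3 rule: no evidence means Not Implemented, whatever was claimed."""
    scored = []
    for domain, practice, claimed, evidence in matrix:
        status = claimed if evidence else "Not Implemented"
        scored.append((domain, practice, status))
    return scored


def domain_scores(scored):
    """Average implementation score per domain, 0.0 to 1.0."""
    per_domain = defaultdict(list)
    for domain, _, status in scored:
        per_domain[domain].append(STATUS_WEIGHT[status])
    return {d: sum(v) / len(v) for d, v in per_domain.items()}


def heat_colour(score):
    """Traffic-light bucket used for the management heatmap."""
    if score >= 0.8:
        return "green"
    if score >= 0.4:
        return "yellow"
    return "red"


def prioritize(scores, risk_impact, effort_weeks):
    """Rank domains by risk reduction per week of effort: impact * gap / effort."""
    ranked = [(d, risk_impact[d] * (1.0 - s) / effort_weeks[d]) for d, s in scores.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def run_example():
    scored = apply_evidence_rule(MATRIX)
    scores = domain_scores(scored)
    return {
        "not_implemented": sum(1 for _, _, s in scored if s == "Not Implemented"),
        "scores": scores,
        "heatmap": {d: heat_colour(s) for d, s in scores.items()},
        "priority": [d for d, _ in prioritize(scores, RISK_IMPACT, EFFORT_WEEKS)],
    }


if __name__ == "__main__":
    result = run_example()
    for domain, colour in result["heatmap"].items():
        print(f"{colour:6} {result['scores'][domain]:.2f}  {domain}")
    print("Remediate first:", result["priority"][0])
```

Run it with python3 to print the heatmap. Two claimed “Implemented” rows (access reviews, SIEM tuning) drop to Not Implemented because nothing backs them, which is exactly the gap a pentest later exposes. The ranking puts IAM first because it combines the biggest gap with high impact and moderate effort, while Risk Management's green score drops it to the bottom even though it is the cheapest domain to touch.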
Maturity levels through the pentester's eyes
Each low-maturity domain translates into specific TTPs that an attacker exploits without much effort:
[Image not reproduced: table mapping low-maturity domains to the ATT&CK techniques that exploit them]
Check the password policy the way an attacker does Password Policy Discovery (T1201):
Code:
net accounts /domain
If the minimum password length is below 14, the lockout threshold is 0 (lockout disabled) or the password history is shorter than 12, the IAM domain is at MIL0, regardless of what the written policy says. An attacker running gpresult /r (Group Policy Discovery, T1615) gets the full GPO picture. If there are no restrictions on lateral movement (no tiered access, no LAPS, RDP allowed for everyone), the Cybersecurity Architecture domain is at MIL0-MIL1, whatever the scorecard says.
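As an added example (not code from the original post), the two IAM checks this post relies on, the dormant-account count behind the Search-ADAccount command above and the password-policy thresholds in this section, applied to constructed sample data so they run offline: a parser for `net accounts /domain` output and a 90-day inactivity check over a CSV export of the kind Search-ADAccount piped to Export-Csv produces. The thresholds are the post's own; the account names, dates, the fixed reference date and the `mil_ceiling` naming are my assumptions.

```python
# Added example (not from the post): verifying IAM scorecard claims against
# evidence instead of memory. All sample data below is constructed; account
# names, dates and the "mil_ceiling" naming are assumptions. The thresholds are
# the post's own (length 14, lockout enabled, history 12, 90-day inactivity).
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample of `net accounts /domain` output from a weak domain.
NET_ACCOUNTS_SAMPLE = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          90
Minimum password length:                              8
Length of password history maintained:                5
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
"""

# Constructed sample CSV export of the kind Search-ADAccount | Export-Csv produces.
ACCOUNTS_CSV_SAMPLE = """\
SamAccountName,Enabled,LastLogonDate
j.doe,True,2025-03-01
svc_backup,True,2024-09-15
old.contractor,True,2024-11-02
a.smith,False,2024-06-01
m.lee,True,2025-03-10
"""

AS_OF = datetime(2025, 3, 15)       # fixed reference date so the example is deterministic
MIN_PASSWORD_LENGTH = 14
MIN_PASSWORD_HISTORY = 12
DORMANT_DAYS = 90

# "Label:   value" lines; the label may itself contain '?' or parentheses.
_LINE = re.compile(r"^(?P<key>.+?):\s{2,}(?P<val>\S.*)$")


def parse_net_accounts(text):
    """Parse `net accounts` output into {label: value}; 'Never' becomes 0."""
    policy = {}
    for line in text.splitlines():
        m = _LINE.match(line.rstrip())
        if not m:
            continue
        val = m.group("val").strip()
        if val == "Never":
            policy[m.group("key")] = 0
        elif val.isdigit():
            policy[m.group("key")] = int(val)
        else:
            policy[m.group("key")] = val
    return policy


def password_policy_findings(policy):
    """Return the weaknesses that, per the post, put the IAM domain at MIL0."""
    findings = []
    if policy.get("Minimum password length", 0) < MIN_PASSWORD_LENGTH:
        findings.append("minimum password length below 14")
    if policy.get("Lockout threshold", 0) == 0:
        findings.append("account lockout disabled")
    if policy.get("Length of password history maintained", 0) < MIN_PASSWORD_HISTORY:
        findings.append("password history shorter than 12")
    return findings


def dormant_enabled_accounts(csv_text, as_of=AS_OF, days=DORMANT_DAYS):
    """Enabled accounts with no logon for `days` days (the -AccountInactive check)."""
    cutoff = as_of - timedelta(days=days)
    dormant = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Enabled"] != "True":
            continue  # disabled accounts are not a live access vector
        if datetime.strptime(row["LastLogonDate"], "%Y-%m-%d") < cutoff:
            dormant.append(row["SamAccountName"])
    return dormant


def verified_iam_mil(policy_text, csv_text, as_of=AS_OF):
    """Cap the MIL the scorecard may claim for IAM, based only on evidence."""
    findings = password_policy_findings(parse_net_accounts(policy_text))
    dormant = dormant_enabled_accounts(csv_text, as_of)
    if findings:
        ceiling = 0   # policy is not enforced at all
    elif dormant:
        ceiling = 1   # a process exists but access is not reviewed
    else:
        ceiling = 2   # a documented procedure must still be shown separately
    return {"mil_ceiling": ceiling, "policy_findings": findings, "dormant_accounts": dormant}


def run_example():
    return verified_iam_mil(NET_ACCOUNTS_SAMPLE, ACCOUNTS_CSV_SAMPLE)


if __name__ == "__main__":
    result = run_example()
    print("IAM MIL ceiling:", result["mil_ceiling"])
    for finding in result["policy_findings"]:
        print(" -", finding)
    print("dormant enabled accounts:", ", ".join(result["dormant_accounts"]))
```

The ceiling is deliberately a cap, not a rating: clean evidence lets the scorecard claim up to MIL2, but the documented procedure that MIL2 requires still has to be produced on its own. Disabled accounts are skipped in the dormant check because the post's concern is accounts an attacker can still log in with; if you also want to catch accounts that should have been deleted, drop that filter.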

This double view, audit and offensive, turns the self-assessment from a checkbox for a report into a tool with verifiable results.

I have seen twelve such projects and can say one thing: the model does not matter if the assessment is dishonest. Organizations that overstate MIL levels in self-assessment receive, six months later, a pentest report that refutes every second item of the scorecard. Dormant accounts, a flat network without segmentation, a SIEM with default rules, passwords in Group Policy Preferences: all of this is invisible in the Excel matrix but visible to net accounts /domain and Permission Groups Discovery (T1069).
 