Advancing Cybersecurity Capability Measurement Using the CERT(registered trademark)-RMM Maturity Indicator Level Scale
CARNEGIE-MELLON UNIV PITTSBURGH PA SOFTWARE ENGINEERING INST
Pagination or Media Count:
A maturity model is a set of characteristics, attributes, indicators, or patterns that represent progression and achievement in a particular domain or discipline. Maturity models typically have levels arranged in an evolutionary scale that defines measurable transitions from one level of maturity to another. The current version of the CERT registered trademark Resilience Management Model CERT-RMM v1.2 utilizes the maturity architecture levels and descriptions as provided in the Capability Maturity Model Integration CMMI constellation models to ensure consistency with CMMI. The spacing between maturity levels often causes CERT-RMM practitioners some difficulty. To address some of these issues, the CERT Division of Carnegie Mellon Universitys Software Engineering Institute did a comprehensive review of the existing specific and generic goals and practices in CERT-RMM to determine if a better scale could be developed to help users of the model show incremental improvement in maturity without breaking the original intent of the CMMI maturity levels. This technical note presents the results the Maturity Indicator Level Scale, or CERT-RMM MIL scale. The first application of the MIL scale was in the Cyber Resilience Review CRR, a comprehensive review process based on CERT-RMM and developed in collaboration with the Department of Homeland Security to measure the effectiveness of resilience practices by owners and operators of critical infrastructure. Upon successful application in the CRR, the MIL scale was adapted for use in the Electricity Subsector Cybersecurity Capability Maturity Model ES-C2M2, which was developed collaboratively with the Department of Energy to comply with a White House initiative to examine and characterize the cybersecurity posture of the electric grid. The application of the MIL scale in the CRR and the ES-C2M2 is addressed in the appendices to this note.
- Computer Programming and Software
- Computer Systems Management and Standards
- Military Operations, Strategy and Tactics