Advancing Cybersecurity Capability Measurement Using the CERT®-RMM Maturity Indicator Level Scale

Abstract

A "maturity model" is a set of characteristics, attributes, indicators, or patterns that represent progression and achievement in a particular domain or discipline. Maturity models typically have levels arranged in an evolutionary scale that defines measurable transitions from one level of maturity to another. The current version of the CERT® Resilience Management Model (CERT-RMM v1.2) uses the maturity architecture (levels and descriptions) provided in the Capability Maturity Model Integration (CMMI) constellation models to ensure consistency with CMMI. The spacing between maturity levels often causes CERT-RMM practitioners some difficulty. To address some of these issues, the CERT Division of Carnegie Mellon University's Software Engineering Institute did a comprehensive review of the existing specific and generic goals and practices in CERT-RMM to determine whether a better scale could be developed to help users of the model show incremental improvement in maturity without breaking the original intent of the CMMI maturity levels. This technical note presents the results: the Maturity Indicator Level Scale, or CERT-RMM MIL scale. The first application of the MIL scale was in the Cyber Resilience Review (CRR), a comprehensive review process based on CERT-RMM and developed in collaboration with the Department of Homeland Security to measure the effectiveness of resilience practices by owners and operators of critical infrastructure. Upon successful application in the CRR, the MIL scale was adapted for use in the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2), which was developed collaboratively with the Department of Energy to comply with a White House initiative to examine and characterize the cybersecurity posture of the electric grid. The application of the MIL scale in the CRR and the ES-C2M2 is addressed in the appendices to this note.

Document Details

Document Type
Technical Report
Publication Date
Nov 01, 2013
Accession Number
ADA592415

Entities

People

  • Matthew J. Butkovic
  • Richard A. Caralli

Organizations

  • Carnegie Mellon University

Tags

Communities of Interest

  • Cyber
  • Engineered Resilient Systems

DTIC Thesaurus Topics

  • Acquisition
  • Best Practices
  • Consistency
  • Cybersecurity
  • Department Of Homeland Security
  • Engineering
  • Homeland Security
  • Indicators
  • Materials
  • Measurement
  • Resilience
  • Risk
  • Risk Management
  • Security
  • Software Development
  • Transitions
  • Vulnerability

Readers

  • Cybersecurity
  • Organizational Process Management (OPM)
  • Software Engineering

Technology Areas

  • Cyber
  • Space