Cybersecurity Capacity Maturity Model for Nations
 | This template is not to be used in article space. This is the sandbox page where you will draft your initial Wikipedia contribution. If you're starting a new article, you can develop it here until it's ready to go live. If you're working on improvements to an existing article, copy only one section at a time of the article to this sandbox to work on, and be sure to use an edit summary linking to the article you copied from. Do not copy over the entire article. You can find additional instructions here. Remember to save your work regularly using the "Publish page" button. (It just means 'save'; it will still be in the sandbox.) You can add bold formatting to your additions to differentiate them from existing content. |
The Cybersecurity Capacity Maturity Model for Nations
The Cybersecurity Capacity Maturity Model for Nations (CMM) is first of its kind framework for countries to review their cybersecurity capacity, benchmark it and receive recommendation for improvement.[1] It was designed by Global Cyber Security Capacity Centre of University (GCSCC) of University of Oxford. The recommendations includes guidance on areas of cybersecurity to focus and invest in. It assesses the capacity of a country from five identified area called dimensions- The dimensions represent the totality of the capacity area required by a country to improve its cybersecurity posture.[2] The assessment rate each dimension using levels that ranges from Start-up, Formative, Established, Strategic and Dynamic. As at June, 2021, the framework has been adopted and implemented in over 80 countries worldwide.[3] Its deployment has been catalyzed by the involvement of international organizations such as the Organization of American States (OAS), the World Bank (WB), the International Telecommunications Union (ITU) and the Commonwealth Telecommunications Union (CTO) and Global Forum on Cyber Expertise (GFCE).[4]
The output of the CMM assessment is a report which details the gaps identified from each aspect and the present maturity level of the nation. Depending on a nations need, it recommend the areas that should be given priority in terms of resource allocation.
Overview
The framework is designed to assist countries participate in a cyberspace that support well-being, human rights and prosperity.
It assesses the capacity of a country from five identified area called dimensions. These dimension have been further divided into factors and the factors have aspects. The Dimensions, factors and aspects have changed overtime between versions.
Factors:
These are the components of a nations capacity whose maturity level is measured.
Aspect.
This are smaller subdivision of factors and they help with understanding each factor and they aid in evidence gathering and measurement.
Stage.
The represent the present how matured a nations is on each factors or aspect. There are 5 stages of maturity, start-up, formative, established, strategic, dynamic. FOr met a particular maturity stage, a national has to fulfill some indicators.
The 5 dimensions from the 2021 version are:
1. Developing cybersecurity policy and strategy;
This dimension examines how a nation fares in terms of availability and implementation of Cybersecurity policies and strategy.
2. Encouraging responsible cybersecurity culture within society;
This dimension views how well citizens of a nation are familiar with digital risk and the provision of a viable channel for reporting cybercriminal activities.
3. Building cybersecurity knowledge and capabilities;
This dimension explores structures in place for cybersecurity awareness and education within the nation
4. Creating effective legal and regulatory frameworks;
Examine the ability of a country to develop, ratify and enforce cybersecurity and privacy related legislation.
5. Controlling risks through standards and technologies.
This dimension examines the common use of cybersecurity standard and presence of structures for development of such technologies.
Difference between versions
Version 1 of the framework was released in 2014 and Kosovo was the first pilot country. The 2014 has has 5 dimension, 21 factors.[5] Version 3 was released in 2016, with 5 dimensions, 24 factors.[6] The latest version was released in 2021 with 5 dimension and 23 factors.[2] Between the 2014 and 2016 version, there were no changes in the naming of factors. Table shows the factor labels between the version.
| Factor | 2014/2016 | 2021 |
|---|---|---|
| D1 | Cybersecurity Policy and Strategy | Developing cybersecurity policy and strategy |
| D2 | Cyber Culture and Society | Encouraging responsible cybersecurity culture within society |
| D3 | Cybersecurity Education, Training and Skills | Building cybersecurity knowledge and capabilities |
| D4 | Legal and Regulatory Frameworks | Creating effective legal and regulatory frameworks |
| D5 | Standards, organisations, and technologies | Controlling risks through standards and technologies |
Below (table 2) is a representation of how the factors have changed between versions.
| Factors | 2014 | 2016 | 2021 |
|---|---|---|---|
| D1.1 | Documented or Official National Cybersecurity Strategy | National Cybersecurity Strategy | National Cybersecurity Strategy |
| D1.2 | Incident Response | Incident Response | Incident Report and Crisis Management |
| D1.3 | Critical National Infrastructure | Critical Infrastructure (CI) Protection | Critical Infrastructure (CI) Protection |
| D1.4 | Crisis Management | Crisis Management | Cybersecurity in Defense and National Security |
| D1.5 | Cyber Defence Consideration | Cyber defense consideration | |
| D1.6 | Digital Redundancy | Cyber defense consideration | |
| D2.1 | Cybersecurity Mind-set | Cybersecurity mind-set | Cybersecurity Mindset |
| D2.2 | Cybersecurity Awareness | Trust and confidence on the Internet | Trust and Confidence in Online Service |
| D2.3 | Confidence and Trust on the Internet | User understanding of personal information protection on the Internet | User Understanding of Personal Information Protection Online |
| D2.4 | Privacy Online | Reporting mechanisms | Reporting Mechanisms |
| D2.5 | Media and social media | Media and Social Media | |
| D3.1 | National Availability of Cyber Education and Training | Raising awareness | Building Cybersecurity Awareness |
| D3.2 | National Development of Cyber Security Education | Framework for education | Cybersecurity Education |
| D3.3 | Training and Educational Initiatives within the Public and Private Sector | Framework for professional training | Cybersecurity Professional Training |
| D3.4 | Corporate Governance, Knowledge and Standards | Cybersecurity Research and Innovation | |
| D4.1 | Cybersecurity Legal Frameworks | Legal frameworks | Legal and Regulatory Provisions |
| D4.2 | Legal Investigation | Criminal justice system | Related Legislative Framework |
| D4.3 | Responsible Reporting | Formal and informal cooperation frameworks to combat cybercrime | Legal and Regulatory capability and Capacity |
| D4.4 | Formal and Informal Co-operation Frameworks to Combat Cybercrime | ||
| D5.1 | Adherence to Standards | Adherence to standards | Adherence to Standards |
| D5.2 | Cybersecurity Coordinating Organisations | Internet infrastructure resilience | Security Controls |
| D5.3 | National Infrastructure Resilience | Software quality | Software Quality |
| D5.4 | Cybersecurity Marketplace | Technical security controls | Communications and Internet Infrastructure Resilience |
| D5.5 | Cryptographic controls | Cybersecurity Marketplace | |
| D5.6 | Cybersecurity marketplace | Responsible Disclosure | |
| D5.7 | Responsible disclosure |
The Stages of National Cybersecurity Capacity
The Structure of the CMM
This section details the aspect in each dimension
The recommendation
This section details the recommendation.
In the recommendations given to nations, each of the aspects has its own recommendation, tailored to meet the criteria listed for each aspect. As an example, there is a recommendation to setup CERT, national cybersecurity strategy etc
Sample results from some of the reviews are available here
Nation with CMM
References
- ^ The World Bank. "Global Cybersecurity Capacity Program. "Lessons Learned and Recommendations towards strengthening the Program"". documents.worldbank.org. Retrieved 2021-06-23.
{{cite web}}: CS1 maint: url-status (link) - ^ a b Global Cyber Security Capacity Centre (2021). "Cybersecurity Capacity Maturity Model for Nations (CMM)" (PDF).
{{cite web}}: CS1 maint: url-status (link) - ^ "CMM Reviews around the World". gcscc.ox.ac.uk. Retrieved 2021-06-24.
- ^ RAND (2017). "Developing Cybersecurity Capacity. A proof-of-concept implementation guide" (PDF).
{{cite web}}: CS1 maint: url-status (link) - ^ Global Cyber Security Capacity Centre (2015). "Cybersecurity Capacity Assessment of the Republic of Kosovo".
{{cite web}}: CS1 maint: url-status (link) - ^ "2020 Cybersecurity Report: Risks, Progress, and the Way Forward in Latin America and the Caribbean | Publications" (PDF). publications.iadb.org. Retrieved 2021-06-25.