Cybersecurity Capacity Maturity Model for Nations

This template is not to be used in article space.

This is the sandbox page where you will draft your initial Wikipedia contribution.

If you're starting a new article, you can develop it here until it's ready to go live.

If you're working on improvements to an existing article, copy only one section at a time of the article to this sandbox to work on, and be sure to use an edit summary linking to the article you copied from. Do not copy over the entire article. You can find additional instructions here.

Remember to save your work regularly using the "Publish page" button. (It just means 'save'; it will still be in the sandbox.) You can add bold formatting to your additions to differentiate them from existing content.

Bibliography sandbox

The Cybersecurity Capacity Maturity Model for Nations

The Cybersecurity Capacity Maturity Model for Nations (CMM) is first of its kind framework for countries to review their cybersecurity capacity, benchmark it and receive recommendation for improvement.^[1] It was designed by Global Cyber Security Capacity Centre of University (GCSCC) of University of Oxford. CMM assesses the capacity of a country from five identified area called dimensions- The dimensions represent the totality of the capacity area required by a country to improve its cybersecurity posture.^[2] The assessment rate each dimension using five levels that range from Start-up, Formative, Established, Strategic and Dynamic. The recommendations includes guidance on areas of cybersecurity to focus and invest in. As at June, 2021, the framework has been adopted and implemented in over 80 countries worldwide.^[3] Its' deployment has been catalyzed by the involvement of international organizations such as the Organization of American States (OAS), the World Bank (WB), the International Telecommunications Union (ITU) and the Commonwealth Telecommunications Union (CTO) and Global Forum on Cyber Expertise (GFCE).^[4]

Overview

The CMM was developed in 2014, through collaborative effort between the GCSCC and over 200 experts from academia, international and regional organizations and the private sector.^[5] Based on pilot exercise that was constructed in 6 countries, modifications to improve the model were made and an updated version was released in 2017. Further consultations based on lesson learnt from CMM deployments resulted in further updates and an updated version in 2021.^[6]

CMM assesses the capacity of a country from five identified area called dimensions. These dimension have been further divided into factors and the factors have aspects. The Dimensions, factors and aspects have changed overtime between versions.

Factors:

These are the components of a nations capacity whose maturity level is measured.

Aspect.

This are smaller subdivision of factors and they help with understanding each factor and they aid in evidence gathering and measurement.

Stage.

This represent how matured a nations is on each factors or aspect. There are 5 stages of maturity; start-up, formative, established, strategic, dynamic. For a nation to met a particular maturity stage, it has to fulfill some indicators.

The 5 dimensions from the 2021 version are:^[2]

1. Developing cybersecurity policy and strategy;

This dimension examines how a nation fares in terms of availability and implementation of Cybersecurity policies and strategy.

2. Encouraging responsible cybersecurity culture within society;

This dimension views how well citizens of a nation are familiar with digital risk and the provision of a viable channel for reporting cybercriminal activities.

3. Building cybersecurity knowledge and capabilities;

This dimension explores structures in place for cybersecurity awareness and education within the nation

4. Creating effective legal and regulatory frameworks;

Examine the ability of a country to develop, ratify and enforce cybersecurity and privacy related legislation.

5. Controlling risks through standards and technologies.

This dimension examines the common use of cybersecurity standard and presence of structures for development of such technologies.

Difference between versions

Version 1 of the framework was released in 2014 and Kosovo was the first pilot country. The 2014 has has 5 dimensions and 21 factors.^[7] The 2016 version has 5 dimensions with 24 factors.^[5] The latest version was released in 2021 with 5 dimensions and 23 factors.^[2]

Between the 2014 and 2016 version, there was no change in the naming of the dimensions. The changes came in 2021 and its represented in table 1.

Table 1 CMM Dimensions changes across versions
Dimensions	2014/2016	2021
D1	Cybersecurity Policy and Strategy	Developing cybersecurity policy and strategy
D2	Cyber Culture and Society	Encouraging responsible cybersecurity culture within society
D3	Cybersecurity Education, Training and Skills	Building cybersecurity knowledge and capabilities
D4	Legal and Regulatory Frameworks	Creating effective legal and regulatory frameworks
D5	Standards, organisations, and technologies	Controlling risks through standards and technologies

Below (table 2) is a representation of how the factors have changed between versions.

Table 2. Changes in Factors between versions.
Factors	2014	2016	2021
D1.1	Documented or Official National Cybersecurity Strategy	National Cybersecurity Strategy	National Cybersecurity Strategy
D1.2	Incident Response	Incident Response	Incident Report and Crisis Management
D1.3	Critical National Infrastructure	Critical Infrastructure (CI) Protection	Critical Infrastructure (CI) Protection
D1.4	Crisis Management	Crisis Management	Cybersecurity in Defense and National Security
D1.5	Cyber Defence Consideration	Cyber defense consideration
D1.6	Digital Redundancy	Communications redundancy
D2.1	Cybersecurity Mind-set	Cybersecurity mind-set	Cybersecurity Mindset
D2.2	Cybersecurity Awareness	Trust and confidence on the Internet	Trust and Confidence in Online Service
D2.3	Confidence and Trust on the Internet	User understanding of personal information protection on the Internet	User Understanding of Personal Information Protection Online
D2.4	Privacy Online	Reporting mechanisms	Reporting Mechanisms
D2.5		Media and social media	Media and Social Media
D3.1	National Availability of Cyber Education and Training	Raising awareness	Building Cybersecurity Awareness
D3.2	National Development of Cyber Security Education	Framework for education	Cybersecurity Education
D3.3	Training and Educational Initiatives within the Public and Private Sector	Framework for professional training	Cybersecurity Professional Training
D3.4	Corporate Governance, Knowledge and Standards		Cybersecurity Research and Innovation
D4.1	Cybersecurity Legal Frameworks	Legal frameworks	Legal and Regulatory Provisions
D4.2	Legal Investigation	Criminal justice system	Related Legislative Framework
D4.3	Responsible Reporting	Formal and informal cooperation frameworks to combat cybercrime	Legal and Regulatory capability and Capacity
D4.4			Formal and Informal Co-operation Frameworks to Combat Cybercrime
D5.1	Adherence to Standards	Adherence to standards	Adherence to Standards
D5.2	Cybersecurity Coordinating Organisations	Internet infrastructure resilience	Security Controls
D5.3	National Infrastructure Resilience	Software quality	Software Quality
D5.4	Cybersecurity Marketplace	Technical security controls	Communications and Internet Infrastructure Resilience
D5.5		Cryptographic controls	Cybersecurity Marketplace
D5.6		Cybersecurity marketplace	Responsible Disclosure
D5.7		Responsible disclosure

The Stages of National Cybersecurity Capacity

The Review Process

CMM Review Process has 3 stages.^[1]^[8]

Stage 1: Desk research and country-partner identification.

The first step is selection of a country. A CMM review can be requested by a country or a country can be selected for assessment by an international or regional organization.

One selected, a relationship is established with host country and necessary stakeholders identified from Academia, Civil Societies, Government Ministries/Department, International Organizations and the Private Sector.

Stage 2: The Review

The actual review with the stakeholders is a three-day consultation process.

Based on the five dimensions, multiple teams are created across stakeholders.

Open discussions or focus groups method is applied to ask and answers questions. Questions and answer can also be collected using online tool.^[9]

Remote follow-up sessions or email may be used for further data collection.

Stage 3: Review Report

A report is presented to the country's government.

It is at the discretion of the country to make it publicly available or not.

The recommendation

The output of the CMM assessment is a report which details the gaps identified from each aspect and the present maturity level of the nation. Depending on a nations need, it recommend the areas that should be given priority in terms of resource allocation.

Sample results from some of the reviews are available here

Nations with CMM

Cybersecurity capacity for over 80 nations have been reviewed using CMM. The list of nations is available here.

References

^ ^a ^b The World Bank. "Global Cybersecurity Capacity Program. "Lessons Learned and Recommendations towards strengthening the Program"" (PDF). documents.worldbank.org. Retrieved 2021-06-23.{{cite web}}: CS1 maint: url-status (link)
^ ^a ^b ^c Global Cyber Security Capacity Centre (2021). "Cybersecurity Capacity Maturity Model for Nations (CMM)" (PDF).{{cite web}}: CS1 maint: url-status (link)
^ "CMM Reviews around the World". gcscc.ox.ac.uk. Retrieved 2021-06-24.
^ RAND (2017). "Developing Cybersecurity Capacity. A proof-of-concept implementation guide" (PDF).{{cite web}}: CS1 maint: url-status (link)
^ ^a ^b "2020 Cybersecurity Report: Risks, Progress, and the Way Forward in Latin America and the Caribbean | Publications" (PDF). publications.iadb.org. Retrieved 2021-06-25.
^ "Development and Evolution of the CMM". gcscc.ox.ac.uk. Retrieved 2021-07-03.
^ Global Cyber Security Capacity Centre (2015). "Cybersecurity Capacity Assessment of the Republic of Kosovo".{{cite web}}: CS1 maint: url-status (link)
^ "CMM Review Process". gcscc.ox.ac.uk. Retrieved 2021-07-03.
^ Organization of American States (2016). "Cybersecurity Are We Ready in Latin America and the Caribbean?".{{cite web}}: CS1 maint: url-status (link)

[:1-1] The World Bank. "Global Cybersecurity Capacity Program. "Lessons Learned and Recommendations towards strengthening the Program"" (PDF). documents.worldbank.org. Retrieved 2021-06-23.{{cite web}}: CS1 maint: url-status (link)

[:0-2] Global Cyber Security Capacity Centre (2021). "Cybersecurity Capacity Maturity Model for Nations (CMM)" (PDF).{{cite web}}: CS1 maint: url-status (link)

[3] "CMM Reviews around the World". gcscc.ox.ac.uk. Retrieved 2021-06-24.

[4] RAND (2017). "Developing Cybersecurity Capacity. A proof-of-concept implementation guide" (PDF).{{cite web}}: CS1 maint: url-status (link)

[:2-5] "2020 Cybersecurity Report: Risks, Progress, and the Way Forward in Latin America and the Caribbean | Publications" (PDF). publications.iadb.org. Retrieved 2021-06-25.

[6] "Development and Evolution of the CMM". gcscc.ox.ac.uk. Retrieved 2021-07-03.

[7] Global Cyber Security Capacity Centre (2015). "Cybersecurity Capacity Assessment of the Republic of Kosovo".{{cite web}}: CS1 maint: url-status (link)

[8] "CMM Review Process". gcscc.ox.ac.uk. Retrieved 2021-07-03.

[9] Organization of American States (2016). "Cybersecurity Are We Ready in Latin America and the Caribbean?".{{cite web}}: CS1 maint: url-status (link)

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]