The Cybersecurity Capacity Maturity Model for Nations (CMM) is a globally recognised tool for assessing a country’s cyber capacity and preparedness. At the invitation of governments, OCSC’s Research and Capacity Building Team conduct multi-stakeholder national cyber capacity reviews through a combination of desk research and in-country consultations. The CMM is designed to understand a country’s cyber capacity in a holistic manner that extends beyond IT to policy, legislature, culture, and more. The comprehensive review enables nations to understand where they stand now on their cyber maturity journey and prioritise what steps to take next. Upon request, OCSC goes one step further after the CMM, working with the country through a roadmap process to plot the chosen next steps in sequence against an agreed timeline.
CMM Overview
The CMM Review helps host nations understand and benchmark where they stand now on the cybersecurity maturity journey and identify their own priorities for next steps, while providing specific recommendations for national policies, strategies, and activities to strengthen capacity and resilience. Consultations conducted with key stakeholders from all sectors ensure that the assessment is informed by the daily experience of those on the ground directly involved in cybersecurity. This level of engagement ensures that the assessment captures local strengths, priorities, challenges, and opportunities.
Subsequent CMM Reviews after the initial benchmarking assessment facilitate the evaluation of what impact capacity building activities have had and consideration of what works, what doesn’t work and why.
Following a CMM review, OCSC can work with the country and key stakeholders to co-design a Cyber Roadmap that plots the sequence of chosen actions to lift maturity against an agreed and phased timeline.
Regional Impact of the CMM
An independent evaluation commissioned by the UK Foreign, Commonwealth and Development Office, conducted in 2020, revealed that participating nations found several benefits from conducting a CMM review, including:
- increased cybersecurity awareness and capacity building, and greater collaboration within government;
- networking and collaboration with business and wider society;
- the enhancement of the internal credibility of the cybersecurity agenda within governments;
- help in defining roles and responsibilities within governments;
- providing evidence to increase funding for cybersecurity capacity building; and
- a foundation for country strategy and policy development.
Testimonials:
“The CMM gave us a clear picture as to where we are and what sort of things that we need to do, it helps us identify where our strengths is, in regards to communication in terms of incident response due to an attack or something of that sort. So definitely it gives us a clear guidance on what we expect to see. ” (John Jack, Deputy CIO, Government of Vanuatu)
“The CMM Report, more so the recommendations, are quite crucial. We see what needs to be done, so we have more control on the things that we want to prioritise and then try to work with our development partners in implementing such recommendations… In a way 2019 becomes our baseline, so reassessment will be good so we can see what further we can improve. But, on that it also will tell us from 2019 and this point in time, what progress have we made. So I think in a way we are self-evaluating ourselves” (Domingo Kabunare, Chief Information Security Officer, Government of Kiribati)
“The Roadmap will get us more focused in terms of building our cybersecurity capacity and that roadmap will be almost like a strategy for us to be more efficient. It will also assist with donor priorities, that roadmap will also identify to donors the requirement we need” (Geoff Harris, Secretary of ICT, Ministry of Communications and Media, Government of Nauru)
“For some of these developing and small island nations, that’s the kind of support we need. If we haven’t clearly mapped out or sequenced what needs to be done, this review process does that for us.” (Steven Matainaho, Secretary of Department of Information and Communications Technology, Government of Papua New Guinea)
The Methodology of the CMM
The CMM was developed by the Global Cyber Security Capacity Centre (GCSCC) at the University of Oxford in 2014, in consultation with 200+ international experts drawn from governments, international organisations, academia, public and private sectors, and civil society. In 2015 the first reviews were conducted and since then the model has evolved, with the latest version released in 2021. Reviews are by invitation only and are always in coordination with the host country. The process involves data-gathering by a team of researchers who carry out in-country multi-stakeholder consultations and desk research to cover all dimensions of the CMM.
The Dimensions of Cybersecurity
The CMM considers cybersecurity to comprise five Dimensions which together constitute the breadth of national capacity that a country requires to be effective in delivering cybersecurity:
- Developing cybersecurity policy and strategy;
- Encouraging responsible cybersecurity culture within society;
- Building cybersecurity knowledge and capabilities;
- Creating effective legal and regulatory frameworks; and
- Controlling risks through standards and technologies.
These dimensions are often interrelated and have mutual requirements of one another. Therefore, the CMM as a framework benchmarks a country across the entire CMM, enabling an holistic understanding of national capacity.
The Structure of the CMM
Each Dimension of the CMM is comprised of Factors, which are the essential elements that make up what it means to possess national cybersecurity capacity. These Factors are further broken down into subsequent clusters of Aspects, which make the Factors easier to comprehend. Finally, the CMM identifies a Stage of maturity that a country has progressed to in a certain Factor or Aspect of cybersecurity. This benchmarking is done by the fulfilment of Indicators, which are any steps, actions, or building blocks that a country will need to have achieved to have reached the relevant Stage of maturity.
There are five stages of maturity, ranging from the start-up stage to the dynamic stage. The start-up stage implies an ad-hoc approach to capacity, whereas the dynamic stage represents a strategic approach and the ability to adapt dynamically or to change in response to environmental considerations.
The Evolution of the CMM
The OCSC Director of Research, the Head of Department of Software Systems and Cybersecurity and Professor of Human Factors in Cyber Security at Monash University, and GCSCC Technical Board, peer review all the OCSC CMM reports prior to their submission to the partner nation for review. The CMM as a model is reviewed routinely by the GCSCC Expert Advisory Panel, strategic, regional and implementation partners of the GCSCC (including the OCSC), and other experts from academia, international and regional organisations, governments, the private sector, and civil society.
CMM Pacific Reviews
Since starting the CMM programme in 2017, the OCSC has assisted with 1 CMM review in Europe and led numerous CMM reviews in the Indo-Pacific, continuing to work with countries in the Indo-Pacific upon request.
More information about previous reviews conducted by OCSC can be found here.