The CMM

OCSC and the CMM

As part of the global constellation of capacity centres working with the University of Oxford’s Cybersecurity Capacity Maturity Model for Nations (CMM), the OCSC conducts multi-stakeholder national cybersecurity capacity assessments at the invitation of governments.

The Global Cyber Security Capacity Centre (GCSCC) at the University of Oxford developed the CMM as a framework to facilitate the review of the maturity of a country’s cyber security capacity in consultation with 200+ international experts drawn from governments, international organisations, academia, public and private sectors, and civil society. The CMM continues to be refined through expert consultation, with the latest version released in March 2021. As of December 2021, the CMM has been deployed 120+ times in 87 nations across the globe.

The CMM considers that developing effective national cybersecurity policy and strategy must include:

  • encouraging responsible cybersecurity culture within society;

  • building cybersecurity knowledge and capabilities for the existing and future workforce;

  • creating effective legal and regulatory frameworks; and

  • controlling risks through standards and technologies.

Importantly, the CMM takes a view of cybersecurity that extends beyond IT, to the following five dimensions:

Each dimension contains a number of factors which describe what it means to possess cyber security capacity. Each factor presents several aspects grouped by related indicators, which describe steps and actions that, once observed, define the stage of maturity of that aspect.

There are five stages of maturity, ranging from the start-up stage to the dynamic stage. The start-up stage implies an ad-hoc approach to capacity, whereas the dynamic stage represents a strategic approach and the ability to adapt dynamically or to change in response to environmental considerations.

The OCSC Director of Research and the GCSCC Technical Board peer review all OCSC CMM reports prior to their submission to the partner nation for review. The Technical Board members are senior academics who lead the development of the different dimensions of the CMM and work at various universities around the world. They comprise the following experts:

  • Associate Professor Carsten Rudolph: Carsten is OCSC’s Director of Research and the Head of Department for Software Systems at Monash University.

  • Professor Michael Goldsmith: Michael is the current Director of the GCSCC and a Senior Research Fellow at the Department of Computer Science and Worcester College, at Oxford University.

  • Professor Sadie Creese: Sadie is the founding Director of the GCSCC and a Professor of Cyber Security in the Department of Computer Science at the University of Oxford.

  • Professor William (Bill) Dutton: Bill is an Emeritus Professor at the University of Southern California (USC), and an Oxford Martin School Fellow.

  • Professor Basie Von Solms: Basie is a Research Professor in the Academy for Computer Science and Software Engineering at the University of Johannesburg (UJ) in Johannesburg, South Africa, and the present Director of the UJ Centre for Cyber Security.

  • Dr Jamie Saunders: Jamie is a strategic security consultant and a visiting Professor at University College London’s Department of Security and Crime Science.

CMM Reviews

The CMM Approach

Depending on the COVID-19 climate, the OCSC team can facilitate either an on-line or an in-country review.

The OCSC works with the host government to coordinate focus groups with the right stakeholders from all sectors, so that the assessment is informed by the daily experience of those on the ground directly involved in cybersecurity. This level of engagement ensures that the assessment captures local strengths, priorities, challenges, and opportunities.

This initial assessment helps host nations understand and benchmark where they stand now on the cybersecurity maturity journey and identify their own priorities for next steps, while providing specific recommendations for national policies, strategies, and activities to strengthen capacity and resilience. A second assessment in the future enables the evaluation of what impact capacity building activities have had and consideration of what works, what doesn’t work and why.

Following the finalisation of the report, the OCSC works with the host nation and the international capacity building community on research and projects that meet the identified needs and requests of the host nation.

The CMM Impact

An independent evaluation conducted in 2020 revealed that the participating nations in the Pacific found the CMM to be of the highest value. According to the authors, the CMM provided many benefits to the recipient nations, with the following among the noteworthy mentions:

“was foundational to their strategy and policy development, contributing to greater collaboration within government and enabling networking and collaboration with business and the wider society”

“a number of secondary benefits were identified, namely helping to define roles and responsibilities within government and facilitating networking within governments as well as with the private sector”

“contributed to increased cybersecurity awareness and capacity building through the development and/or refinement of their government’s national cybersecurity strategies and related policies”

“contributed to some investments and reforms, such as the development of national Cybersecurity Incident Response Team (CIRT) and Digital Security Authorities”

The OCSC continues to provide some of the best research available in the Pacific region, with the aim of continually providing high impact outcomes and learning experiences that are of value.

CMM Pacific Reviews

OCSC’s ambition is to conduct an Australian CMM Review

Since starting the CMM programme in 2018, the OCSC has conducted seven CMM reviews in the Indo-Pacific and continues to work with countries in the region upon request.

Samoa

Our first review was conducted in the Independent State of Samoa in April 2018 at the invitation of the Ministry of Communications and Information Technology (MCIT), and in collaboration with the International Telecommunication Union (UN-ITU) and the Global Cyber Security Capacity Centre (GCSCC).

As part of this joint mission, ITU and the Asia-Pacific Network Information Centre (APNIC) facilitated a national capacity building workshop for Computer Incident Response Teams (CIRTs) in Samoa to further enhance the nation’s cyber security capacity.

View the report.

Tonga

Our next review saw the same team from OCSC, UN-ITU and GCSCC working together with the Kingdom of Tonga in June 2018, at the invitation of the Ministry of Meteorology, Energy, Information, Disaster Management, Environment, Climate Change and Communications (MEIDECC).

As part of this joint mission, UN-ITU conducted a review of Tonga CERT and worked with the Asia-Pacific Network Information Centre (APNIC) to facilitate a national capacity building workshop for Computer Incident Response Teams (CIRTs) to further enhance the nation’s cyber security capacity.

Vanuatu

At the invitation of the Office of the Government Chief Information Officer (OGCIO), in March 2019 the OCSC team joined the International Telecommunication Union (UN-ITU) to work with the Republic of Vanuatu as part of a joint mission. On this mission, the OCSC and the UN-ITU conducted a review of the national CERT of Vanuatu and ran a workshop to further enhance the nation’s cyber security capacity.

Papua New Guinea

In June 2019, OCSC and the team from the UN-ITU again joined forces, this time to work with the Independent State of Papua New Guinea at the invitation of the National Information and Communications Technology Authority (NICTA). On this mission, the UN-ITU conducted a review of the national CERT of PNG and ran a workshop to further enhance the nation’s cyber security capacity.

Federated States of Micronesia

In January 2020, in collaboration with the Asia-Pacific Telecommunity (APT) and at the invitation of the Department of Transportation, Communications & Infrastructure (TC&I), the OCSC team conducted a review of the Federated States of Micronesia (FSM).

The review was part of an APT Expert Mission and was conducted in conjunction with the Digital FSM workshop with TC&I and the World Bank, in Palikir, Pohnpei, Federated States of Micronesia.

Tuvalu

With the COVID-19 pandemic disrupting in-country missions, the OCSC conducted an on-line CMM for Tuvalu in February 2021, at the invitation of the Tuvalu government.

Cook Islands

In June 2022, the OCSC team conducted their first in-person CMM review since the beginning of the COVID-19 pandemic, in the Cook Islands. Invited by the Office of the Prime Minister, they engaged 120 participants over five days of focus groups.
