Why is CMMI Level 3 Relevant for Cybersecurity?

Maturity models have been around for more than three decades, as early as the 1980s.  The original intent of the Capability Maturity Model (CMM) was to assess the United States Department of Defense (D.O.D.) contractors’ processes.  The success of the software projects was measured using the CMM measurements.  Higher maturity scores were equivalent to better processes.  Higher scores also meant that the contractors used established and reputable processes and best practices for software design, development and quality assurance.

The context in which the term ‘maturity’ was used had special significance.  It was used in reference to specific aspects of the assessment, where the level of organization and optimization of each operation could range from ad hoc to formal.  Because CMM’s initial focus was particularly aimed at improving the software development process, its scope and application was very limited. For this reason, the Software Engineering Institute (SEI) at Carnegie Mellon University revised it.  It then became known as the Capability Maturity Model Integration (CMMI).  This new framework superseded the original CMM in scope.

The extended scope of CMMI now allows it to have a footprint in multiple disciplines.  These include Information and Communication Technology (ICT), business process management, service management, civil engineering, manufacturing and cybersecurity.