Process Maturity represents an organization's commitment to, and consistency in, performing its processes. Measuring Process Maturity determines how well practices are defined, executed, and managed. A higher level of Process Maturity contributes to more stable processes that produce consistent and expected results over time. Mature processes are retained during times of stress, enabling an organization to better prevent and respond to a cyberattack.
The CMMC maturity levels serve as a way to measure an organization's process maturity, or process institutionalization. Within the context of the CMMC model, process institutionalization provides additional assurance that the practices associated with each level are implemented effectively. The CMMC model consists of five maturity processes that span Maturity Levels (ML) 2-5 and apply to all domains. Organizations perform practices at Level 1, but process maturity is not assessed at ML 1.
- ML.2.999: Establish a policy that includes [DOMAIN NAME].
- ML.2.998: Document the CMMC practices to implement the [DOMAIN NAME] policy.
- ML.3.997: Establish, maintain, and resource a plan that includes [DOMAIN NAME].
- ML.4.996: Review and measure [DOMAIN NAME] activities for effectiveness.
- ML.5.995: Standardize and optimize a documented approach for [DOMAIN NAME] across all applicable organizational units.
Additional information on all the CMMC Processes can be found in the CERT-RMM Generic Goals.
Two models that provide key foundational elements of process maturity in the CMMC are CMMI and CERT-RMM.
Capability Maturity Model Integration (CMMI)
The Capability Maturity Model Integration (CMMI) is a proven set of global best practices that drives business performance through building and benchmarking key capabilities. The CMMI was originally created by Carnegie Mellon's Software Engineering Institute (SEI) for the U.S. Department of Defense (DoD) to assess the quality and capability of its software contractors. CMMI models have since expanded beyond software engineering to help any organization in any industry build, improve, and measure its capabilities and improve performance. The CMMI knowledge base is a foundational element of the process maturity component of the CMMC. High-performing organizations achieve demonstrable, sustainable business results with CMMI. CMMI best practices focus on what needs to be done to improve performance and align operations with business goals.
More information on the CMMI suite of tools can be found at:
CERT Resilience Management Model (CERT-RMM)
The CERT Resilience Management Model (CERT-RMM) is a process improvement approach to managing operational resilience. It defines the essential organizational practices for managing operational resilience. CERT-RMM can be used to determine an organization's capability to manage resilience, set goals and targets, and develop plans to close identified gaps. By taking a process view, CERT-RMM helps organizations respond to disruptions, such as a cyberattack, with mature and predictable performance. The process maturity component of the CMMC was derived from CERT-RMM.
Other Maturity Models
The three models below are also derivatives of the CERT-RMM and were created by the Software Engineering Institute (SEI) for specific clients:
The Cyber Resilience Review (CRR) was created for the Department of Homeland Security (DHS) to review the cyber resiliency of critical infrastructure. Since the CMMC and the CRR are both derivatives of the RMM, they share a similar architecture and maturity questions.
The Cybersecurity Capability Maturity Model (C2M2) was developed specifically for the Department of Energy (DoE). This model is also a derivative of the RMM, so it shares many similarities with the CMMC.
The External Dependencies Management (EDM) assessment was created for DHS and is used to review the external dependency practices of critical infrastructure organizations. The assessment expands the external dependency management domain from the CRR into its own assessment, which focuses on relationship formation, relationship management, and service protection and sustainment.