Capability Maturity Models

Learn how maturity frameworks such as CMMI, CERT-RMM, and CMMC help organisations measure and improve process capability, cybersecurity resilience, and service delivery.

What is a Capability Maturity Model?

A Capability Maturity Model (CMM) provides a structured path for organisations to assess current process capability, identify gaps, and define milestones for improvement. Maturity levels offer a common language to communicate organisational proficiency internally and to regulators, customers, and partners.

Key Objectives
  • Measure repeatability, consistency, and effectiveness of processes
  • Prioritise investments based on maturity gaps and risk appetite
  • Benchmark against industry peers or contractual requirements
  • Enable continuous improvement and cultural change

Common Application Areas
  • Software and systems engineering (CMMI for Development/Services)
  • Cybersecurity resilience (CERT-RMM, CMMC)
  • Business process management and operational governance
  • Vendor assurance programmes and managed service providers

Five-Level Maturity Model (Generic)

Level  Name                    Characteristics
1      Initial                 Processes are ad-hoc and reactive. Success depends on individual effort. Unpredictable outcomes.
2      Managed                 Basic project management processes exist. Work is planned and tracked, but still largely reactive.
3      Defined                 Organisation-wide standard processes are documented, tailored, and institutionalised. Knowledge sharing occurs.
4      Quantitatively Managed  Processes are measured and controlled using statistical methods. Performance baselines guide decision making.
5      Optimising              Continuous improvement is embedded. Innovative practices and feedback loops drive proactive change.

Tip: Map your organisation’s current state against these levels to frame improvement goals and highlight quick wins.

CMMI 2.0 (Capability Maturity Model Integration)

Developed by ISACA (formerly CMMI Institute) with models for Development, Services, and Supplier Management.

  • Practice areas grouped into Stakeholder Satisfaction, Work Management, Engineering, Supporting, and Improvement
  • Maturity levels 1–5 (as above) or capability levels (0–3) for specific practice areas
  • Appraisals (SCAMPI / Benchmark appraisals) provide formal ratings recognised by government clients
  • Emphasises performance measurement, agile integration, and governance

CERT-RMM (Resilience Management Model)

Developed by Carnegie Mellon’s Software Engineering Institute for operational resilience.

  • Focuses on convergence of cyber security, business continuity, and IT operations
  • 26 process areas covering risk management, service continuity, incident response, and workforce management
  • Maturity scale from 0 (Incomplete) to 5 (Optimised)
  • Forms the foundation for the US Department of Defense’s CMMC 2.0 Level 2 requirements

CMMC 2.0 Overview

Maturity Levels
  • Level 1 – Foundational: 17 practices aligned with FAR 52.204-21 (basic safeguarding)
  • Level 2 – Advanced: 110 practices mapped to NIST SP 800-171, third-party assessment for priority contractors
  • Level 3 – Expert (forthcoming): Expected to align with NIST SP 800-172 for critical programs

Implementation Tips
  • Conduct a gap analysis against required practices and documentation artefacts
  • Establish continuous monitoring to sustain certification readiness
  • Integrate with broader governance frameworks (ISO 27001, NIST CSF)
  • Maintain evidence repository for assessments (policies, procedures, screenshots, ticket logs)

Getting Started with Maturity Improvement

  1. Define Scope: Identify business units, services, and processes to assess.
  2. Baseline Assessment: Use maturity questionnaires or facilitated workshops to score current state.
  3. Prioritise Gaps: Focus on areas with highest risk or contractual significance.
  4. Develop Roadmap: Align improvement projects with budgets, resources, and governance cycles.
  5. Measure & Report: Track metrics (KPIs/KRIs) and communicate progress to stakeholders.
  6. Institutionalise: Update policies, training, and incentive structures to sustain gains.