Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 EDITION

Executive Summary
The world’s economies continue to develop with an ever-increasing dependence on technology. If we do not ensure that cybersecurity capacity exists across the entirety of cyberspace, we will inevitably create cyber-ghettos. In such environments, cyber-harm may become prevalent and cyber-attacks can easily be launched. The ability of countries to respond and grow capacity in the face of changing threats – be they due to trends in technology use, the socio-political climate, or evolution of the threat-actor ecosystem – has never been more important.

The Cybersecurity Capacity Maturity Model for Nations (CMM) helps nations understand what works, what does not work and why, across all areas of cybersecurity capacity. This is important so that governments and enterprises can adopt policies and make investments that have the potential to significantly enhance safety and security in cyberspace, while also respecting human rights, such as privacy and freedom of expression.

Since 2015, the Global Cyber Security Capacity Centre (GCSCC, Capacity Centre) has actively promoted the CMM across sectors, to drive conversation around cybersecurity capacity and to help improve global technology. The resulting adoption of the CMM by various key international stakeholders, and the completion of more than 120 CMM reviews in more than 85 countries around the world, demonstrates the positive impact of the research, supports government self-assessments and informs the development of industry tools and resources.

Prompted by the changing threat landscape and corresponding cybersecurity practice, the GCSCC has led a revision of the CMM, the first to be carried out since the 2016 edition was issued. To produce this 2021 edition, the Capacity Centre undertook a global collaborative exercise aimed at extracting and synthesising the community’s latest knowledge. The GCSCC developed change proposals based on lessons learned from CMM deployments, and undertook a series of online and offline consultations with experts, to validate the findings and discuss the changes. Those who were consulted included the GCSCC Expert Advisory Panel, strategic, regional and implementation partners of the GCSCC, and other experts from academia, international and regional organisations, governments, the private sector, and civil society. Based on their input, indicators for each Aspect have been identified, designed, refined, and validated.

Actors around the world, ranging from individuals to nation states, need to ensure that cyberspace and the systems dependent on it are resilient to increasing attacks. The CMM 2021 Edition and its deployment will continue to contribute towards efforts to achieve this resilience, not only by gaining a more profound understanding of international cybersecurity capacity, but also by increasing effective investment into cybersecurity capacity based on a rigorous analysis of data collected from the deployment of the model. Critical gaps in all areas of international cybersecurity will be identified and filled with scalable and effective countermeasures, in co-operation with international partners from the global cybersecurity community.

The enhancement of the CMM is not intended to be a static exercise; a continuous process of refinement will be maintained to ensure the CMM remains applicable to all national contexts and reflects the global state of cybersecurity capacity maturity. However, this evolution will continue to be a considered exercise, stimulated by evidence and practice.

Contents

Executive Summary                                                          2
A National Cybersecurity Assessment with the CMM                           4
The Dimensions of National Cybersecurity Capacity                          5
The Structure of the CMM                                                   7

Dimension 1: Cybersecurity Policy and Strategy                             9
D 1.1: National Cybersecurity Strategy                                    12
D 1.2: Incident Response and Crisis Management                            14
D 1.3: Critical Infrastructure (CI) Protection                            16
D 1.4: Cybersecurity in Defence and National Security                     17

Dimension 2: Cybersecurity Culture and Society                            19
D 2.1: Cybersecurity Mindset                                              22
D 2.2: Trust and Confidence in Online Services                            23
D 2.3: User Understanding of Personal Information Protection Online       26
D 2.4: Reporting Mechanisms                                               27
D 2.5: Media and Online Platforms                                         28

Dimension 3: Building Cybersecurity Knowledge and Capabilities            29
D 3.1: Building Cybersecurity Awareness                                   32
D 3.2: Cybersecurity Education                                            34
D 3.3: Cybersecurity Professional Training                                36
D 3.4: Cybersecurity Research and Innovation                              37

Dimension 4: Legal and Regulatory Frameworks                              38
D 4.1: Legal and Regulatory Provisions                                    41
D 4.2: Related Legislative Frameworks                                     43
D 4.3: Legal and Regulatory Capability and Capacity                       45
D 4.4: Formal and Informal Co-operation Frameworks to Combat Cybercrime   47

Dimension 5: Standards and Technologies                                   48
D 5.1: Adherence to Standards                                             51
D 5.2: Security Controls                                                  53
D 5.3: Software Quality                                                   55
D 5.4: Communications and Internet Infrastructure Resilience              56
D 5.5: Cybersecurity Marketplace                                          57
D 5.6: Responsible Disclosure                                             59

Evolution of the CMM                                                      60
Acknowledgements                                                          61
About the GCSCC                                                           62

A National Cybersecurity Assessment with the CMM

The CMM review of a country involves data-gathering by a team of researchers who carry out in-country stakeholder consultation and desk research. The output is an evidence-based report which:

• benchmarks the maturity of a country’s cybersecurity capacity;

• details a pragmatic set of actions to contribute to the advancement of cybersecurity capacity maturity gaps; and

• identifies priorities for investment and future capacity-building, based on a country’s specific needs.

According to an independent study commissioned by the UK Foreign, Commonwealth and Development Office, the benefits of a CMM review for a country are numerous and include:

• increased cybersecurity awareness and capacity building, and greater collaboration within government;

• networking and collaboration with business and wider society;

• the enhancement of the internal credibility of the cybersecurity agenda within governments;

• help in defining roles and responsibilities within governments;

• providing evidence to increase funding for cybersecurity capacity building; and

• a foundation for country strategy and policy development.

It is important that a country can evidence its achievements in cybersecurity capacity and the CMM identifies what that evidence should be, and what it demonstrates. Such evidence gathering is in itself a multi-stakeholder process, involving a wide range of sources and organisations. Discussions can be important to resolve differences of opinion. Whether such discussions can be effective if done remotely (and online), or will necessitate face-to-face meetings, will depend upon the country undertaking a review.

For more information on the CMM review methodology, process and exemplary CMM reports, visit: https://gcscc.ox.ac.uk/the-cmm

The Dimensions of National Cybersecurity Capacity

[Figure: the five Dimensions of the CMM. Dimension 1: Cybersecurity Policy and Strategy; Dimension 2: Cybersecurity Culture and Society; Dimension 3: Building Cybersecurity Knowledge and Capabilities; Dimension 4: Legal and Regulatory Frameworks; Dimension 5: Standards and Technologies.]

The CMM considers cybersecurity to comprise five Dimensions which together constitute the breadth of national capacity that a country requires to be effective in delivering cybersecurity:

1. Developing cybersecurity policy and strategy;

2. Encouraging responsible cybersecurity culture within society;

3. Building cybersecurity knowledge and capabilities;

4. Creating effective legal and regulatory frameworks; and

5. Controlling risks through standards and technologies.
ension 1                      ension 2                  ension 3                  nsion 4
                                                                                                      imecountry’s               mension 5
                     Dim                          Dim 1 Cybersecurity
                                           Dimension                        Dimand Strategy
                                                                         Policy              exploresDthe           capacity Di                                  The CMM defines five Stages of maturity for all Dimensions being: start-up,
                                           to develop and deliver cybersecurity strategy, and to enhance its cybersecurity                                       formative, established, strategic, and dynamic. These correspond to the following:
                                           resilience by improving its incident response, cyber defence and critical infrastructure                              initial development of capacity, being established, being world-leading, and able to
                                           (CI) protection capacities. This Dimension considers effective strategy and policy                                    anticipate and prepare for future cybersecurity needs.
                                           in delivering national cybersecurity capability, while maintaining the benefits of a
                                           cyberspace vital for government, international business and society in general.                           It should be noted that there are relationships between the Dimensions; for example,
                  Cybersecurity Policy        Cybersecurity Culture    Building Cybersecurity           Legal and              Standards and         to be effective in one area of capacity often places requirements on other areas1. It
                         nsion
                     andeStrategy          Dimension
                                                  anden2siCybersecurity
                                                          o
                                                      Society
                                                            n           Culturee nand
                                                                                  s
                                                                          Knowledgeio  Society reviewsRegulatory
                                                                                      and
                                                                                      n                 important
                                                                                                          ens ion   elements of Technologies
                                                                                                                                a                    is also the case that resources are limited and priorities for capacity enhancements
 1                   Dim         2               Dim
                                           responsible
                                                              3              im
                                                                           DCapabilities
                                                        cybersecurity culture
                                                                                        4             im
                                                                                                     DFrameworks
                                                                               such as the understanding
                                                                                                                  5
                                                                                                            of cyber-related risks                   are likely to require a response which could span multiple Dimensions. Therefore,
                                           in society, the level of trust in Internet services, e-government and e-commerce                          a benchmarking activity reviews a country against the entire CMM and across all
                        ension 1                       ensiousers’
                                                              n 2 understanding    enofsipersonal
                                                                                         on 3                     nsion 4
                                                                                                                 eprotection               ension 5 Dimensions, enabling an holistic consideration of national capacity.
                     Dim                   services,
                                                  D im and                   D im                 information
                                                                                                           D im               online.  D im
                                           Moreover, this Dimension explores the existence of reporting mechanisms
                                           functioning as channels for users to report cybercrime. In addition, this Dimension
                                           reviews the role of media and social media in shaping cybersecurity values,
Policy           Cybersecurity Culture        Building and
                                           attitudes    Cybersecurity
                                                             behaviour.          Legal and                 Standards and
 y
 2                   iand sion
                      menSociety 3                  i mensionand
                                                 Knowledge
                                                                4              i m ension 5
                                                                               Regulatory                   Technologies
                     D                            DCapabilities              DFrameworks
                                           Dimension 3 Building Cybersecurity Knowledge and Capabilities reviews the
                  Cybersecurity Policy         Cybersecurity Culture     Building Cybersecurity                Legal and               Standards and
                                           availability,  quality and uptake  of programmes       for various    groups of stakeholders,
                         nsion
                     andeStrategy                   anden sio
                                                         Society
                                                              n                    e
                                                                            Knowledgen sionand                   en sio
                                                                                                             Regulatoryn                Technologies
 1                   Dim         2         including m
                                                  Di the government,
                                                                3        private m
                                                                               i sector4and the population
                                                                             DCapabilities                   im     as a 5whole, and relate
                                                                                                           DFrameworks
                                           to cybersecurity awareness-raising programmes, formal cybersecurity educational
                                           programmes, and professional training programmes.
ulture          Building Cybersecurity      Dimension  Legal4 and                   Standards  and
y3                    imensionand
                   Knowledge    4                    im  ensiLegal
                                                      Regulatory
                                                                      and Regulatory
                                                               on 5Dimension      1
                                                                                          Frameworks      examines the government’s
                                                                                     TechnologiesDimension 2
                    DCapabilities                  DFrameworks
                                            capacity    to design and enact national legislation that directly and indirectly
                                                                 Cybersecurity Policy             Cybersecurity
                                            relates to cybersecurity,       with a particular
                                                                     and Strategy                 emphasis placed on the topics of
Policy           Cybersecurity Culture         Building Cybersecurity                  Legal andCulture and SocietyStandards and
                             sion 3         regulatory    requirements for cybersecurity,           cybercrime-related      legislation and
 y
 2                    anden
                    Dim
                           Society                   imensionand
                                                  Knowledge
                                                   DCapabilities  4                    mension 5
                                                                                      iRegulatory
                                                                                    DFrameworks
                                                                                                                    Technologies
                                            related    legislation. The capacity       to enforce such laws is examined through law
                                            enforcement, prosecution, regulatory bodies and court capacities. Moreover, this
                                            Dimension observes issues such as formal and informal co-operation frameworks
 curity                 Legal and           to combat     cybercrime.
                                                   Standards    and
nd
                      im  en sio
                      Regulatoryn 5Dimension 1
                                                    Technologies
                                                                  Dimension 2
s4                  DFrameworks             Dimension       5 Standards     and Technologies addresses effective and widespread
                                 Cybersecurity Policy               Cybersecurity
ulture                                      use of cybersecurity
                                     and Strategy
                Building Cybersecurity                 Legal andCulturetechnology       to protect
                                                                        and SocietyStandards   and individuals, organisations and national
y3                     m  ensionand
                   Knowledge
                      i           4                  im  ensionThis
                                            infrastructure.
Dimension 5 Standards and Technologies specifically examines the implementation of cybersecurity standards and good practices, the deployment of processes and controls, and the development of technologies and products in order to reduce cybersecurity risks.

[Figure: the five CMM Dimensions (Dimension 1 Cybersecurity Policy and Strategy; Dimension 2 Cybersecurity Culture and Society; Dimension 3 Building Cybersecurity Knowledge and Capabilities; Dimension 4 Legal and Regulatory Frameworks; Dimension 5 Standards and Technologies)]

For a country to reach an established level of maturity under the Aspect ‘Initiatives by Government’ in Factor 3.1 Building Cybersecurity Awareness, one of the requirements that must be met is that the content of the co-ordinated national cybersecurity awareness-raising programme includes explicit links to national cybersecurity strategy. Similarly, for a country to reach an established level of maturity under the Aspect ‘Administration’ in Factor 3.2 Cybersecurity Education, cybersecurity education priorities resulting from the multi-stakeholder consultation process should be reflected in the national cybersecurity strategy.

6         Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition
The Structure of the CMM

Dimension
The five Dimensions together cover the breadth of national cybersecurity capacity assessed by the CMM. Each Dimension is constituted by a range of Factors, which capture the core capacities required to deliver the Dimension. Together, they represent the different ‘lenses’ through which cybersecurity capacity can be evidenced and analysed.

Factor
Within the five Dimensions, Factors describe what it means to possess cybersecurity capacity. These are the essential elements of national capacity, which are then measured for maturity Stage. The complete list of Factors seeks to holistically incorporate all of a nation’s cybersecurity capacity needs. Most Factors are composed of a number of Aspects which structure the Factor’s Indicators into more concise parts (which directly relate to evidence gathering and measurement). However, some Factors that are more limited in scope do not have specific Aspects.

Aspect
Where a Factor possesses multiple components, these are Aspects. Aspects are an organisational method to divide Indicators into smaller clusters that are easier to comprehend. The number of Aspects depends on the themes that emerge in the content of the Factor and the overall complexity of the Factor.

Stage
Stages define the degree to which a country has progressed in relation to a certain Factor or Aspect of cybersecurity capacity. The CMM consists of five distinct Stages of maturity: start-up, formative, established, strategic, dynamic (detailed on page 8). A CMM review will benchmark a country against these Stages, capturing existing cybersecurity capacity, from which a country can improve or decline depending on the actions taken (or inaction). Within each Stage there are a number of Indicators which a country has to fulfil to successfully have reached the Stage.

Indicator
Indicators represent the most basic part of CMM’s structure. Each Indicator describes the steps, actions, or building blocks that are indicative of a specific Stage of maturity. To have successfully reached a Stage of maturity, a country will need to convince itself that it can evidence each of the Indicators. In order to elevate a country’s cybersecurity capacity maturity, all of the Indicators within a particular Stage will need to have been fulfilled. Most of these Indicators are binary in nature, i.e., the country can either evidence it has fulfilled the Indicator criteria, or it cannot provide such evidence.

[Figure: the CMM hierarchy (Dimension, Factor, Aspect), with Indicators grouped under each of the five Stages: Start-up Stage, Formative Stage, Established Stage, Strategic Stage, Dynamic Stage]
The Stages of National Cybersecurity Capacity

Stages define the degree to which a country has progressed in relation to a certain Factor or Aspect of cybersecurity capacity (see page 7). A CMM review will benchmark a country against these Stages, capturing existing cybersecurity capacity.

Start-up
    At this Stage, either no cybersecurity maturity exists, or it is very embryonic in nature. There might be initial discussions about cybersecurity capacity building, but no concrete actions have been taken. There may be an absence of observable evidence at this Stage;

Formative
    Some features of the Aspect have begun to grow and be formulated, but may be ad hoc, disorganised, poorly defined or simply new. However, evidence of this activity can be clearly demonstrated;

Established
    The Indicators of the Aspect are in place, and evidence shows that they are working. There is not, however, well thought-out consideration of the relative allocation of resources. Little trade-off decision-making has been made concerning the relative investment in the various elements of the Aspect. But the Aspect is functional and defined;

Strategic
    Choices have been made about which parts of the Aspect are important, and which are less important for the particular organisation or nation. The strategic Stage reflects the fact that these choices have been made, conditional upon the nation or organisation’s particular circumstances; and

Dynamic
    At this Stage, there are clear mechanisms in place to alter national strategy depending on the prevailing circumstances, such as the technology of the threat environment, global conflict, or a significant change in one area of concern (e.g. cybercrime or privacy). There is also evidence of global leadership on cybersecurity issues. Key sectors, at least, have devised methods for changing strategies at any stage during their development. Rapid decision-making, reallocation of resources, and constant attention to the changing environment are features of this Stage.

The CMM allows the benchmarking of current national cybersecurity capacity. Understanding the requirements to achieve higher levels of capacity will directly indicate areas for further investment, and how to evidence such capacity levels. The CMM can also be used to build business cases for investment and expected performance enhancements. Combining a CMM review with national risk assessments, social, and economic strategies can further prioritise which capacity enhancements to make.

[Figure: the five Stages of maturity (Start-up Stage, Formative Stage, Established Stage, Strategic Stage, Dynamic Stage) shown as a progression across the five Dimensions]
Dimension 1: Cybersecurity Policy and Strategy

This Dimension explores the country’s capacity to develop and deliver
cybersecurity strategy and enhance its cybersecurity resilience through
improving its incident response, cyber defence and critical infrastructure
protection capacities. This Dimension considers effective strategy and
policy in delivering national cybersecurity capability, while maintaining
the benefits of a cyberspace vital for government, international business
and society in general.


Factor
D 1.1: National Cybersecurity Strategy
Cybersecurity strategy is essential to mainstreaming a cybersecurity agenda across government because it helps prioritise cybersecurity as an important policy area, determines responsibilities and mandates of key cybersecurity government and non-governmental actors, and directs allocation of resources to the emerging and existing cybersecurity issues and priorities.

Aspects
• Strategy Development: this Aspect addresses the development of a national strategy, allocation of implementation authorities across sectors and civil society, and an understanding of national cybersecurity risks and threats which drive capacity building at a national level;

• Content: this Aspect addresses the content of the national cybersecurity strategy and whether it is linked explicitly to national risks, priorities and objectives such as national security, public awareness raising, and mitigation of cybercrime, incident response capability and critical national infrastructure protection;

• Implementation and Review: this Aspect addresses the existence of an over-arching programme for cybersecurity co-ordination, including a departmental owner or co-ordinating body with a consolidated budget; and

• International Engagement: this Aspect explores to what extent the country is aware of the existence of international discussions on cybersecurity policy, and how the international debates on cybersecurity policy and related issues affect the country’s interests and international standing.

Factor
D 1.2: Incident Response and Crisis Management
This Factor addresses the capacity of the government to identify and determine characteristics of national level incidents in a systematic way. It also reviews the government’s capacity to organise, co-ordinate, and operationalise incident response, and whether cybersecurity has been integrated into the national crisis management framework.

Aspects
• Identification and Categorisation of Incidents: this Aspect identifies whether internal mechanisms are in place for identifying and categorising incidents;

• Organisation: this Aspect addresses the existence of a mandated central body designated to collect incident information, and its relationship with the public and private sector for national level incident response; and

• Integration of Cyber into National Crisis Management: this Aspect explores to what extent cybersecurity is integrated into the national crisis management framework.

Factor
D 1.3: Critical Infrastructure (CI) Protection
This Factor studies the government’s capacity to identify CI assets, the regulatory requirements specific to the cybersecurity of CI, and the implementation of good cybersecurity practice by CI operators.

Aspects
• Identification: this Aspect addresses the existence of a general list of CI assets, sectors and operators, and an audit of CI assets on a regular basis;

• Regulatory Requirements: this Aspect addresses the existence of regulatory requirements specific to the cybersecurity of CI; and

• Operational Practice: this Aspect explores whether CI operators implement recognised industry standards, and the existence of arrangements for collaboration across and within sectors.

Factor
D 1.4: Cybersecurity in Defence and National Security
This Factor explores whether the government has the capacity to design and implement a strategy for cybersecurity within national security and defence. It also reviews the level of cybersecurity capability within the national security and defence establishment, and the collaboration arrangements on cybersecurity between civil and defence entities.

Aspects
• Defence Force Cybersecurity Strategy: this Aspect addresses the existence of a strategy for supporting cybersecurity within national security and defence, and whether it is supported by appropriate legal authorities and relevant operational doctrine and rules of engagement;

• Defence Force Cybersecurity Capability: this Aspect reviews the level of cybersecurity capability and organisational structures within the national security establishment; and

• Civil Defence Co-ordination: this Aspect examines the collaboration on cybersecurity between civil and defence entities, and the existence of adequate resources in place.

Factor - D 1.1: National Cybersecurity Strategy

Aspect: Strategy Development

Start-Up
    No national cybersecurity strategy exists, although planning processes for strategy development may have begun.
    Advice may have been sought from international partners.

Formative
    Processes for strategy development have been initiated.
    An outline/draft national cybersecurity strategy has been articulated.
    Consultation processes have been agreed for key stakeholder groups, including private sector, civil society and international partners.

Established
    A national cybersecurity strategy has been published.
    An assessment of country-specific national cybersecurity risk has been conducted.
    The strategy reflects the needs and roles of relevant stakeholders across government (national and sub-national), business and civil society.
    An implementation programme is in place which covers the scope of

Strategic
    Strategy review and renewal processes are in place.
    Emerging cybersecurity risks are regularly assessed and used to update the strategy and implementation plan.
    The impact of the strategy on risk and harm reduction is understood and is used to inform funding and priority decisions.

Dynamic
    The national cybersecurity strategy and implementation plan are both proactively reviewed to take account of broader strategic developments within the country (political, economic, social, technical, legal and environmental).
    The country is an acknowledged authority within the international community and is supporting the development of national and global cybersecurity strategies.
                                                                                                    the strategy.
                                                                                                                                                                                  Cybersecurity considerations are
                                                                                                    Mechanisms are in place to enable                                             embedded within other relevant
                                                                                                    strategy ‘owners’ to monitor                                                  national-level strategies and
                                                                                                    achievement of outcomes, address                                              implementation programmes.
                                                                                                    implementation issues and
                                                                                                    maintain strategy alignment.

                           Various national policies and       Content exists that reflects         The content of the national             The content takes account of the      The content takes account of the
                           strategies may exist that refer     country-specific priorities and      cybersecurity strategy is based on      impact on cybersecurity risk of       impact of broader developments
                           to cybersecurity, but these         circumstances.                       a comprehensive risk assessment         emerging technologies and their       on cybersecurity risk (political,
                           are not comprehensive and                                                that includes explicit links to         use within critical infrastructure,   economic, social, technical, legal
                                                               Links exist between the strategy
                           there is little evidence that                                            wider national level economic and       the wider economy and society.        and environmental).
                                                               (or draft strategy) and priorities                                                                                                                       D1
                           these reflect specific national                                          political policies and strategies.
                                                               such as national security,                                                   The outcomes defined in               The content of the national
                           priorities and circumstances.
                                                               digital strategy and economic        The content includes actions            the strategy are specific and         cybersecurity strategy promotes
                                                               development, but these are           to raise public and business            measurable. Metrics have              and encourages bilateral and         D 1.1
                                                               generally ad hoc and lack detail.    awareness, mitigate cybercrime,         been defined which enable             multilateral co-operation
                                                                                                    establish incident response             stakeholders to evaluate the          between countries to ensure
                                                               The strategy (or draft strategy)                                                                                                                        D 1.2
                                                                                                    capability, promote public-private      effectiveness of the strategy in      a secure, resilient and trusted
                                                               defines the key outcomes against
     Content                                                   which success can be evaluated.
                                                                                                    partnership and protect critical        reducing harm.                        cyberspace.
                                                                                                    infrastructure and the wider                                                                                       D 1.3
                                                                                                                                            Consideration has been given
                                                                                                    economy.
                                                                                                                                            to how the beneficial outcomes
                                                                                                    Consideration has been given to         of the strategy can be sustained
                                                                                                                                                                                                                       D 1.4
                                                                                                    how the national cybersecurity          beyond the strategy’s lifetime,
                                                                                                    strategy might incorporate or           including how the maintenance
                                                                                                    support wider online policy             of new capabilities will be
                                                                                                    objectives such as: child protection;   financed.                                                                   D2
                                                                                                    the promotion of Human Rights;
                                                                                                    the promotion of Equality, Diversity
                                                                                                    and Inclusion; and managing                                                                                         D3
                                                                                                    disinformation.

                                                                                                                                                                                                                        D4

                                                                                                                                                                                                                        D5

12        Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition
Factor - D 1.1: National Cybersecurity Strategy
Aspect: Implementation and Review

Start-Up: No overarching national cybersecurity implementation programme has been developed.

Formative: A co-ordinated cybersecurity implementation programme is being developed with relevant stakeholders involved, including the private sector and civil society. Actions within the programme have been assigned to specific ‘owners’ but the availability of adequate resources has not yet been confirmed. Mechanisms to review processes are limited or ad hoc.

Established: A detailed implementation plan has been published including actions, responsible entities and resource budgets. The implementation plan involves relevant stakeholders across government and other sectors. A co-ordinating body has been assigned. The body has sufficient authority to ensure that action ‘owners’ are held to account. The resources required to deliver the actions of the programme have been identified and are in place. Budget shortfalls are identified and escalated to the relevant authority. Programme review processes and metrics are in place that allow progress to be measured and risks, issues and dependencies to be escalated to the relevant authority. These processes are adequately funded.

Strategic: Outcome-oriented metrics are being used to monitor the impact that the programme is having on risk reduction (and other relevant strategy goals). There is evidence of these metrics being used to refine action plans. Metrics (both progress and outcome-oriented metrics) are drawn from a wide variety of governmental, non-governmental and international sources. There is independent oversight and/or assurance of the programme.

Dynamic: Mechanisms are in place to make more far-reaching changes to the programme in the event of significant changes in circumstance (political, economic, social, technical, legal and environmental). The programme contributes to the global development of outcome-oriented metrics and their application.

Aspect: International Engagement

Start-Up: There is limited awareness of the principal international debates relating to cybersecurity policy (such as cybersecurity norms, mutual legal assistance, Internet Governance, data sovereignty, data protection). The country may benefit from regional/international operational collaboration networks but does not actively engage.

Formative: The country is aware of the existence of international discussions on cybersecurity policy and related issues. The country may, on occasion, participate in regional or international discussions on matters related to cybersecurity issues, but does not generally play an active role. The country may participate in relevant operational collaboration and policy bodies (such as FIRST*, regional CERT** bodies, the IGF***, or the UN GGE****), but takes mainly a passive role.

Established: An assessment has been made of how the international debates on cybersecurity policy and related issues affect the country’s interests and international standing. Specific engagement objectives have been defined accordingly. Multiple stakeholders have been involved in this process. The country is actively participating in relevant international bodies and forums, either directly or through relevant representative bodies. Their voices are being heard and are having an impact. The country actively contributes to regional/international operational collaboration and policy bodies.

Strategic: The country is actively building international communities of interest around specific cybersecurity policy goals and promoting their adoption. The country makes a major contribution to regional/international operational bodies and is actively involved in building capacity in third-party countries.

Dynamic: The country is a leading actor in building consensus, fostering inclusivity and shaping the international debates on key cybersecurity policy issues. The country is focused on the future, seeing emerging issues (around new technology or new types of threat), and is initiating new international debates around the key issues. The country is actively involved in creating new regional/international collaboration mechanisms.

* Forum of Incident Response and Security Teams
** Computer Emergency Response Team
*** Internet Governance Forum
**** The United Nations Group of Governmental Experts

Factor - D 1.2: Incident Response and Crisis Management
Aspect: Identification and Categorisation of Incidents

Start-Up: No process for identifying and categorising national-level incidents exists.

Formative: Some organisations and sectors have internal mechanisms for identifying and categorising incidents within their purview. A process for identifying national-level incidents is under development. There is no central registry in place but ad-hoc arrangements exist for dealing with the most significant events.

Established: Most major organisations have internal mechanisms for identifying and categorising incidents. A central registry of national-level cybersecurity incidents exists and a process for timely escalation of incidents, from the organisational to the national level, is in place. Individual national incidents are categorised according to severity and resources are allocated accordingly.

Strategic: Insights arising from national level incidents are routinely analysed in order to establish lessons and inform broader cybersecurity policy and strategy.

Dynamic: The criteria for categorising incidents are sufficiently flexible to cater for rapidly emerging changes in the underlying technological or threat environment. The country is contributing to international best practice in incident identification and categorisation.

Aspect: Organisation

Start-Up: No organisation for national-level cyber incident response exists. A few organisations may have internal cybersecurity response mechanisms in place but co-ordination is minimal.

Formative: A national CERT* might exist but lacks sufficient resources and skills. Processes for managing incidents are still in development. Some organisations from public and private sectors have internal cybersecurity response mechanisms in place but co-ordination with the national CERT is ad hoc. The role of sub-national bodies is unclear. Bilateral co-operation with international partners is limited or ad hoc.

Established: A national body for incident response has been established. It has the resources, skills, documented processes and legal authorities required to address the range of cyber incident scenarios that the country is likely to face (including out-of-hours capability, if appropriate). Relationships and protocols are in place to enable incident management co-ordination between the national body and other elements of the public and private sectors. The role of sub-national bodies in incident response is clear and mechanisms are in place to enable co-ordination between the national and sub-national levels. There is regular sharing of threat and vulnerability information, and operational good practices between the national body and a wide range of public and private sector organisations, as well as international partners.

Strategic: The national body undertakes a wide range of engagement activities such as convening communities of interest, running cross-sector exercises and promoting best cybersecurity practices. The national body innovates to provide a range of additional services that improve the country’s ability to prevent, detect, respond and recover from threats. The national body is widely recognised as an authoritative voice on cybersecurity within the country. The effectiveness of the national body in reducing cyber risk and harm is regularly evaluated and benchmarked against international good practice.

Dynamic: The government’s overall operational response is adaptive to changes in the underlying technical and threat environment. The country is contributing to international best practice on how to organise operational responses to cybersecurity threats.

* Computer Emergency Response Team

Factor - D 1.2: Incident Response and Crisis Management

Aspect: Integration of Cybersecurity into National Crisis Management

  Start-Up: No framework exists for national-level crisis management. Cybersecurity has not been considered as a potential national-level crisis scenario. Emergency communication capabilities are limited.

  Formative: A national crisis management framework is in development and a specific organisation has been allocated responsibility for leading national-level crisis response. Cybersecurity has been recognised as relevant to national crisis management, both as a factor in its own right and as an element of other crisis scenarios. An exercise programme is in development and includes cybersecurity-based scenarios. Emergency communication capabilities are in place but may not be well integrated or lack resilience to cyber disruption.

  Established: Cybersecurity is fully integrated into the national crisis management framework and the organisation responsible for crisis management is equipped to deal with a range of cybersecurity-related scenarios. The role of a cyber incident management authority within the crisis management process is well defined and established, and escalation thresholds are fully understood. National crisis management scenarios with cybersecurity components are regularly exercised. Emergency communication systems are regularly tested for cyber resilience against a range of cybersecurity-related scenarios.

  Strategic: Lessons learnt from cyber crisis exercises are used to inform both national crisis management policy and the national cybersecurity strategy and implementation plan. International crisis planning and exercising with partners exists and routinely includes cybersecurity as an element. The resilience of emergency communications has been stress-tested against a wide range of potential scenarios.

  Dynamic: The country is contributing to the debate on the integration of cyber into national and international crisis management. Emergency communications capabilities are capable of operating beyond the country’s border in order to support third-party countries and global crisis responses.

Factor - D 1.3: Critical Infrastructure (CI) Protection

Aspect: Identification

  Start-Up: There may be some appreciation of what constitutes a CI asset, but no formal categorisation of CI assets has been produced.

  Formative: A list of general CI assets, sectors and operators has been created.

  Established: The list of CI assets has been formalised and incorporates a range of appropriate public and private sector organisations. Specific operators have been identified and are aware of their status. The list is kept up to date to reflect changes in the country’s circumstances. Cross-border dependencies have been identified.

  Strategic: The list of CI assets is adaptive to strategic shifts in the underlying technical, social and economic environment. Interdependencies between sectors are managed. Cross-border dependencies are managed.

  Dynamic: There is flexibility in the process for identifying CI assets to cater for rapidly emerging changes in the underlying technological or threat environment. The country is actively involved in the identification and prioritisation of global CI assets. Cross-sector and cross-border dependencies are mitigated.

Aspect: Regulatory Requirements

  Start-Up: There are no existing regulatory requirements specific to the cybersecurity of CI.

  Formative: The need for baseline standards to govern CI assets is acknowledged but these are not explicitly mandated in regulation. Sector regulators do not routinely assess CI operators for compliance.

  Established: CI operators are mandated by regulation to meet appropriate cybersecurity standards (either in the form of specific cyber regulation or as part of broader regulatory requirements). Mandatory breach reporting and vulnerability disclosure requirements are in place. Formal processes are in place to evaluate CI operator compliance with regulatory standards and with incident and vulnerability disclosure requirements.

  Strategic: Novel approaches to regulatory supervision are being developed to improve CI cybersecurity while also facilitating effective and efficient CI service delivery. The country is promoting best practice regulatory approaches at an international level.

  Dynamic: Regulatory frameworks are sufficiently flexible to cater for rapidly emerging changes in the underlying technological or threat environment. The country is actively involved in establishing regulatory approaches to assuring global CI.

Aspect: Operational Practice

  Start-Up: A few CI operators may be implementing good cybersecurity practices, but this is inconsistent.

  Formative: Many CI operators are implementing good cybersecurity practice. There is some self-assessment against recognised industry standards. Some informal arrangements exist for collaboration across and within sectors.

  Established: CI operators are consistently implementing recognised industry standards and the effectiveness of their cybersecurity controls is regularly assessed. Mechanisms are in place for operators to share threat and vulnerability information, best practices and lessons learned from incidents and near misses. CI operators participate fully in national incident response and crisis management planning and exercising. Mechanisms are in place for public authorities to provide information and other practical support to CI operators, both pre- and post-incident.

  Strategic: There is extensive collaboration among CI operators and with public authorities to develop strategies that enhance collective cybersecurity. The resilience of the critical infrastructure ecosystem as a whole has been assessed against a range of scenarios, and measures are in place to address systemic risks to the economy and society.

  Dynamic: The country and its CI operators are contributing to the international debate on global critical infrastructure resilience. Experts from the regulators and CI operators are recognised internationally for their contribution to addressing global infrastructure protection challenges.

Factor - D 1.4: Cybersecurity in Defence and National Security

Aspect: Defence Force Cybersecurity Strategy

  Start-Up: The potential impact of cybersecurity on national security and defence may have been considered but has not been formally articulated.

  Formative: The potential impact of cybersecurity on national security and defence has been assessed and a strategy for addressing these risks is under development. This analysis includes risks to the ability of the country’s military and other national security assets to operate in a contested cyber environment.

  Established: A strategy for cybersecurity for national security and defence has been formally adopted (stand-alone or as part of a wider document). The strategy is supported by appropriate legal authorities and relevant operational doctrine and rules of engagement. These are consistent with international humanitarian law. The dependence of national security and military entities on the cybersecurity of other parts of the critical national infrastructure is understood and is addressed in the defence cybersecurity strategy. Cybersecurity considerations inform other elements of national security and defence strategy, where relevant.

  Strategic: Defence strategy includes appropriate considerations of deterrence. The country’s defence and national security establishment (alongside other stakeholders) is actively engaged in the global debate on international humanitarian law and norms of behaviour as they relate to conflict in cyberspace. Declaratory strategy and published doctrine may be part of this.

  Dynamic: Strategy and doctrine are not static but are adaptive to changing capabilities and to the geo-political and technical threat environment. The strategy is designed to promote stability in cyberspace. This includes measures to predict and influence the strategies and actions and reactions of potential allies and adversaries.

Aspect: Defence Force Cybersecurity Capability

  Start-Up: Specialist cybersecurity capability within the national security establishment is limited.

  Formative: Specialist cybersecurity capability requirements are understood, and relevant organisational structures have been defined. Initial steps have been taken to establish these.

  Established: Capabilities and organisational structures are in place and have been tested. Resourcing is provided through the national military estimate or equivalent process. Operational doctrine and rules of engagement are fully embedded in training. Specialist intelligence resources are being applied to provide support and are appropriately resourced. Mechanisms to facilitate collaboration with allies are in place and have been tested.

  Strategic: Relevant deterrence and defence/resilience capabilities are in place, forming part of the country’s defence cybersecurity strategy. Cybersecurity is embedded in wider operational and command training within the country’s military forces.

  Dynamic: Defence cybersecurity capabilities are able to support multilateral responses to shared national security challenges.

Factor - D 1.4: Cybersecurity in Defence and National Security (continued)

Aspect: Civil Defence Co-ordination

  Start-Up: Collaboration on cybersecurity between civil and defence entities is limited.

  Formative: Informal collaboration on cybersecurity between civil and defence entities may exist but has not been formalised. Defence entities have not been formally resourced to undertake this work.

  Established: Collaboration on cybersecurity between civil and defence entities exists and has been formalised. Respective roles have been defined within the country’s crisis management procedures. The resources required within the defence and national security community, to support civil and CI authorities, have been formally assessed and assigned. Formal mechanisms are in place to determine military/national security cybersecurity dependencies on civil and CI infrastructure. The ability of civil and CI infrastructure operators to provide these services has been assured.

  Strategic: Civil defence collaboration on cybersecurity is built into the strategic planning of both sectors and designed to address a range of future crisis scenarios. Mechanisms are in place that enable defence and the national security community to draw on the skills and capabilities of the broader economy and society (for example, via a formal cyber reserve force).

  Dynamic: The country is leading the international debate on best practice in cross-governmental, civil-defence cybersecurity collaboration.

18        Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition
Dimension 2: Cybersecurity Culture and Society

This Dimension reviews important elements of a responsible cybersecurity culture such as the understanding of cyber-related risks in society, the level of trust in Internet services, e-government and e-commerce services, and users’ understanding of personal information protection online. Moreover, this Dimension explores the existence of reporting mechanisms functioning as channels for users to report cybercrime. In addition, this Dimension reviews the role of media and social media in shaping cybersecurity values, attitudes and behaviour.
Factor
D 2.1: Cybersecurity Mindset

This Factor evaluates the degree to which cybersecurity is prioritised and embedded in the values, attitudes, and practices of government, the private sector, and users across society at large. A cybersecurity mindset consists of values, attitudes and practices – including habits of individual users, experts, and other actors – in the cybersecurity ecosystem that increase the capacity of users to protect themselves online.

Aspects
• Awareness of Risks: this Aspect examines the level of awareness of cybersecurity risks within the government, private sector and users;
• Priority of Security: this Aspect examines the extent to which the government, private sector and users make cybersecurity a priority; and
• Practices: this Aspect examines whether the government, private sector and users follow safe cybersecurity practices.

Factor
D 2.2: Trust and Confidence in Online Services

This Factor reviews critical skills, the management of disinformation, the level of users’ trust and confidence in the use of online services in general, and of e-government and e-commerce services in particular.

Aspects
• Digital Literacy and Skills: this Aspect examines whether Internet users critically assess what they see or receive online;
• User Trust and Confidence in Online Search and Information: this Aspect examines whether users trust in the secure use of the Internet based on indicators of website legitimacy;
• Disinformation: this Aspect examines the existence of tools and resources to address online disinformation;
• User Trust in E-government Services: this Aspect examines whether there are government e-services offered, whether trust exists in the secure provision of such services, and if efforts are in place to promote such trust in the application of security measures; and
• User Trust in E-commerce Services: this Aspect examines whether e-commerce services are offered and established in a secure environment and trusted by users.
Factor
D 2.3: User Understanding of Personal Information Protection Online

This Factor looks at whether Internet users and stakeholders within the public and private sectors recognise and understand the importance of protecting personal information online, and whether they are sensitive of their privacy rights.

Aspects
• Personal Information Protection Online: (as above)

Factor
D 2.4: Reporting Mechanisms

This Factor explores the existence of reporting mechanisms that function as channels for users to report Internet-related crime such as online fraud, cyber-bullying, child abuse online, identity theft, privacy and security breaches, and other incidents.

Aspects
• Reporting Mechanisms: (as above)

Factor
D 2.5: Media and Online Platforms

This Factor explores whether cybersecurity is a common subject of discussion across mainstream media, and an issue for broad discussion on social media. Moreover, this Factor looks at the role of media in conveying information about cybersecurity to the public, thus shaping their cybersecurity values, attitudes and online behaviour.

Aspects
• Media and Social Media: (as above)
Factor - D 2.1: Cybersecurity Mindset

Maturity stages for each Aspect: Start-Up, Formative, Established, Strategic, Dynamic.

Aspect: Awareness of Risks

Start-Up: The government has minimal or no level of awareness of cybersecurity risks. The private sector has minimal or no level of awareness of cybersecurity risks. Users have minimal or no level of awareness of cybersecurity risks.

Formative: Leading government agencies have a minimal level of awareness of cybersecurity risks. Leading private firms have a minimal level of awareness of cybersecurity risks. A limited proportion of Internet users have awareness of cybersecurity risks.

Established: There is widespread awareness of cybersecurity risks within most government agencies. There is widespread awareness of cybersecurity risks within most private firms. A growing number of Internet users within society have awareness of cybersecurity risks.

Strategic: Government agencies across all levels are aware of cybersecurity risks and proactively anticipating new risks. Private sector actors at all levels are fully aware of cybersecurity risks and are anticipating new risks. Users are fully aware of cybersecurity risks and try to anticipate new risks.

Dynamic: Government agencies at all levels are fully aware of cybersecurity risks and use them to update cybersecurity policies and operational practices. Most private sector actors across all levels mitigate cybersecurity risks and use them to update cybersecurity policies and operational practices. Most users identify and anticipate cybersecurity risks and try to adapt their behaviour.

Aspect: Priority of Security

Start-Up: The government has minimal or no recognition of the need to prioritise cybersecurity. Private sector actors have minimal or no recognition of the need to prioritise cybersecurity. Users have minimal or no recognition of the need to prioritise cybersecurity. No surveys or metrics exist to document cybersecurity in government, private sector, or across users.

Formative: Leading government agencies and private firms recognise the need to prioritise cybersecurity. Private firms recognise the need to prioritise cybersecurity. A limited proportion of Internet users recognise the need to prioritise cybersecurity. Surveys and metrics to assess knowledge of cybersecurity within the nation are limited or ad hoc.

Established: Most government agencies at all levels are making cybersecurity a priority. Most private firms at all levels are making cybersecurity a priority. A growing number of Internet users within society make cybersecurity a priority. Surveys and metrics to evaluate knowledge of cybersecurity within the nation are available.

Strategic: Government agencies across all levels routinely prioritise and reassess cybersecurity priorities in response to changing threats to the population. Most private sector actors across all levels routinely prioritise and reassess cybersecurity priorities in response to changing threats to the population. Most users routinely prioritise cybersecurity and seek to take proactive steps to improve cybersecurity. Surveys and metrics are routinely conducted and publicised in fields of government, business and industry, and among users.

Dynamic: Government agencies at all levels habitually, as a matter of course, prioritise cybersecurity. Private sector actors at all levels habitually prioritise cybersecurity, as a matter of course. Users habitually prioritise cybersecurity and take steps to improve their security online. Survey results and metrics are used to refine cybersecurity policies, inform operational practices and IT-related initiatives within the nation.

Aspect: Practices

Start-Up: The government agencies do not follow safe cybersecurity practices. Private sector companies do not follow safe cybersecurity practices. In this country, very few Internet users follow safe cybersecurity practices or take protective measures to ensure their security.

Formative: Leading government agencies follow safe cybersecurity practices. Leading private firms follow safe cybersecurity practices. A limited but growing proportion of Internet users know or follow safe cybersecurity practices.

Established: Most government agencies at all levels follow safe cybersecurity practices. Most private firms at all levels follow safe cybersecurity practices. Most Internet users within this country know and follow safe cybersecurity practices.

Strategic: Government agencies across all levels routinely follow safe cybersecurity practices. Most private sector actors (including SMEs) across all levels routinely follow safe cybersecurity practices. Most users know and routinely follow safe cybersecurity practices.

Dynamic: Government agencies at all levels habitually follow and also develop safe cybersecurity practices. Private sector actors at all levels habitually follow and develop safe cybersecurity practices. Nearly all users know and habitually follow safe cybersecurity practices as a matter of course.
22         Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition