Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 EDITION
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Cybersecurity Capacity Maturity Model for Nations (CMM) 2021 EDITION
Executive Summary
The world’s economies continue to develop with an ever- Capacity Centre undertook a global collaborative exercise
increasing dependence on technology. If we do not ensure aimed at extracting and synthesising the community’s latest
that cybersecurity capacity exists across the entirety of knowledge. The GCSCC developed change proposals based
cyberspace, we will inevitably create cyber-ghettos. In such on lessons learned from CMM deployments, and undertook
environments, cyber-harm may become prevalent and cyber- a series of online and offline consultations with experts, to
attacks can easily be launched. The ability of countries to validate the findings and discuss the changes. Those who
respond and grow capacity in the face of changing threats were consulted included the GCSCC Expert Advisory Panel,
– be they due to trends in technology use, the socio-political strategic, regional and implementation partners of the
climate, or evolution of the threat-actor ecosystem – has GCSCC, and other experts from academia, international and
never been more important. regional organisations, governments, the private sector, and
civil society. Based on their input, indicators for each Aspect
The Cybersecurity Capacity Maturity Model for Nations have been identified, designed, refined, and validated.
(CMM) helps nations understand what works, what
does not work and why, across all areas of cybersecurity Actors around the world, ranging from individuals to nation
capacity. This is important so that governments and states, need to ensure that cyberspace and the systems
enterprises can adopt policies and make investments that dependent on it are resilient to increasing attacks. The
have the potential to significantly enhance safety and CMM 2021 Edition and its deployment will continue to
security in cyberspace, while also respecting human rights, contribute towards efforts to achieve this resilience, not only
such as privacy and freedom of expression. by gaining a more profound understanding of international
cybersecurity capacity, but also by increasing effective
Since 2015, the Global Cyber Security Capacity Centre investment into cybersecurity capacity based on a rigorous
(GCSCC, Capacity Centre) has actively promoted the CMM analysis of data collected from the deployment of the
across sectors, to drive conversation around cybersecurity model. Critical gaps in all areas of international cybersecurity
capacity and to help improve global technology. The will be identified and filled with scalable and effective
resulting adoption of the CMM by various key international countermeasures, in co-operation with international
stakeholders, and the completion of more than 120 CMM partners from the global cybersecurity community.
reviews in more than 85 countries around the world,
demonstrates the positive impact of the research, supports The enhancement of the CMM is not intended to be a D1
government self-assessments and informs the development static exercise; a continuous process of refinement will
of industry tools and resources. be maintained to ensure the CMM remains applicable
to all national contexts and reflects the global state of D2
Prompted by the changing threat landscape and cybersecurity capacity maturity. However, this evolution
corresponding cybersecurity practice, the GCSCC has led a will continue to be a considered exercise, stimulated by
revision of the CMM, the first to be carried out since the D3
evidence and practice.
2016 edition was issued. To produce this 2021 edition, the
D4
D5
2 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 EditionContents Executive Summary
A National Cybersecurity Assessment with the CMM
The Dimensions of National Cybersecurity Capacity
2
4
5
The Structure of the CMM 7
Dimension 1: Cybersecurity Policy and Strategy 9
D 1.1: National Cybersecurity Strategy 12
D 1.2: Incident Response and Crisis Management 14
D 1.3: Critical Infrastructure (CI) Protection 16
D 1.4: Cybersecurity in Defence and National Security 17
Dimension 2: Cybersecurity Culture and Society 19
D 2.1: Cybersecurity Mindset 22
D 2.2: Trust and Confidence in Online Services 23
D 2.3: User Understanding of Personal Information Protection Online 26
D 2.4: Reporting Mechanisms 27
D 2.5: Media and Online Platforms 28
Dimension 3: Building Cybersecurity Knowledge and Capabilities 29
D 3.1: Building Cybersecurity Awareness 32
D 3.2: Cybersecurity Education 34
D 3.3: Cybersecurity Professional Training 36
D 3.4: Cybersecurity Research and Innovation 37
Dimension 4: Legal and Regulatory Frameworks 38
D 4.1: Legal and Regulatory Provisions 41
D 4.2: Related Legislative Frameworks 43
D 4.3: Legal and Regulatory Capability and Capacity 45
D 4.4: Formal and Informal Co-operation Frameworks to Combat Cybercrime 47
Dimension 5: Standards and Technologies 48
D 5.1: Adherence to Standards 51
D 5.2: Security Controls 53
D 5.3: Software Quality 55 D1
D 5.4: Communications and Internet Infrastructure Resilience 56
D 5.5: Cybersecurity Marketplace 57
D 5.6: Responsible Disclosure 59 D2
Evolution of the CMM 60
Acknowledgements 61 D3
About the GCSCC 62
D4
D5
3 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 EditionA National Cybersecurity
Assessment with the CMM
The CMM review of a country involves data-gathering by a • the enhancement of the internal credibility of the
team of researchers who carry out in-country stakeholder cybersecurity agenda within governments;
consultation and desk research. The output is an evidence-
based report which: • help in defining roles and responsibilities within
governments;
• benchmarks the maturity of a country’s cybersecurity
capacity; • providing evidence to increase funding for cybersecurity
capacity building; and
• details a pragmatic set of actions to contribute to the
advancement of cybersecurity capacity maturity gaps; and • a foundation for country strategy and policy development.
• identifies priorities for investment and future capacity- It is important that a country can evidence its achievements
building, based on a country’s specific needs. in cybersecurity capacity and the CMM identifies what that
evidence should be, and what it demonstrates. Such evidence
According to an independent study commissioned by the gathering is in itself a multi-stakeholder process, involving a
UK Foreign, Commonwealth and Development Office, the wide range of sources and organisations. Discussions can be
benefits of a CMM review for a country are numerous and important to resolve differences of opinion. Whether such
include: discussions can be effective if done remotely (and online), or
will necessitate face-to-face meetings, will depend upon the
• increased cybersecurity awareness and capacity building, country undertaking a review.
and greater collaboration within government;
For more information on the CMM review methodology,
• networking and collaboration with business and wider process and exemplary CMM reports, visit:
society; https://gcscc.ox.ac.uk/the-cmm
D1
D2
D3
D4
D5
4 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 EditionCybersecurity Policy Cybersecurity Culture Building Cybersecurity Legal and Standards and
and Strategy and Society Knowledge and Regulatory Technologies
Capabilities Frameworks
The Dimensions
of National Dimension 1
Cybersecurity Policy
Dimension 2
Cybersecurity
Cybersecurity
and Strategy Culture and Society
Capacity
The CMM considers cybersecurity to comprise five Dimensions
which together constitute the breadth of national capacity that a
country requires to be effective in delivering cybersecurity:
1. Developing cybersecurity policy and strategy;
Dimension 3
Dimension 5 Building Cybersecurity
2. Encouraging responsible cybersecurity culture within society;
Standards and
Knowledge and
3. Building cybersecurity knowledge and capabilities; Technologies
Capabilities
4. Creating effective legal and regulatory frameworks; and
5. Controlling risks through standards and technologies.
Dimension 4 D1
Legal and Regulatory
Frameworks
D2
D3
D4
D5
5 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Editionension 1 ension 2 ension 3 nsion 4
imecountry’s mension 5
Dim Dim 1 Cybersecurity
Dimension Dimand Strategy
Policy exploresDthe capacity Di The CMM defines five Stages of maturity for all Dimensions being: start-up,
to develop and deliver cybersecurity strategy, and to enhance its cybersecurity formative, established, strategic, and dynamic. These correspond to the following:
resilience by improving its incident response, cyber defence and critical infrastructure initial development of capacity, being established, being world-leading, and able to
(CI) protection capacities. This Dimension considers effective strategy and policy anticipate and prepare for future cybersecurity needs.
in delivering national cybersecurity capability, while maintaining the benefits of a
cyberspace vital for government, international business and society in general. It should be noted that there are relationships between the Dimensions; for example,
Cybersecurity Policy Cybersecurity Culture Building Cybersecurity Legal and Standards and to be effective in one area of capacity often places requirements on other areas1. It
nsion
andeStrategy Dimension
anden2siCybersecurity
o
Society
n Culturee nand
s
Knowledgeio Society reviewsRegulatory
and
n important
ens ion elements of Technologies
a is also the case that resources are limited and priorities for capacity enhancements
1 Dim 2 Dim
responsible
3 im
DCapabilities
cybersecurity culture
4 im
DFrameworks
such as the understanding
5
of cyber-related risks are likely to require a response which could span multiple Dimensions. Therefore,
in society, the level of trust in Internet services, e-government and e-commerce a benchmarking activity reviews a country against the entire CMM and across all
ension 1 ensiousers’
n 2 understanding enofsipersonal
on 3 nsion 4
eprotection ension 5 Dimensions, enabling an holistic consideration of national capacity.
Dim services,
D im and D im information
D im online. D im
Moreover, this Dimension explores the existence of reporting mechanisms
functioning as channels for users to report cybercrime. In addition, this Dimension
reviews the role of media and social media in shaping cybersecurity values,
Policy Cybersecurity Culture Building and
attitudes Cybersecurity
behaviour. Legal and Standards and
y
2 iand sion
menSociety 3 i mensionand
Knowledge
4 i m ension 5
Regulatory Technologies
D DCapabilities DFrameworks
Dimension 3 Building Cybersecurity Knowledge and Capabilities reviews the
Cybersecurity Policy Cybersecurity Culture Building Cybersecurity Legal and Standards and
availability, quality and uptake of programmes for various groups of stakeholders,
nsion
andeStrategy anden sio
Society
n e
Knowledgen sionand en sio
Regulatoryn Technologies
1 Dim 2 including m
Di the government,
3 private m
i sector4and the population
DCapabilities im as a 5whole, and relate
DFrameworks
to cybersecurity awareness-raising programmes, formal cybersecurity educational
programmes, and professional training programmes.
ulture Building Cybersecurity Dimension Legal4 and Standards and
y3 imensionand
Knowledge 4 im ensiLegal
Regulatory
and Regulatory
on 5Dimension 1
Frameworks examines the government’s
TechnologiesDimension 2
DCapabilities DFrameworks
capacity to design and enact national legislation that directly and indirectly
Cybersecurity Policy Cybersecurity
relates to cybersecurity, with a particular
and Strategy emphasis placed on the topics of
Policy Cybersecurity Culture Building Cybersecurity Legal andCulture and SocietyStandards and
sion 3 regulatory requirements for cybersecurity, cybercrime-related legislation and
y
2 anden
Dim
Society imensionand
Knowledge
DCapabilities 4 mension 5
iRegulatory
DFrameworks
Technologies
related legislation. The capacity to enforce such laws is examined through law
enforcement, prosecution, regulatory bodies and court capacities. Moreover, this
Dimension observes issues such as formal and informal co-operation frameworks
curity Legal and to combat cybercrime.
Standards and
nd
im en sio
Regulatoryn 5Dimension 1
Technologies
Dimension 2
s4 DFrameworks Dimension 5 Standards and Technologies addresses effective and widespread
Cybersecurity Policy Cybersecurity
ulture use of cybersecurity
and Strategy
Building Cybersecurity Legal andCulturetechnology to protect
and SocietyStandards and individuals, organisations and national
y3 m ensionand
Knowledge
i 4 im ensionThis
infrastructure.
Regulatory 5 Dimension specifically
Technologies examines the implementation of
DCapabilities DFrameworks
cybersecurity standards and good practices, the deployment of processes and D1
Dimension 3
controls,
Dimension 5 and the development of technologies and products in Building order toCybersecurity
reduce
Standards and
cybersecurity risks. Knowledge and
Standards and Technologies Capabilities
D2
y Dimension 1 TechnologiesDimension 2
s
Cybersecurity Policy Cybersecurity
curity
and Strategy Legal andCulture and SocietyStandards and D3
imension 5
nd Regulatory Technologies
s4 DFrameworks
Dimension 3 D4
DimensionFor
5 a country to reach an established level of maturity under the Aspect ‘Initiatives by Government’ in Factor 3.1 Building Cybersecurity Awareness, one of the requirements that must be met is that the content
1
Building Cybersecurity
of the co-ordinated national cybersecurity awareness-raising programme includes explicit links to national cybersecurity strategy. Similarly, for a country to reach an established level of maturity under the Aspect
Standards and
Knowledge
‘Administration’ in Factor 3.2 Cybersecurity Education, cybersecurity education priorities and from the multi-stakeholder consultation process should be reflected in the national cybersecurity strategy.
resulting
Technologies DimensionCapabilities
4
Legal and Regulatory
D5
Dimension 2
Cybersecurity Frameworks
6 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition
ulture and SocietyStandards and
y TechnologiesThe Structure of the CMM
Dimension Indicator
The five Dimensions together cover the breadth of national cybersecurity capacity assessed Indicators represent the most basic part of CMM’s structure. Each Indicator describes
by the CMM. Each Dimension is constituted by a range of Factors, which capture the core the steps, actions, or building blocks that are indicative of a specific Stage of maturity. To
capacities required to deliver the Dimension. Together, they represent the different ‘lenses’ have successfully reached a Stage of maturity, a country will need to convince itself that it
through which cybersecurity capacity can be evidenced and analysed. can evidence each of the Indicators. In order to elevate a country’s cybersecurity capacity
maturity, all of the Indicators within a particular Stage will need to have been fulfilled. Most
Factor of these Indicators are binary in nature, i.e., the country can either evidence it has fulfilled
the Indicator criteria, or it cannot provide such evidence.
Within the five Dimensions, Factors describe what it means to possess cybersecurity
capacity. These are the essential elements of national capacity, which are then measured for
maturity Stage. The complete list of Factors seeks to holistically incorporate all of a nation’s
cybersecurity capacity needs. Most Factors are composed of a number of Aspects which
structure the Factor’s Indicators into more concise parts (which directly relate to evidence
DIMENSION
gathering and measurement). However, some Factors that are more limited in scope do not
have specific Aspects.
FACTOR
Aspect
Where a Factor possesses multiple components, these are Aspects. Aspects are an ASPECT
organisational method to divide Indicators into smaller clusters that are easier to
comprehend. The number of Aspects depends on the themes that emerge in the content of
the Factor and the overall complexity of the Factor.
START-UP FORMATIVE ESTABLISHED STRATEGIC DYNAMIC
STAGE STAGE STAGE STAGE STAGE
Stage
Indicators Indicators Indicators Indicators Indicators
Stages define the degree to which a country has progressed in relation to a certain Factor or
Aspect of cybersecurity capacity. The CMM consists of five distinct Stages of maturity: start-up,
D1
formative, established, strategic, dynamic (detailed on page 8). A CMM review will benchmark
a country against these Stages, capturing existing cybersecurity capacity, from which a country
can improve or decline depending on the actions taken (or inaction). Within each Stage there D2
are a number of Indicators which a country has to fulfil to successfully have reached the Stage.
D3
D4
D5
7 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 EditionDimension 5 Building
Standards and Dimension 1 Cybersecurity
Dimension 2
Cybersecurity Policy Cybersecurity
Cybersecurity
Policy Culture
Knowledge Building Cy
and Cybersecurity
Technologies and Strategy and Society
Capabilities
and Strategy Culture andKnowle
Society
Dimension 4 Capab
Legal and Regulatory
Frameworks
The Stages of National Dimension 5
Standards and
Dimensio
Building
Dimension 1 Cy
Cybersecurity Capacity
Technologies CybersecurityKnowledge
Policy
Capabilities
and Strategy
Dimension 4
Legal and Regulatory
Stages define the degree to which a country has progressed in relation to a certain Factor or Aspect of cybersecurity capacity Frameworks Dynamic
(see page 7). A CMM review will benchmark a country against these Stages, capturing existing cybersecurity capacity.
Dimension 5
Start-up Standards and
Technologies
At this Stage, either no cybersecurity maturity exists, orStart-up
it is very Stage Formative
embryonic in nature. There mightStage Established
be initial discussions about Stage Strategic Stage Dynamic Stage
cybersecurity capacity building, but no concrete actions have been taken. There may be an absence of observable evidence at Dimension 4
this Stage; Legal and Regulatory
StrategicFrameworks
Formative
Some features of the Aspect have begun to grow and be formulated, but may be ad hoc, disorganised, poorly defined or simply Dimension 5
new. However, evidence of this activity can be clearly demonstrated; Standards and
Start-up Stage Formative Stage Established Stage Technologies
Strategic Stage Dynamic Stage
Established Dimension 4
The Indicators of the Aspect are in place, and evidence shows that they are working. There is not, however, well thought-out Legal and Regulatory
consideration of the relative allocation of resources. Little trade-off decision-making has been made concerning the relative Established Frameworks
investment in the various elements of the Aspect. But the Aspect is functional and defined;
Strategic
Start-up Stage Formative Stage Established Stage Strategic Stage
Choices have been made about which parts of the Aspect are important, and which are less important for the particular
organisation or nation. The strategic Stage reflects the fact that these choices have been made, conditional upon the nation or Dimen
organisation’s particular circumstances; and Legal and R
Formative Frame
Dynamic
D1
At this Stage, there are clear mechanisms in place to alter national strategy depending on the prevailing circumstances, such
as the technology of the threat environment, global conflict, or a significant change in one area of concern (e.g. cybercrime
or privacy). There is also evidence of global leadership on cybersecurity issues. Key sectors, at least, have devised methods Start-up Stage Formative Stage Established Stage D2 S
for changing strategies at any stage during their development. Rapid decision-making, reallocation of resources, and constant
attention to the changing environment are feature of this Stage.
D3
The CMM allows the benchmarking of current national cybersecurity capacity. Understanding the requirements to achieve Start-up
higher levels of capacity will directly indicate areas for further investment, and how to evidence such capacity levels. The CMM
can also be used to build business cases for investment and expected performance enhancements. Combining a CMM review D4
with national risk assessments, social, and economic strategies can further prioritise which capacity enhancements to make.
Start-up Stage Formative Stage Establish
D5
8 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Editionand Strategy
Dimension 1: Cybersecurity
Policy and Strategy
imension 1
D
This Dimension explores the country’s capacity to develop and deliver
cybersecurity strategy and enhance its cybersecurity resilience through
improving its incident response, cyber defence and critical infrastructure
protection capacities. This Dimension considers effective strategy and
policy in delivering national cybersecurity capability, while maintaining
the benefits of a cyberspace vital for government, international business
and society in general.
D1
D 1.1
D 1.2
D 1.3
D 1.4
D2
D3
D4
D5
9 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 EditionFactor Factor
D 1.1: National Cybersecurity Strategy D 1.2: Incident Response and Crisis Management
Cybersecurity strategy is essential to mainstreaming This Factor addresses the capacity of the government
a cybersecurity agenda across government because it to identify and determine characteristics of national
helps prioritise cybersecurity as an important policy level incidents in a systematic way. It also reviews the
area, determines responsibilities and mandates of key government’s capacity to organise, co-ordinate, and
cybersecurity government and non-governmental actors, operationalise incident response, and whether cybersecurity
and directs allocation of resources to the emerging and has been integrated into the national crisis management
existing cybersecurity issues and priorities framework
> Navigate to Factor > Navigate to Factor
Aspects Aspects
• Strategy Development: this Aspect addresses the • Identification and Categorisation of Incidents: this Aspect
development of a national strategy, allocation of identifies whether internal mechanisms are in place for
implementation authorities across sectors and civil society, identifying and categorising incidents;
and an understanding of national cybersecurity risks and
threats which drive capacity building at a national level; • Organisation: this Aspect addresses the existence of a
mandated central body designated to collect incident
• Content: this Aspect addresses the content of the national information, and its relationship with the public and private
cybersecurity strategy and whether it is linked explicitly sector for national level incident response; and
to national risks, priorities and objectives such as national
security, public awareness raising, and mitigation of • Integration of Cyber into National Crisis Management: this
cybercrime, incident response capability and critical national Aspect explores to what extent cybersecurity is integrated
infrastructure protection; into the national crisis management framework.
D1
• Implementation and Review: this Aspect addresses the
existence of an over-arching programme for cybersecurity D 1.1
co-ordination, including a departmental owner or co-
ordinating body with a consolidated budget; and D 1.2
• International Engagement: this Aspect explores to
D 1.3
what extent the country is aware of the existence of
international discussions on cybersecurity policy, and how
D 1.4
the international debates on cybersecurity policy and
related issues affect the country’s interests and international
standing. D2
D3
D4
D5
10 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 EditionFactor Factor
D 1.3: Critical Infrastructure (CI) Protection D 1.4: Cybersecurity in Defence
and National Security
This Factor studies the government’s capacity to identify
CI assets, the regulatory requirements specific to the This Factor explores whether the government has the capacity
cybersecurity of CI, and the implementation of good to design and implement a strategy for cybersecurity within
cybersecurity practice by CI operators national security and defence. It also reviews the level of
> Navigate to Factor cybersecurity capability within the national security and
defence establishment, and the collaboration arrangements on
Aspects cybersecurity between civil and defence entities
• Identification: this Aspect addresses the existence of a > Navigate to Factor
general list of CI assets, sectors and operators, and an audit
of CI assets on a regular basis; Aspects
• Defence Force Cybersecurity Strategy: this Aspect
• Regulatory Requirements: this Aspect addresses the addresses the existence of a strategy for supporting
existence of regulatory requirements specific to the cybersecurity within national security and defence,
cybersecurity of CI; and and whether it is supported by appropriate legal
authorities and relevant operational doctrine and rules of
• Operational Practice: this Aspect explores whether CI
engagement;
operators implement recognised industry standards, and
the existence of arrangements for collaboration across and • Defence Force Cybersecurity Capability: this Aspect
within sectors. reviews the level of cybersecurity capability and
organisational structures within the national security
establishment; and
D1
• Civil Defence Co-ordination: this Aspect examines the
collaboration on cybersecurity between civil and defence
entities, and the existence of adequate resources in place. D 1.1
D 1.2
D 1.3
D 1.4
D2
D3
D4
D5
11 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 EditionFactor - D 1.1: National Cybersecurity Strategy
Aspect Start-Up Formative Established Strategic Dynamic
No national cybersecurity Processes for strategy A national cybersecurity strategy Strategy review and renewal The national cybersecurity
strategy exists, although development have been has been published. processes are in place. strategy and implementation
planning processes for initiated. plan are both proactively
An assessment of country-specific Emerging cybersecurity risks
strategy development may reviewed to take account of
An outline/draft national national cybersecurity risk has been are regularly assessed and used
have begun. broader strategic developments
cybersecurity strategy has been conducted. to update the strategy and
within the country (political,
Advice may have been sought articulated. implementation plan.
The strategy reflects the needs economic, social, technical, legal
from international partners.
Consultation processes have and roles of relevant stakeholders The impact of the strategy and environmental).
been agreed for key stakeholder across government (national and on risk and harm reduction is
Strategy The country is an acknowledged
groups, including private sector, sub-national), business and civil understood and is used to inform
authority within the international
Development civil society and international society. funding and priority decisions.
community and is supporting
partners.
An implementation programme is the development of national and
in place which covers the scope of global cybersecurity strategies.
the strategy.
Cybersecurity considerations are
Mechanisms are in place to enable embedded within other relevant
strategy ‘owners’ to monitor national-level strategies and
achievement of outcomes, address implementation programmes.
implementation issues and
maintain strategy alignment.
Various national policies and Content exists that reflects The content of the national The content takes account of the The content takes account of the
strategies may exist that refer country-specific priorities and cybersecurity strategy is based on impact on cybersecurity risk of impact of broader developments
to cybersecurity, but these circumstances. a comprehensive risk assessment emerging technologies and their on cybersecurity risk (political,
are not comprehensive and that includes explicit links to use within critical infrastructure, economic, social, technical, legal
Links exist between the strategy
there is little evidence that wider national level economic and the wider economy and society. and environmental).
(or draft strategy) and priorities D1
these reflect specific national political policies and strategies.
such as national security, The outcomes defined in The content of the national
priorities and circumstances.
digital strategy and economic The content includes actions the strategy are specific and cybersecurity strategy promotes
development, but these are to raise public and business measurable. Metrics have and encourages bilateral and D 1.1
generally ad hoc and lack detail. awareness, mitigate cybercrime, been defined which enable multilateral co-operation
establish incident response stakeholders to evaluate the between countries to ensure
The strategy (or draft strategy) D 1.2
capability, promote public-private effectiveness of the strategy in a secure, resilient and trusted
defines the key outcomes against
Content which success can be evaluated.
partnership and protect critical reducing harm. cyberspace.
infrastructure and the wider D 1.3
Consideration has been given
economy.
to how the beneficial outcomes
Consideration has been given to of the strategy can be sustained
D 1.4
how the national cybersecurity beyond the strategy’s lifetime,
strategy might incorporate or including how the maintenance
support wider online policy of new capabilities will be
objectives such as: child protection; financed. D2
the promotion of Human Rights;
the promotion of Equality, Diversity
and Inclusion; and managing D3
disinformation.
D4
D5
12 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 EditionFactor - D 1.1: National Cybersecurity Strategy
Aspect Start-Up Formative Established Strategic Dynamic
No overarching A co-ordinated cybersecurity A detailed implementation plan has Outcome-oriented metrics are Mechanisms are in place
national cybersecurity implementation programme is been published including actions, being used to monitor the impact to make more far-reaching
implementation programme being developed with relevant responsible entities and resource that the programme is having on changes to the programme in
has been developed. stakeholders involved, including budgets. The implementation plan risk reduction (and other relevant the event of significant changes
the private sector and civil involves relevant stakeholders across strategy goals). in circumstance (political,
society. government and other sectors. economic, social, technical, legal
There is evidence of these
and environmental).
Actions within the programme A co-ordinating body has been metrics being used to refine
have been assigned to specific assigned. The body has sufficient action plans. The programme contributes
‘owners’ but the availability of authority to ensure that action to the global development of
Metrics (both progress and
adequate resources has not yet ‘owners’ are held to account. outcome-oriented metrics and
outcome-oriented metrics) are
Implementation been confirmed. their application.
The resources required to deliver the drawn from a wide variety of
and Review Mechanisms to review processes actions of the programme have been governmental, non-governmental
are limited or ad hoc. identified and are in place. Budget and international sources.
shortfalls are identified and escalated
There is independent oversight
to the relevant authority.
and/or assurance of the
Programme review processes and programme.
metrics are in place that allow
progress to be measured and risks,
issues and dependencies to be
escalated to the relevant authority.
These processes are adequately
funded.
There is limited awareness The country is aware of the An assessment has been made of The country is actively building The country is a leading actor
of the principal international existence of international how the international debates on international communities in building consensus, fostering D1
debates relating to discussions on cybersecurity cybersecurity policy and related of interest around specific inclusivity and shaping the
cybersecurity policy (such policy and related issues. issues affect the country’s interests cybersecurity policy goals and international debates on key
as cybersecurity norms, and international standing. Specific promoting their adoption. cybersecurity policy issues. D 1.1
The country may, on occasion,
mutual legal assistance, engagement objectives have been
participate in regional or The country makes a major The country is focused on the
Internet Governance, data defined accordingly. Multiple
international discussions on contribution to regional/ future, seeing emerging issues D 1.2
sovereignty, data protection). stakeholders have been involved in
matters related to cybersecurity international operational bodies (around new technology or new
International this process.
The country may benefit issues, but does not generally and is actively involved in types of threat), and is initiating
Engagement from regional/ international play an active role. The country is actively participating building capacity in third-party new international debates D 1.3
operational collaboration in relevant international bodies and countries. around the key issues.
The country may participate
networks but does not forums, either directly or through D 1.4
in relevant operational The country is actively involved
actively engage. relevant representative bodies.
collaboration and policy bodies in creating new regional/
Their voices are being heard and
(such as FIRST*, regional CERT** international collaboration
are having an impact.
bodies, the IGF***, or the UN mechanisms. D2
GGE****), but takes mainly a The country actively contributes to
passive role. regional/ international operational
collaboration and policy bodies. D3
* Forum of Incident Response and Security Teams
** Computer Emergency Response Team D4
*** Internet Governance Forum
**** The United Nations Group of Governmental Experts
D5
13 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 EditionFactor - D 1.2: Incident Response and Crisis Management
Aspect Start-Up Formative Established Strategic Dynamic
No process for identifying and Some organisations and sectors Most major organisations Insights arising from national The criteria for categorising
categorising national-level have internal mechanisms for have internal mechanisms for level incidents are routinely incidents are sufficiently flexible
incidents exists. identifying and categorising identifying and categorising analysed in order to establish to cater for rapidly emerging
incidents within their purview. incidents. lessons and inform broader changes in the underlying
Identification cybersecurity policy and strategy. technological or threat
A process for identifying A central registry of national-
environment.
and national-level incidents is under level cybersecurity incidents
Categorisation development. exists and a process for timely The country is contributing
escalation of incidents, from the to international best practice
of Incidents There is no central registry in
organisational to the national in incident identification and
place but ad-hoc arrangements
level, is in place. categorisation.
exist for dealing with the most
significant events. Individual national incidents are
categorised according to severity
and resources are allocated
accordingly.
No organisation for national-level A national CERT* might exist but A national body for incident The national body undertakes The government’s overall
cyber incident response exists. lacks sufficient resources and response has been established. a wide range of engagement operational response is
skills. It has the resources, skills, activities such as convening adaptive to changes in the
A few organisations may have
documented processes and legal communities of interest, running underlying technical and threat
internal cybersecurity response Processes for managing incidents
authorities required to address cross-sector exercises and environment.
mechanisms in place but co- are still in development.
the range of cyber incident promoting best cybersecurity
ordination is minimal. The country is contributing to
Some organisations from scenarios that the country is likely practices.
international best practice on
public and private sectors have to face (including out-of-hours
The national body innovates to how to organise operational
internal cybersecurity response capability, if appropriate).
provide a range of additional responses to cybersecurity
mechanisms in place but co-
ordination with the national
Relationships and protocols services that improve the threats. D1
are in place to enable incident country’s ability to prevent,
CERT is ad hoc.
management co-ordination detect, respond and recover
The role of sub-national bodies between the national body and from threats. D 1.1
Organisation is unclear. other elements of the public and
The national body is widely
Bilateral co-operation with private sectors.
recognised as an authoritative D 1.2
international partners is limited The role of sub-national bodies voice on cybersecurity within the
or ad hoc. in incident response is clear country.
and mechanisms are in place to D 1.3
The effectiveness of the national
enable co-ordination between the
body in reducing cyber risk and
national and sub-national levels. D 1.4
harm is regularly evaluated
There is regular sharing of threat and benchmarked against
and vulnerability information, international good practice.
and operational good practices D2
between the national body and a
wide range of public and private
sector organisations, as well as D3
international partners.
D4
* Computer Emergency Response Team
D5
14 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 EditionFactor - D 1.2: Incident Response and Crisis Management
Aspect Start-Up Formative Established Strategic Dynamic
No framework exists for national- A national crisis management Cybersecurity is fully integrated Lessons learnt from cyber crisis The country is contributing to
level crisis management. framework is in development into the national crisis exercises are used to inform the debate on the integration
and a specific organisation has management framework and the both national crisis management of cyber into national and
Cybersecurity has not been
been allocated responsibility organisation responsible for crisis policy and the national international crisis management.
considered as a potential
for leading national-level crisis management is equipped to deal cybersecurity strategy and
national-level crisis scenario. Emergency communications
response. with a range of cybersecurity- implementation plan.
capabilities are capable of
Emergency communication related scenarios.
Cybersecurity has been International crisis planning operating beyond the country’s
capabilities are limited.
recognised as relevant to The role of a cyber incident and exercising with partners border in order to support third-
national crisis management, management authority within exists and routinely includes party countries and global crisis
Integration of both as a factor in its own right the crisis management process is cybersecurity as an element. responses.
Cybersecurity and as an element of other crisis well defined and established, and
The resilience of emergency
scenarios. escalation thresholds are fully
into National understood.
communications has been stress-
Crisis An exercise programme is in tested against a wide range of
development and includes National crisis management potential scenarios.
Management
cybersecurity-based scenarios. scenarios with cybersecurity
components are regularly
Emergency communication
exercised.
capabilities are in place but may
not be well integrated or lack Emergency communication
resilience to cyber disruption. systems are regularly tested
for cyber resilience against a
range of cybersecurity-related
scenarios.
D1
D 1.1
D 1.2
D 1.3
D 1.4
D2
D3
D4
D5
15 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 EditionFactor - D 1.3: Critical Infrastructure (CI) Protection
Aspect Start-Up Formative Established Strategic Dynamic
There may be some A list of general CI assets, sectors The list of CI assets has been The list of CI assets is adaptive to There is flexibility in the process
appreciation of what and operators has been created. formalised and incorporates a range of strategic shifts in the underlying for identifying CI assets to cater
constitutes a CI asset, but no appropriate public and private sector technical, social and economic for rapidly emerging changes in
formal categorisation of CI organisations. environment. the underlying technological or
assets has been produced. threat environment.
Specific operators have been identified Interdependencies between
Identification and are aware of their status. sectors are managed. The country is actively involved
in the identification and
The list is kept up to date to Cross-border dependencies are
prioritisation of global CI assets.
reflect changes in the country’s managed.
circumstances. Cross-sector and cross-border
dependencies are mitigated.
Cross-border dependencies have been
identified.
There are no existing The need for baseline CI operators are mandated by Novel approaches to regulatory Regulatory frameworks are
regulatory requirements standards to govern CI assets is regulation to meet appropriate supervision are being developed sufficiently flexible to cater for
specific to the cybersecurity acknowledged but these are not cybersecurity standards (either in to improve CI cybersecurity while rapidly emerging changes in
of CI. explicitly mandated in regulation. the form of specific cyber regulation also facilitating effective and the underlying technological or
or as part of broader regulatory efficient CI service delivery. threat environment.
Sector regulators do not
requirements).
Regulatory routinely assess CI operators for The country is promoting best The country is actively involved
compliance. Mandatory breach reporting and practice regulatory approaches at in establishing regulatory
Requirements vulnerability disclosure requirements an international level. approaches to assuring global CI.
are in place.
Formal processes are in place to
evaluate CI operator compliance with
regulatory standards and incident and D1
vulnerability disclosure.
D 1.1
A few CI operators may Many CI operators are CI operators are consistently There is extensive collaboration The country and its CI operators
be implementing good implementing good cybersecurity implementing recognised industry among CI operators and with are contributing to the
cybersecurity practices, but practice. standards and the effectiveness public authorities to develop international debate on global D 1.2
this is inconsistent. of their cybersecurity controls are strategies that enhance collective critical infrastructure resilience.
There is some self-assessment
regularly assessed. cybersecurity. D 1.3
against recognised industry Experts from the regulators
standards. Mechanisms are in place for operators The resilience of the critical and CI operators are recognised
to share threat and vulnerability infrastructure ecosystem as internationally for their D 1.4
Some informal arrangements
information, best practices and lessons a whole has been assessed contribution to addressing
Operational exist for collaboration across and
learned from incidents and near against a range of scenarios, and global infrastructure protection
Practice within sectors.
misses. measures are in place to address challenges. D2
systemic risks to the economy
CI operators participate fully in
and society.
national incident response and crisis
management planning and exercising. D3
Mechanisms are in place for public
authorities to provide information and
other practical support to CI operators, D4
both pre- and post- incident.
D5
16 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 EditionFactor - D 1.4: Cybersecurity in Defence and National Security
Aspect Start-Up Formative Established Strategic Dynamic
The potential impact of The potential impact of A strategy for cybersecurity for Defence strategy includes Strategy and doctrine are
cybersecurity on national cybersecurity on national national security and defence appropriate considerations of not static but are adaptive to
security and defence may have security and defence has been has been formally adopted deterrence. changing capabilities and to the
been considered but has not assessed and a strategy for (stand-alone or as part of a wider geo-political and technical threat
The country’s defence and
been formally articulated. addressing these risks is under document). environment.
national security establishment
development.
The strategy is supported by (alongside other stakeholders) The strategy is designed to
This analysis includes risks to the appropriate legal authorities and is actively engaged in the promote stability in cyberspace.
ability of the country’s military relevant operational doctrine global debate on international This includes measures to predict
and other national security and rules of engagement. These humanitarian law and norms and influence the strategies and
assets to operate in a contested are consistent with international of behaviour as they relate actions and reactions of potential
Defence Force cyber environment. humanitarian law. to conflict in cyberspace. allies and adversaries.
Cybersecurity Declaratory strategy and
The dependence of national
Strategy security and military entities on
published doctrine may be part
of this.
the cybersecurity of other parts of
the critical national infrastructure
is understood and is addressed
in the defence cybersecurity
strategy.
Cybersecurity considerations
inform other elements of national
security and defence strategy,
where relevant.
Specialist cybersecurity capability Specialist cybersecurity capability Capabilities and organisational Relevant deterrence and Defence cybersecurity
within the national security requirements are understood, structures are in place and defence/resilience capabilities capabilities are able to support D1
establishment is limited. and relevant organisational have been tested. Resourcing is are in place, forming part of the multilateral responses to shared
structures have been defined. provided through the national country’s defence cybersecurity national security challenges.
Initial steps have been taken to military estimate or equivalent strategy. D 1.1
establish these. process.
Cybersecurity is embedded in
Operational doctrine and rules of wider operational and command D 1.2
Defence Force engagement are fully embedded training within the country’s
Cybersecurity in training. military forces.
Capability D 1.3
Specialist intelligence resources
are being applied to provide
support and are appropriately D 1.4
resourced.
Mechanisms to facilitate
collaboration with allies are in D2
place and have been tested.
D3
D4
D5
17 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 EditionFactor - D 1.4: Cybersecurity in Defence and National Security
Aspect Start-Up Formative Established Strategic Dynamic
Collaboration on cybersecurity Informal collaboration on Collaboration on cybersecurity Civil defence collaboration on The country is leading the
between civil and defence cybersecurity between civil between civil and defence entities cybersecurity is built into the international debate on best
entities is limited. and defence entities may exist exists and has been formalised. strategic planning of both sectors practice in cross-governmental,
but has not been formalised. and designed to address a range civil-defence cybersecurity
Respective roles have been
Defence entities have not been of future crisis scenarios. collaboration.
defined within the country’s crisis
formally resourced to undertake
management procedures. Mechanisms are in place that
this work.
enable defence and the national
The resources required within
security community to draw on
the defence and national security
the skills and capabilities of the
Civil Defence community, to support civil and
broader economy and society.
Co-ordination CI authorities, have been formally
(For example, via a formal cyber
assessed and assigned.
reserve force)
Formal mechanisms are in
place to determine military/
national security cybersecurity
dependencies on civil and CI
infrastructure. The ability of civil
and CI infrastructure operators to
provide these services has been
assured.
D1
D 1.1
D 1.2
D 1.3
D 1.4
D2
D3
D4
D5
18 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Editionnd Strategy and Society
Dimension 2: Cybersecurity
Culture and Society
mension1 imension 2
D
This Dimension reviews important elements of a responsible
cybersecurity culture such as the understanding of cyber-
related risks in society, the level of trust in Internet services,
e-government and e-commerce services, and users’
understanding of personal information protection online.
Moreover, this Dimension explores the existence of reporting
mechanisms functioning as channels for users to report D1
cybercrime. In addition, this Dimension reviews the role of
media and social media in shaping cybersecurity values, D2
attitudes and behaviour.
D 2.1
D 2.2
D 2.3
D 2.4
D 2.5
D3
D4
D5
19 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 EditionFactor Factor
D 2.1: Cybersecurity Mindset D 2.2: Trust and Confidence in Online Services
This Factor evaluates the degree to which cybersecurity This Factor reviews critical skills, the management of
is prioritised and embedded in the values, attitudes, and disinformation, the level of users’ trust and confidence in
practices of government, the private sector, and users the use of online services in general, and of e-government
across society at large. A cybersecurity mindset consists and e-commerce services in particular.
of values, attitudes and practices–including habits > Navigate to Factor
of individual users, experts, and other actors–in the
cybersecurity ecosystem that increase the capacity of users Aspects
to protect themselves online • Digital Literacy and Skills: this Aspect examines whether
> Navigate to Factor Internet users critically assess what they see or receive
online;
Aspects
• Awareness of Risks: this Aspect examines the level of • User Trust and Confidence in Online Search and
awareness of cybersecurity risks within the government, Information: this Aspect examines whether users trust in
private sector and users; the secure use of the Internet based on indicators of website
legitimacy;
• Priority of Security: this Aspect examines the extent to
which the government, private sector and users make • Disinformation: this Aspect examines the existence of tools
cybersecurity a priority; and and resources to address online disinformation;
• Practices: this Aspect examines whether the government, • User Trust in E-government Services: this Aspect examines
D1
private sector and users follow safe cybersecurity practices. whether there are government e-services offered, whether
trust exists in the secure provision of such services, and if
efforts are in place to promote such trust in the application D2
of security measures; and
• User Trust in E-commerce Services: this Aspect examines D 2.1
whether e-commerce services are offered and established in
a secure environment and trusted by users. D 2.2
D 2.3
D 2.4
D 2.5
D3
D4
D5
20 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 EditionFactor Factor Factor
D 2.3: User Understanding of Personal D 2.4: Reporting Mechanisms D 2.5: Media and Online Platforms
Information Protection Online
This Factor explores the existence of reporting mechanisms that This Factor explores whether cybersecurity is a common subject
This Factor looks at whether Internet users and stakeholders function as channels for users to report Internet-related crime of discussion across mainstream media, and an issue for broad
within the public and private sectors recognise and such as online fraud, cyber-bullying, child abuse online, identity discussion on social media. Moreover, this Factor looks at the
understand the importance of protecting personal theft, privacy and security breaches, and other incidents. role of media in conveying information about cybersecurity to
information online, and whether they are sensitive of their > Navigate to Factor the public, thus shaping their cybersecurity values, attitudes
privacy rights. and online behaviour.
> Navigate to Factor Aspects > Navigate to Factor
• Reporting Mechanisms: (as above)
Aspects Aspects
• Personal Information Protection Online: (as above) • Media and Social Media: (as above)
D1
D2
D 2.1
D 2.2
D 2.3
D 2.4
D 2.5
D3
D4
D5
21 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 EditionFactor - D 2.1: Cybersecurity Mindset
Aspect Start-Up Formative Established Strategic Dynamic
The government has minimal Leading government agencies There is widespread awareness Government agencies across all Government agencies at all levels
or no level of awareness of have a minimal level of of cybersecurity risks within most levels are aware of cybersecurity are fully aware of cybersecurity
cybersecurity risks. awareness of cybersecurity government agencies. risks and proactively anticipating risks and use them to update
risks. new risks. cybersecurity policies and
The private sector has minimal There is widespread awareness
operational practices.
or no level of awareness of Leading private firms have a of cybersecurity risks within most Private sector actors at all levels are
Awareness of cybersecurity risks. minimal level of awareness of private firms. fully aware of cybersecurity risks Most private sector actors across
cybersecurity risks. and are anticipating new risks. all levels mitigate cybersecurity
Risks Users have minimal or no level A growing number of Internet
risks and use them to update
of awareness of cybersecurity A limited proportion of Internet users within society have Users are fully aware of
cybersecurity policies and
risks. users have awareness of awareness of cybersecurity risks. cybersecurity risks and try to
operational practices.
cybersecurity risks. anticipate new risks.
Most users identify and
anticipate cybersecurity risks and
try to adapt their behaviour.
The government has minimal or Leading government agencies Most government agencies at all Government agencies across all Government agencies at all levels
no recognition of the need to and private firms recognise the levels are making cybersecurity levels routinely prioritise and habitually, as a matter of course,
prioritise cybersecurity. need to prioritise cybersecurity. a priority. reassess cybersecurity priorities in prioritise cybersecurity.
response to changing threats to the
Private sector actors have Private firms recognise the Most private firms at all levels Private sector actors at all
population.
minimal or no recognition of the need to prioritise cybersecurity. are making cybersecurity a levels habitually prioritise
need to prioritise cybersecurity. priority. Most private sector actors across cybersecurity, as a matter of
A limited proportion of Internet
all levels routinely prioritise and course.
Users have minimal or no users recognise the need to A growing number of Internet
reassess cybersecurity priorities in
recognition of the need to prioritise cybersecurity. users within society make Users habitually prioritise D1
Priority of response to changing threats to the
prioritise cybersecurity. cybersecurity a priority. cybersecurity and take steps to
Security Surveys and metrics to assess population.
improve their security online.
No surveys or metrics exist knowledge of cybersecurity Surveys and metrics to evaluate
Most users routinely prioritise D2
to document cybersecurity in within the nation are limited or knowledge of cybersecurity Survey results and metrics are
cybersecurity and seek to take
government, private sector, or ad hoc. within the nation are available. used to refine cybersecurity
proactive steps to improve
across users. policies, inform operational
cybersecurity.
practices and IT-related initiatives D 2.1
Surveys and metrics are routinely within the nation.
conducted and publicised in fields
of government, business and D 2.2
industry, and among users.
D 2.3
The government agencies do Leading government agencies Most government agencies at all Government agencies across Government agencies at all
not follow safe cybersecurity follow safe cybersecurity levels follow safe cybersecurity all levels routinely follow safe levels habitually follow and D 2.4
practices. practices. practices. cybersecurity practices. also develop safe cybersecurity
practices. D 2.5
Private sector companies do Leading private firms follow Most private firms at all levels Most private sector actors,
not follow safe cybersecurity safe cybersecurity practices. follow safe cybersecurity practices. (including SMEs) across all levels Private sector actors at all levels
Practices practices.
A limited but growing Most Internet users within this
routinely follow safe cybersecurity habitually follow and develop
practices. safe cybersecurity practices. D3
In this country, very few Internet proportion of Internet country know and follow safe
users follow safe cybersecurity users know or follow safe cybersecurity practices Most users know and routinely Nearly all users know
practices or take protective cybersecurity practices. follow safe cybersecurity practices. and habitually follow safe
D4
measures to ensure their cybersecurity practices as a
security. matter of course.
D5
22 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 EditionYou can also read
