Introducing the Cyber Resilience Capability Maturity Model (CR-CMM)
The Cyber Resilience Capability Maturity Model (CR-CMM), inspired by the SOC-CMM, will focus on the maturity and effectiveness of an organization's ability to withstand, recover from, and adapt to cyber threats, leveraging the insights from NIST 800-160 and the MITRE frameworks.
The model will be structured around key domains that mirror those used in the SOC-CMM, such as Technology, Process, People, and Business, but adapted to emphasize cyber resilience services. Ten core Practices are leveraged to build these capabilities; they are shown in the slide below and sit at the heart of the CR-CMM.
The maturity levels range from Initial (where resilience practices are reactive and uncoordinated) to Optimized (where resilience is proactive, integrated into all aspects of system design, and supported by continuous improvement).
The CR-CMM will be highly customizable by organizations, enabling them to tailor it to specific threat environments and operational contexts, similar to how NIST SP 800-160 allows for flexibility in applying its resilience constructs based on organizational risk tolerance and system complexity.