What do the three states indicate?
Whatever you wish! You can define your own maturity levels, or adopt definitions from an established framework (see below).
What are some recommended maturity levels?
The U.S. Department of Energy Cybersecurity Capability Maturity Model (C2M2) defines four Maturity Indicator Levels (MILs):
| State | Level | Description |
|-------|-------|-------------|
| Empty | MIL0 | Practices are not performed |
| | MIL1 | Initial practices are performed but may be ad hoc |
| | MIL2 | Practices are documented; adequate resources are provided to support the process |
| | MIL3 | Activities are guided by policies (or other organizational directives); responsibility, accountability, and authority for performing the practices are assigned; personnel performing the practices have adequate skills and knowledge; the effectiveness of activities is evaluated and tracked |