CRF Maturity Model

What Is the CRF Maturity Model?

The CRF Maturity Model (CRF-MM) provides a cybersecurity-specific framework for describing and comparing the maturity of cybersecurity safeguards. It establishes a common scale — five program maturity levels — that organizations, assessors, and stakeholders can use to reason about cybersecurity maturity consistently, without embedding assumptions about assessment flow, implementation sequencing, or validation authority.

The model is intentionally conceptual, not operational. It does not prescribe which safeguards to implement, define assessment workflows, or provide remediation guidance. Those activities live in the CRF platform, assessment tools, and other CRF frameworks. The CRF-MM defines the scale; everything else determines how that scale is applied.

Two Dimensions of Maturity

The CRF-MM formally distinguishes between two dimensions that are often conflated:

Program Maturity — Capability Breadth

Describes which cybersecurity capabilities and safeguard categories an organization has adopted. Expressed through the five CRF maturity levels. Higher program maturity reflects a broader, more sophisticated set of capabilities, not necessarily better execution of any one of them.

Implementation Maturity — Depth and Coverage

Describes how consistently and comprehensively an individual safeguard is deployed across the organization. An organization may adopt a higher-level safeguard yet implement it unevenly, while a foundational safeguard may be thoroughly implemented. The two dimensions are independent: progression in one does not guarantee progression in the other.

The Five Maturity Levels

  • Level 1 — Foundational: Basic protections exist but are reactive, ad hoc, and unevenly applied

  • Level 2 — Hygiene: Routine, repeatable technical practices address common threats with increasing consistency

  • Level 3 — Governed: Formal policies, ownership, and oversight structures direct cybersecurity activities

  • Level 4 — Controlled: Safeguards are implemented consistently enterprise-wide with structured exception management

  • Level 5 — Monitored: Ongoing visibility into safeguard implementation informs governance and oversight on a continuous basis

The CRF-MM in the CRF Ecosystem

  • CRF Safeguards — Authoritative source for classifying specific safeguards into maturity levels

  • CRF Assessment Tools — Apply the maturity model by evaluating implementation depth and coverage

  • CRF-GRM and CRF-GRMM — Use the maturity model as context for governance and oversight discussions

  • CRF-AF and CRF-BIM — Reference the maturity model indirectly through validation and evidence activities

Who Is This For?

  • CISOs and security leaders assessing program breadth and identifying capability gaps
  • Risk and compliance teams who need a consistent language for describing cybersecurity posture
  • Auditors and assessors evaluating safeguard implementation depth and coverage
  • Executives who need to understand what cybersecurity maturity means — and what it does not

What’s New in v2026?

  • Two Dimensions of Maturity: The headline addition — a formal distinction between Program Maturity (which capabilities your program has adopted) and Implementation Maturity (how consistently each safeguard is actually deployed). These are intentionally independent; progression in one doesn’t guarantee progression in the other.

  • Observable Implementation States: A new section defines how implementation maturity is described using observable conditions, from not implemented through partial to full coverage, focused on what can be seen rather than how an organization got there.

  • CMMI Comparison: A new section explicitly differentiates the CRF-MM from CMMI (different scope, different levels, different purpose) and clarifies that they are complementary, not competing.

  • CRF Ecosystem Positioning: Defines how the MM connects to the Safeguards, assessment tools, GRM, and Audit Framework across the CRF system.

Frequently Asked Questions

What is the CRF-MM?

The CRF-MM (Maturity Model) is a framework developed by the Cybersecurity Risk Foundation and IANS Research, designed to guide organizations in enhancing their cybersecurity maturity through five levels, from foundational to monitored safeguards.

Why adopt the CRF-MM?

Adopting the CRF-MM helps organizations systematically improve their cybersecurity defenses, align security practices with business objectives, and strengthen resilience against evolving cyber threats.

What are the five maturity levels?

The five levels are Foundational, Hygiene, Governed, Controlled, and Monitored, each representing a stage in the maturity of an organization's cybersecurity program.

Can organizations use the CRF-MM on their own?

Yes, organizations can navigate the CRF-MM independently. However, collaborating with cybersecurity experts can provide additional insight and support, improving the effectiveness of the maturity assessment and improvement process.

How often should maturity be reassessed?

It is recommended to reassess your cybersecurity maturity annually using the CRF-MM. This helps ensure your cybersecurity measures remain effective and aligned with current threats, technologies, and business objectives.

Download for Free

The Maturity Model is available as a free download: provide your email address on the CRF website and it will be sent to your inbox.