Cybersecurity Capacity Maturity Model for Nations (CMM) 2021 Edition

The Cybersecurity Capacity Maturity Model for Nations (CMM) facilitates the assessment of a country’s cybersecurity capacity maturity. Developed by the Global Cyber Security Capacity Centre (GCSCC) of the University of Oxford in consultation with over two hundred international experts drawn from governments, international organisations, academia, public & private sectors and civil society, the CMM reviews cybersecurity capacity across five dimensions.

The Cybersecurity Capacity Maturity Model for Nations (CMM) considers cybersecurity to comprise five Dimensions which, together, constitute the breadth of national capacity that a country requires to be effective in delivering cybersecurity:

  1. Developing cybersecurity policy and strategy;
  2. Encouraging responsible cybersecurity culture within society;
  3. Building cybersecurity knowledge and capabilities;
  4. Creating effective legal and regulatory frameworks; and
  5. Controlling risks through standards and technologies.

The CMM allows the benchmarking of current national cybersecurity capacity. Understanding the requirements to achieve higher levels of capacity will directly indicate areas for further investment, and how to evidence such capacity levels. The CMM can also be used to build business cases for investment and expected performance enhancements. Combining a CMM review with national risk assessments and with social and economic strategies can further prioritise which capacity enhancements to make.

A National Cybersecurity Assessment with the CMM

A CMM review of a country involves data-gathering by a team of researchers who carry out in-country stakeholder consultation and desk research. The output is an evidence-based report which:

  • benchmarks the maturity of a country’s cybersecurity capacity;
  • details a pragmatic set of actions to help close gaps in cybersecurity capacity maturity; and
  • identifies priorities for investment and future capacity-building, based on a country’s specific needs.

According to an independent study commissioned by the UK Foreign, Commonwealth and Development Office, the benefits of a CMM review for a country are numerous and include:

  • increased cybersecurity awareness and capacity building, and greater collaboration within government;
  • networking and collaboration with business and wider society;
  • the enhancement of the internal credibility of the cybersecurity agenda within governments;
  • help in defining roles and responsibilities within governments;
  • providing evidence to increase funding for cybersecurity capacity building; and
  • a foundation for country strategy and policy development.

It is important that a country can evidence its achievements in cybersecurity capacity, and the CMM identifies what that evidence should be and what it demonstrates. Such evidence gathering is in itself a multi-stakeholder process, involving a wide range of sources and organisations. Discussions can be important to resolve differences of opinion. Whether such discussions can be effective if done remotely (and online), or will necessitate face-to-face meetings, will depend upon the country undertaking a review.

For more information on the CMM review methodology, process and exemplary reports, visit:

Since 2015, there have been over 120 CMM reviews in more than 85 countries around the world, carried out by various key international stakeholders, such as the World Bank (WB), the Organization of American States (OAS), the International Telecommunication Union (ITU), the Commonwealth Telecommunications Organisation (CTO), NRD Cyber Security (NRD), and the Global Constellation members, the Oceania Cyber Security Centre (OCSC) and the Cybersecurity Capacity Centre for Southern Africa (C3SA).