Secure Controls Framework
Secure, Compliant & Resilient · Maturity Measurement · Free Forever

SCR-CMM — Capability Maturity Model — Measure & Advance Your Cybersecurity Program

The SCR Capability Maturity Model (SCR-CMM) provides a five-level maturity scoring system for every control in the Common Controls Framework™ — enabling organizations to assess where they are today, define where they need to be, and measure progress over time.

5 Maturity Levels · 1,400+ Controls with CMM Criteria · 33 Domains Assessed · Free (Creative Commons)
Common Controls Framework™

The SCF is the exclusive, trademarked Common Controls Framework™ (CCF™) — a Living Control Set with 33 domains, 1,400+ controls, and mappings to 200+ laws, regulations & frameworks. SCR-CMM is the maturity measurement model built on the CCF™. Free. Always.

SCR-CMM maturity criteria are built directly into the SCF spreadsheet download — every control has five maturity level descriptions. No separate tool or license required. Available in Excel, CSV, and NIST OSCAL JSON.

About SCR-CMM

Beyond Compliance — Measure Program Capability

A binary pass/fail assessment answers the question “Are we compliant?” The SCR-CMM answers a far more useful question: “How well are we actually doing this?”

Compliance frameworks tell organizations what controls to implement. They do not provide a meaningful way to measure whether those controls are implemented effectively, consistently, or sustainably. An organization can have a documented policy (Level 2) or a fully automated, continuously monitored, optimized control (Level 5) — both might satisfy a compliance checkbox, but only one represents genuine risk reduction.

The SCR-CMM fills this gap. Every SCF control includes descriptive criteria for each of the five maturity levels — from Level 1: Ad Hoc (no formal process) through Level 5: Optimized (continuous improvement and automation). Organizations can score each control, calculate domain-level maturity, and produce a defensible, evidence-supported program maturity score.

Built Into the SCF Spreadsheet — No Separate Download Required

SCR-CMM criteria are integrated directly into the SCF Excel download. Every row in the control catalog includes a CMM criteria column for each of the five levels. Assessment scores can be entered directly into the spreadsheet.

Typical Organization Maturity Distribution

Average CMM level distribution across domains for a mid-market organization beginning an SCF implementation

Level 1 (Ad Hoc): ~15% — Level 2 (Documented): ~35% — Level 3 (Implemented): ~35% — Level 4 (Measured): ~12% — Level 5 (Optimized): ~3%

SCR-CMM Maturity Scale

Five Maturity Levels — From Ad Hoc to Optimized

The SCR-CMM uses five descriptive maturity levels, each with specific observable criteria for what “implemented at this level” means for any given SCF control. Assessment is evidence-based — not self-reported opinion.

Level 1 — Ad Hoc

No formal process exists. The control activity may occur informally or sporadically, but it is not documented, not consistently applied, and not assigned to a responsible owner. Results are unpredictable. Success depends on individual knowledge rather than repeatable process. Compliance risk is high, and Minimum Compliance Requirement (MCR) obligations are likely unmet.

Level 2 — Documented

A policy or procedure exists and is formally documented. The control is assigned to a responsible owner. The process is repeatable but may not be consistently followed across the organization. Evidence of the control exists but may be incomplete or periodic. Minimum documentation standards are met. Many MCRs can be satisfied at this level with evidence.

Level 3 — Implemented

The control is formally documented, consistently implemented, and evidence of implementation is regularly generated and retained. The process is applied organization-wide. Personnel are trained on the control. Exceptions are tracked and managed. This is the target level for most organizations and sufficient for the majority of compliance frameworks.

Level 4 — Measured

The control is implemented and its effectiveness is quantitatively measured. Metrics are defined, collected, and reported to management on a regular schedule. Deviations from expected performance trigger defined response procedures. Control performance data informs risk management decisions. This is the level generally expected in highly regulated environments (for example FedRAMP, CMMC Level 3, and HIPAA audits).

Level 5 — Optimized

The control is implemented, measured, and continuously improved through a formal process. Automation is applied where feasible. Lessons learned from incidents, near-misses, and audit findings are systematically incorporated into control updates. The organization proactively identifies improvement opportunities. Target for enterprise security programs and high-assurance environments.

Scoring Methodology

How SCR-CMM Scoring Works

SCR-CMM scoring is evidence-based and hierarchical — each level’s criteria must be fully satisfied before the next level can be claimed. Maturity scores roll up from control level to domain level to program level.

Scoring Hierarchy

CMM scores are calculated at three levels, enabling both granular control-level analysis and executive-level program reporting:

1. Control-Level Score (1–5): Each individual SCF control is assessed against the five-level criteria and assigned a score from 1 (Ad Hoc) to 5 (Optimized). Scoring must be supported by documented evidence or an Assessment Observation (AO) from the Evidence Request List (ERL).

2. Domain-Level Score: The average CMM score across all controls within a given SCF domain (e.g., IAC, NET, MON). Domain scores identify areas of relative strength and weakness within the security program.

3. Program-Level Score: The weighted average CMM score across all 33 domains, using the SCF proposed control weightings. Produces a single defensible program maturity score for executive and board reporting.

Hierarchical Requirement

A control cannot be scored at Level 3 unless all Level 2 criteria are also satisfied. Each level is fully cumulative. This prevents organizations from claiming higher maturity on individual attributes while ignoring foundational requirements.
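The roll-up and the cumulative rule above, as an added worked example (not SCF's own code or spreadsheet logic). The control IDs, domain assignments, and weights are constructed for the demonstration; the SCF publishes its own control weightings, which this example does not reproduce, and the program score here weights by control rather than by domain, which is one reading of the page's description.

```python
"""Added example (not SCF's own code): roll up SCR-CMM control scores to
domain and program level, enforcing the cumulative-level rule.

Assumptions: control IDs, domains and weights are constructed; the SCF's
published control weightings are not reproduced here.
"""
from collections import defaultdict
from dataclasses import dataclass, field

LEVEL_NAMES = {1: "Ad Hoc", 2: "Documented", 3: "Implemented",
               4: "Measured", 5: "Optimized"}


@dataclass
class ControlAssessment:
    control_id: str
    domain: str            # SCF domain abbreviation, e.g. "IAC"
    weight: int            # assumed relative weight for the program roll-up
    # Levels (2..5) whose criteria the assessor found fully evidenced.
    # Level 1 is the floor and needs no evidence.
    evidenced: set = field(default_factory=set)


def control_score(ctrl: ControlAssessment) -> int:
    """Return the highest level L such that levels 2..L are all evidenced.

    A missing level caps the score there: evidence for Levels 4 and 5 with
    no Level 3 evidence still scores 2. This is the hierarchical rule.
    """
    score = 1
    for level in range(2, 6):
        if level not in ctrl.evidenced:
            break
        score = level
    return score


def domain_scores(controls) -> dict:
    """Unweighted mean control score per domain."""
    by_domain = defaultdict(list)
    for ctrl in controls:
        by_domain[ctrl.domain].append(control_score(ctrl))
    return {d: sum(s) / len(s) for d, s in by_domain.items()}


def program_score(controls) -> float:
    """Weighted mean across all controls using the assumed weights."""
    total_weight = sum(c.weight for c in controls)
    return sum(control_score(c) * c.weight for c in controls) / total_weight


# Constructed assessment results for four controls in three domains.
SAMPLE = [
    ControlAssessment("IAC-A", "IAC", weight=3, evidenced={2, 3, 4}),
    ControlAssessment("IAC-B", "IAC", weight=2, evidenced={2, 4, 5}),  # gap at 3
    ControlAssessment("NET-A", "NET", weight=1, evidenced=set()),
    ControlAssessment("MON-A", "MON", weight=2, evidenced={2, 3}),
]

if __name__ == "__main__":
    for c in SAMPLE:
        s = control_score(c)
        print(f"{c.control_id}: Level {s} ({LEVEL_NAMES[s]})")
    print("domains:", domain_scores(SAMPLE))
    print("program:", round(program_score(SAMPLE), 2))
```

IAC-B is the case the hierarchical requirement exists for: it has Level 4 and Level 5 evidence but no Level 3 evidence, so it scores 2, and the IAC domain averages 3.0 rather than the 4.5 a non-cumulative reading would give.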

CMM Criteria Example

Sample CMM Criteria — IAC Domain

For every SCF control, the SCR-CMM provides observable criteria for each of the five maturity levels. The following illustrates how CMM criteria work for a representative Identity & Access Control (IAC) domain control.

Observable criteria for IAC-09 (Multi-Factor Authentication), by CMM level:

Level 1 (Ad Hoc): No MFA policy exists. MFA is not deployed for any system. Individual administrators may enable MFA at their discretion. No documentation or ownership.

Level 2 (Documented): An MFA policy exists and is formally documented. MFA is required for privileged accounts by policy. A responsible owner is assigned. MFA is partially deployed but coverage is inconsistent.

Level 3 (Implemented): MFA is deployed and enforced for all privileged accounts and all remote access. Policy is consistently applied organization-wide. Evidence of enforcement is retained. Exceptions are tracked with documented rationale and management approval.

Level 4 (Measured): MFA coverage is quantitatively measured and reported monthly. Metrics include: MFA enrollment rate by system, MFA bypass attempts, and exception count trends. Deviations trigger defined remediation procedures. Coverage data is reported to security leadership.

Level 5 (Optimized): MFA enforcement is automated and monitored in real time. Continuous improvement processes incorporate threat intelligence on MFA bypass techniques. Phishing-resistant MFA (FIDO2/WebAuthn) is implemented for high-risk accounts. Lessons from incidents inform policy updates.

All 1,400+ controls have CMM criteria in the SCF download

The SCF Excel spreadsheet includes CMM criteria columns for all five levels for every control in the catalog. Assessors can score each control directly in the spreadsheet using the built-in criteria as the assessment standard.
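The Level 4 metrics for the MFA control above, computed from an account inventory, as an added example (not SCF's own code). The inventory rows, the 95% enrollment target, and the column layout are constructed for the demonstration; a real assessment would pull the inventory from the identity provider.

```python
"""Added example (not SCF's own code): the Level 4 'Measured' metrics for
the MFA control above, computed from a constructed account inventory.
The 95% enrollment target and the inventory rows are assumptions."""
from collections import defaultdict

PHISHING_RESISTANT = {"fido2", "webauthn"}   # Level 5 criterion for high-risk accounts

# Constructed inventory: (system, account, privileged, mfa_method, approved_exception)
INVENTORY = [
    ("vpn", "alice", True,  "fido2", False),
    ("vpn", "bob",   True,  None,    True),   # gap covered by an approved exception
    ("vpn", "carol", False, "totp",  False),
    ("vpn", "dave",  False, None,    False),
    ("erp", "erin",  True,  None,    False),  # privileged, no MFA, no exception
    ("erp", "frank", False, "push",  False),
    ("erp", "grace", False, "totp",  False),
]


def coverage_report(inventory, min_rate=0.95):
    """Per-system enrollment rate (the Level 4 metric) plus the share of
    privileged accounts on phishing-resistant MFA (the Level 5 criterion).
    below_target marks the deviation that should trigger remediation."""
    tally = defaultdict(lambda: {"accounts": 0, "enrolled": 0,
                                 "privileged": 0, "priv_resistant": 0})
    for system, _acct, privileged, method, _exc in inventory:
        t = tally[system]
        t["accounts"] += 1
        if method:
            t["enrolled"] += 1
        if privileged:
            t["privileged"] += 1
            if method in PHISHING_RESISTANT:
                t["priv_resistant"] += 1
    report = {}
    for system, t in tally.items():
        rate = t["enrolled"] / t["accounts"]
        report[system] = {
            "enrollment_rate": rate,
            "below_target": rate < min_rate,
            "privileged_phishing_resistant_rate":
                t["priv_resistant"] / t["privileged"] if t["privileged"] else None,
        }
    return report


def unapproved_privileged_gaps(inventory):
    """Privileged accounts with no MFA and no approved exception. Any hit
    here means the Level 3 'enforced for all privileged accounts' criterion
    is not met, whatever the overall enrollment rate says."""
    return sorted(f"{system}/{acct}"
                  for system, acct, privileged, method, exc in inventory
                  if privileged and not method and not exc)


if __name__ == "__main__":
    for system, metrics in coverage_report(INVENTORY).items():
        print(system, metrics)
    print("unapproved privileged gaps:", unapproved_privileged_gaps(INVENTORY))
```

The two functions answer different questions: the report is the monthly metric a Level 4 program reports, while the gap list is the pass/fail check behind Level 3. An account with an approved exception (bob) still lowers the enrollment rate but is not a Level 3 violation, which is why exceptions need to be tracked rather than silently excluded.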

Use Cases

How Organizations Use SCR-CMM

The SCR-CMM is used across the entire GRC lifecycle — from initial program assessment through ongoing monitoring and board-level reporting.

Initial Program Assessment

Conduct a baseline assessment of the organization’s current cybersecurity posture. Score each SCF control at its current CMM level to establish a documented, defensible starting point. Identify domain-level strengths and gaps.

Remediation Prioritization

Use CMM scores combined with SCF control weightings and MCR/DSR classifications to prioritize remediation. MCR controls scoring below Level 3 take highest priority. High-weighted DSR controls at Level 1–2 are next.
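The prioritization rule above as an added example (not SCF's own code): MCR controls below Level 3 first, then DSR controls at Level 1 or 2 ordered by weight, then everything else still below its target. The findings, weights, and targets are constructed; the MCR/DSR classification is assumed to have been assigned already.

```python
"""Added example (not SCF's own code): order remediation work using the
rule on this page. Control IDs, weights, scores and targets are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    control_id: str
    classification: str   # "MCR" or "DSR" (assumed already assigned)
    weight: int           # assumed control weighting; higher = more important
    score: int            # current CMM level 1..5
    target: int           # target CMM level for this cycle


def priority_tier(f: Finding) -> Optional[int]:
    """0: MCR below Level 3; 1: DSR at Level 1-2; 2: anything else below
    its target; None: at or above target (no remediation needed)."""
    if f.classification == "MCR" and f.score < 3:
        return 0
    if f.classification == "DSR" and f.score <= 2:
        return 1
    if f.score < f.target:
        return 2
    return None


def remediation_order(findings) -> List[str]:
    """Control IDs in work order: tier first, then heavier weight, then
    lower current score (bigger gap) within a tier."""
    open_items = [(priority_tier(f), f) for f in findings]
    open_items = [(t, f) for t, f in open_items if t is not None]
    open_items.sort(key=lambda tf: (tf[0], -tf[1].weight, tf[1].score))
    return [f.control_id for _, f in open_items]


# Constructed assessment findings.
FINDINGS = [
    Finding("GOV-01", "MCR", weight=2, score=2, target=3),
    Finding("IAC-09", "MCR", weight=3, score=1, target=4),
    Finding("NET-03", "DSR", weight=3, score=2, target=3),
    Finding("MON-02", "DSR", weight=1, score=1, target=3),
    Finding("AST-04", "DSR", weight=2, score=3, target=4),
    Finding("CRY-01", "MCR", weight=2, score=4, target=4),  # at target, dropped
]

if __name__ == "__main__":
    print(remediation_order(FINDINGS))
```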

Pre-Audit Readiness

Conduct an internal CMM assessment before a third-party audit to identify controls likely to receive findings. Evidence gaps surfaced by the ERL crosswalk during CMM scoring indicate where auditors are most likely to focus.

Board-Level Reporting

Produce a single, weighted program maturity score suitable for board and executive reporting. Track the program maturity score quarter-over-quarter to demonstrate security investment ROI and improvement trajectory.

Third-Party Risk Assessment

Use the SCR-CMM as the basis for third-party cybersecurity assessments — requiring vendors or partners to self-assess or submit to independent CMM scoring. Standardizes third-party risk comparison across different vendors.

SCF-CAP Preparation

The SCF Conformity Assessment Program (SCF-CAP) uses the SCR-CMM as the scoring standard for organizational certifications. Internal CMM preparation directly prepares organizations for the CAP assessment process.

Continuous Improvement

Plan-Do-Check-Act (PDCA)

The SCR-CMM is designed to operate within a continuous PDCA improvement cycle — enabling organizations to systematically advance control maturity over time rather than treating assessment as a one-time event.

Phase 1 (PLAN): Define the assessment scope. Select the SCF control subset applicable to your organization’s risk tier and regulatory obligations. Define target CMM levels for each domain based on regulatory requirements and risk appetite.

Phase 2 (DO): Conduct the CMM assessment. Score each control using the built-in criteria in the SCF spreadsheet. Gather evidence using the ERL. Document gaps, assign owners, and define remediation timelines for controls below target level.

Phase 3 (CHECK): Calculate domain-level and program-level maturity scores. Compare against prior assessment results to measure improvement. Validate that remediation actions have raised CMM scores as planned. Report results to management.

Phase 4 (ACT): Update remediation plans for remaining gaps. Set new target CMM levels for the next cycle. Advance controls that reached their target level toward the next level. Incorporate assessment findings into the security roadmap and budget planning.

Related SCR Models

SCR-CMM Works With SCR-RMM

The SCR-CMM and SCR-RMM are companion models — maturity measurement and risk management work together within the same SCF-based program framework.


SCR-CMM — Capability Maturity Model

Defines how to measure and score control implementation maturity — providing the measurement system that tells the organization how well each control is implemented, not just whether it exists on paper.

Five maturity levels (Ad Hoc → Optimized)
Observable criteria for every SCF control
Control, domain, and program-level scoring
Evidence-based — not self-reported opinion
Companion Model

SCR-RMM — Risk Management Model

Defines the risk management process — using CMM scores as the input for risk assessment and residual risk calculation. Without CMM scores, the RMM cannot produce meaningful risk measurements.

Three scalable risk tiers (Foundational, Intermediate, Advanced)
MCR/DSR classification for compliance vs security risk
Seven-step risk assessment process
Risk treatment and monitoring framework
Creative Commons — No Cost — No Registration Required

Download the SCR-CMM — Free

SCR-CMM criteria are built into every row of the SCF download — five maturity level descriptions for all 1,400+ controls across 33 domains. No separate download, no license, no registration required.


Licensed under Creative Commons Attribution 4.0. Volunteer-driven by the SCF Council. No registration required.