Cybersecurity Capacity Maturity Model for Nations (CMM)

As nations across the globe continue to develop various infrastructures, there is an ever-increasing reliance on information and communication technologies, including the Internet. The vitality of cyberspace will depend on each nation’s success in building capacity in the face of changing cyber-threats, whether it is due to trends in the diffusion of technology, technical advances, social and political change, or the evolution of threat-actor ecosystems, The need for greater capacity has never been so important.

Building Cybersecurity Capacity is a journey that a country or an organisation takes in developing greater resilience to a point where they have built systems and created policies to prevent, prepare for, and respond to cyber-attacks.

The Cybersecurity Capacity Maturity Model for Nations (CMM) by the Global Cyber Security Capacity Centre (GCSCC) at the University of Oxford, provides a framework that helps countries to understand what does and doesn’t work across all areas of cyber security and can compare cybersecurity capacity across different nations over time. Its methodology ensures that we collect insights from different actors and groups of stakeholders to reflect a broad view of the cybersecurity capacity in each nation.

Developed in consultation with over two hundred international experts drawn from governments, international organisations, academia, public and private sectors, and civil society, the CMM reviews cyber security capacity across five interconnected dimensions, which together constitute the breadth of national capacity that a country requires to be effective in delivering cyber security:

1. Cybersecurity policy and strategy
2. Cybersecurity culture and society
3. Building cybersecurity knowledge and capabilities
4. Legal and regulatory frameworks
5. Standards and technologies

NRD Cyber Security is a strategic partner of the GCSCC in deploying the CMM and facilitating nations in the assessment of the maturity of their cyber security capacity

Our process

  • Invitation: A government invites NRD Cyber Security to conduct a CMM review.
  • Desk research: The review team carries out desktop research to get an initial understanding of the cyber security context in the country.
  • In-country stakeholder consultations: Relevant stakeholders and cyber security experts are invited for consultations and focus group discussions, generating information for assessment.
  • Analysis and reporting: The review team analyses the information gathered through a process of structured field coding and drafts an evidence-based report that benchmarks the maturity of a country’s cyber security capacity, identifies possible exposure to risks, and identifies priorities for investment and future capacity building.
  • Report reviewed by the Technical Board: The draft of the CMM report is reviewed by the technical board of the GCSCC, consisting of senior academics and cyber security experts. 
  • Governmental approval: The draft report is sent to the government for feedback and approval.


  • Drives increased cyber security awareness and capacity building and contributes to greater collaboration within government
  • Helps define roles and responsibilities within governments
  • Enhances internal credibility of the cyber security agenda within governments
  • Involves the entire government/whole of society to collaborate by facilitating direct conversations with cyber security stakeholders from academia, civil society, business, critical infrastructures, legislators, government, defence, criminal justice, and the CSIRT community
  • Increases funding and guides investment priorities for cyber security capacity building
  • Nationally owned process, supported by a neutral external evaluation
  • Is foundational to the country’s strategy and policy development
Paulius Daukšas
Cybersecurity consultant

For more information, please contact
Tel.: +370 680 18 058

Let's get in touch