The Community Cyber Security Maturity Model

CCSMM Cube

The consortium is organized around the Community Cyber Security Maturity Model (CCSMM). This model is based on over a decade of experience with states and communities trying to develop viable and sustainable cyber security programs. It addresses three main requirements:

A “yardstick” to allow a state or community to measure their current level of cyber security maturity. They can determine where they are in the model.

A “roadmap” so a state or community can know what they need to do in order to advance the state of their cyber preparedness. There are clear steps for them to improve their security posture.

A common point of reference so individuals from different states and communities can discuss their programs and the issues they face from a common perspective.


The model identifies the characteristics of communities and states as they mature their cyber security programs. It uses four dimensions as focus areas, such as cyber security awareness, information sharing within and between organizations, and incorporating cyber security into policies and community plans.

The model takes into consideration that states are made up of communities and communities are composed of organizations, and it recognizes the very different needs of each.

There are five levels in the CCSMM, and organizations, communities and states progress through each of the five levels in order. The transition from one level to another is referred to as a phase, and thus there are four phases in the model. The NCPC's courses have been developed around these phases and are listed in our Training Catalog.

CCSMM linear progression diagram with phases.

Level 1 - Initial

Organizations, communities and states at this level have little to no cyber security awareness, analysis or assessments. There is little inclusion of cyber threats and issues in their continuity of operations plans.

Level 2 - Established

The leadership of organizations, communities and states at this level is aware of cyber threats, issues and the imperative to embrace cyber security. They also recognize the need for cooperative cyber security training and education. Information sharing throughout the organization, state or community at this level is informal, although there may be participation in professional information sharing organizations such as InfraGard.

Level 3 - Self-Assessed

At this level, leaders within organizations, communities and states actively promote cyber security awareness and cooperate with others in establishing training and education programs. Cyber security is included in continuity of operations plans, and those plans are tested and assessed through exercises.

Level 4 - Integrated

When cyber security is integrated, it is incorporated into every process that an organization, community or state has. It is no longer an afterthought but part of the planning process. At this level, information sharing is formalized and there is fusion of cyber information.

Level 5 - Vanguard

For organizations, communities and states at this level, cyber security is a business imperative. It has been so thoroughly integrated into processes that it is no longer considered a separate discipline. Entities at this level are capable of teaching and mentoring others.