Transportation Management Center Information Technology Security
Appendix A. Sample CyberSecurity Resilience Review Self‑Assessment
Maturity Indicator Levels Defined
Maturity Indicator Levels (MIL)29 are assigned by Domain and represent a consolidated view of performance. CERT-RMM MILs describe attributes that would be indicative of mature capabilities as represented in the model’s capability levels. However, they do not fully represent capability levels as defined because a capability level can only be assigned through a formal appraisal process, not as the result of using an assessment-based instrument.
Indicates that Practices in the Domain are not being performed as measured by responses to the relevant Cyber Resilience Review (CRR) questions. If MIL0 is assigned, no further assessment of maturity indicator is performed.
Indicates that all Practices in a Domain are being performed as measured by responses to the relevant CRR questions. MIL1 means that there is sufficient and substantial support for the existence of the practices.
Indicates that all Practices in Domain are not only performed, but are supported by sufficient planning, stakeholders, and relevant standards and guidelines. A planned process/practice is:
- Established by the organization (Is the practice documented and communicable to all who need to know?).
- Planned (Is the practice performed according to a documented plan?).
- Supported by stakeholders (Are the stakeholders of the practice known and are they aware of the practice and their role in the practice?).
- Supported by relevant standards and guidelines (Have the standards and guidelines that support the practice been identified and implemented?).
Indicates that all Practices in a Domain are performed, planned, and have the basic infrastructure in place to support the process. A managed process/practice:
- Is governed by the organization (Is the practice supported by policy and is there appropriate oversight over the performance of the practice?).
- Is appropriately staffed and funded (Are the staff and funds necessary to perform the practice as intended available?).
- Is assigned to staff who are responsible and accountable for the performance of the practice (Have staff been assigned to perform the practice and are they responsible and accountable for the performance of the practice?).
- Is performed by staff who are adequately trained to perform the practice (Are the staff who perform the practice adequately skilled and trained to perform the practice?).
- Produces work products that are expected from performance of the practice and are placed under appropriate levels of configuration control (Does the practice produce artifacts and work products that are expected from performing the practice, and if so, are the configurations of these artifacts/work products managed?).
- Is managed for risk (Are risks related to the performance of the practice identified, analyzed, disposed of, monitored, and controlled?).
Indicates that all Practices in a Domain are performed, planned, managed, monitored, and controlled. A measured process/practice is:
- Periodically evaluated for effectiveness (Is the practice periodically reviewed to ensure that it is effective and producing intended results?).
- Monitored and controlled (Are appropriate implementation and performance measures identified, applied, and analyzed?).
- Objectively evaluated against its practice description and plan (Is the practice periodically evaluated to ensure that it adheres to the practice description and the plan for the practice?).
- Periodically reviewed with higher-level management (Is higher-level management aware of any issues related to the performance of the practice?).
Indicates that all Practices in a Domain are performed, planned, managed, monitored, controlled, and consistent across all internal constituencies who have a vested interest in the performance of the practice. A defined process/practice ensures that the organization reaps the benefits of consistent performance of the practice across organizational units and that all organizational units can benefit from improvements realized in any organizational unit. At MIL5, a process/practice:
- Is defined by the organization and tailored by organizational units for their use (Is there an organization-sponsored definition of the practice from which organizational units can derive practices that fit their unique operating circumstances?).
- Is supported by improvement information that is collected by and shared among organizational units for the overall benefit of the organization (Are practice improvements documented and shared across internal constituencies so that the whole organization reaps benefits from these improvements?).