Cybersecurity

Cybersecurity Maturity

Information security readiness assessed across the 6 functions of NIST CSF 2.0 — with C2M2 and CMMC Level 2 adherence.

95 questions · 6 dimensions · 5 levels · Results in minutes

The problem it solves

Antivirus, a firewall, and a password policy are in place, maybe even a NIST SP 800-171 self-assessment submitted to SPRS. But continuous monitoring was never implemented, and the incident response plan was never tested.

In the DoD supply chain, the problem isn't bad faith: it's self-assessment without rigor. Companies that consider themselves ready for CMMC Level 2 discover, in a C3PAO assessment, dozens of partially met controls.

What it assesses

What the assessment evaluates

Each dimension is assessed in depth — no critical area is left out.

Govern — Governance & Program Management

Formal program, policies, leadership accountability, risk, and a security culture.

Identify — Asset & Risk Identification

Asset inventory, data classification, risk assessment, and CUI/FCI mapping.

Protect — Asset & System Protection

Identity and access with MFA, encryption, patch management, and network and perimeter protection.

Detect — Detection & Situational Awareness

Continuous monitoring, logs, scans, threat intelligence, and penetration testing.

Respond — Incident Response

IR plan and training, containment, forensics, and 72h notification to the DoD via DIBNet.

Recover — Recovery & Continual Improvement

A tested plan with RTO/RPO, ransomware continuity, and maintenance of the SSP and SPRS score.

The scale

The 5 maturity levels

Each dimension and the organization as a whole are placed at a clear level — color, number, and name.

1
Exposed

No structured program: reactive practices, with no asset inventory, formal policy, or detection capability (pre-CMMC L1).

2
Initial

Basic practices applied inconsistently, such as access control, antivirus, and phishing awareness, with no formal documentation or response plan (CMMC L1).

3
Managed

Structured program: policies, inventory, and access controls, with gaps in continuous monitoring and third parties.

4
Structured

Mature, auditable program: MFA, active monitoring, scans, and tested incident response — equivalent to CMMC Level 2.

5
Optimized

Cybersecurity as a strategic function: metrics-driven continual improvement, threat intelligence, and a controlled supply chain (C2M2 MIL3).

Calibrated, not generic

Provenance and calibration

The analysis carries the reasoning of the reference frameworks — that’s what separates a calibrated assessment from generic advice.

NIST CSF 2.0 · C2M2 v2.1 · CMMC 2.0

Want to go deeper? Understand the methodology, dimensions, and levels in detail in the technical guide.

Understand the model in depth

Secure your founder access

Join by August 1, 2026 and get 6 months of Pro free — plus 6 more for active founders. No card.

Get founder access