Technical guide · Cybersecurity
Cybersecurity Maturity
Information security readiness assessed across the 6 functions of NIST CSF 2.0 — with C2M2 and CMMC Level 2 adherence.
01 · The problem
What this assessment solves
The usual picture: antivirus, a firewall, and a password policy — maybe even a NIST SP 800-171 self-assessment submitted to SPRS. But continuous monitoring was never implemented and the incident response plan was never tested.
In the DoD supply chain, the problem isn't bad faith: it's self-assessment without rigor. Companies that consider themselves ready for CMMC Level 2 discover, in a C3PAO assessment, dozens of partially met controls.
02 · What it is
What the model is
It measures cybersecurity maturity across the 6 functions of NIST CSF 2.0 (including the new Govern function), in 95 questions, with a score by function, by theme, and an overall level.
It integrates the depth of C2M2 v2.1 and explicitly maps the 5 levels to the CMMC Levels — useful for CMMC, NIS2, ISO 27001, and LGPD.
03 · The scale
The 5 maturity levels
Each dimension — and the organization as a whole — is placed at one of these levels, always with a color, number, and name.
Level 1: No structured cybersecurity program: reactive, ad hoc practices, with no asset inventory, formal policy, or ability to detect threats. Equivalent to the pre-CMMC Level 1 stage — it wouldn't meet even the basic controls.
Level 2: Basic practices started inconsistently — access control, antivirus, some phishing awareness — with no formal documentation, systematic asset management, or response plan. In practice, equivalent to CMMC Level 1.
Level 3: Structured program, with documented policies, asset inventory, formal access controls, and a basic incident response plan. Practices are more consistent, but there are still gaps in continuous monitoring and third-party protection.
Level 4: Mature, documented, auditable program: MFA implemented, active event monitoring, regular vulnerability scans, tested response plans, and critical suppliers controlled. Equivalent to CMMC Level 2 (the 110 controls).
Level 5: Cybersecurity as a strategic, institutionalized function: metrics-driven continual improvement, integrated threat intelligence, regular response exercises, and a controlled supply chain. Equivalent to C2M2 MIL3.
04 · The structure
What the assessment evaluates
No critical area is left out. Each dimension brings together the themes evaluated by the assessment.
Govern — Governance & Program Management
Formal program, policies, leadership accountability, risk, and a security culture.
Identify — Asset & Risk Identification
Asset inventory, data classification, risk assessment, and CUI/FCI mapping.
Protect — Asset & System Protection
Identity and access with MFA, encryption, patch management, and network and perimeter protection.
Detect — Detection & Situational Awareness
Continuous monitoring, logs, scans, threat intelligence, and penetration testing.
Respond — Incident Response
IR plan and training, containment, forensics, and 72h notification to the DoD via DIBNet.
Recover — Recovery & Continual Improvement
A tested plan with RTO/RPO, ransomware continuity, and maintenance of the SSP and SPRS score.
05 · Highlights
Why apply this assessment
06 · Audience
Who it's for
07 · How to apply
From questionnaire to plan
There are 95 questions organized into 6 dimensions and 19 themes, all mandatory — answer based on your current and verifiable reality.
In minutes you receive an overall score, by dimension and by theme, the maturity level (with the CMMC equivalence), and an analysis with prioritized gaps and an initial action plan.
08 · References
Based on international standards
In practice
What the assessment reveals
A DoD Tier 2 supplier submitted an 88/110 SPRS score by self-assessment and thought it was ready for CMMC Level 2. The assessment revealed controls 'on paper', with no verifiable evidence.
We had controls in the policies, not in the evidence.