CR-CMM frequently asked questions.

Essential insights for leadership teams evaluating cyber resilience capabilities with the CR-CMM toolkit.

10 questions.

CR-CMM Executive FAQ

01

What strategic problem does CR-CMM solve?

Boards need proof that the organization can actually survive cyber disruption, not just pass audits and comply with rules. CR-CMM measures, concretely and with precision, an organization's real-life ability to anticipate, withstand, recover and adapt, then converts the results into an actionable, costed roadmap that executives can approve and operational teams can execute.

02

Why introduce CR-CMM when NIST CSF 2.0, ISO 27001, ISO 22301 and similar frameworks already exist?

Existing frameworks like NIST CSF describe what good looks like but leave gaps in the cyber-to-business resilience and continuity intersection. CR-CMM is not another framework. It consolidates that spectrum by leveraging world-class best practice and shows how to achieve cyber resilience: 151 evidence-based checkpoints, maturity scoring and an automated prioritization engine built on industry best practice and regulatory requirements. Leaders get turn-by-turn guidance, not just a compass.

03

What validates the model's credibility?

CR-CMM combines CMMI measurement discipline with control mappings from NIST 800-160, NIST 800-172, MITRE ATT&CK and ISO 27001. Developed by High Value Target with input from ISSA and the global Cyber Resilience Officer community, it is progressing through formal endorsements. Every question includes an evidence tag for audit transparency and risk control design traceability.

04

What does “community-driven” mean?

CR-CMM is the community-driven cyber resilience capability maturity model, guided by an Advisory Board for technical integrity and strategic input. Anyone from the community, especially from prominent cyber resilience subject-matter expert groups, can submit change requests to the CR-CMM team via email, to its Advisory Board members or via its LinkedIn page. Change requests are then periodically reviewed and triaged by the Advisory Board. CR-CMM is sponsored and owned by High Value Target, a boutique cyber resilience firm.

05

Who owns and sponsors CR-CMM?

CR-CMM is made available for community benefit under its published licensing terms. High Value Target retains ownership, sponsorship, and control of official branding, external positioning, and approved commercial use.

06

Will using CR-CMM add compliance workload?

No. Practical and material capability uplift is the goal; compliance mapping is embedded. Dashboards cross-reference major regulations (for example DORA and NIS2), eliminating duplicate data calls while still satisfying regulators.

07

What effort is required to run the assessment?

One half-day, facilitator-led workshop completes the initial self-assessment. The spreadsheet automates scoring and visualization. Reassess twice per year to track progress. Resource demand is measured in hours, not weeks.

08

What tangible value does the company receive?

Heat-mapped maturity profile that highlights weak links for immediate action. Ranked backlog with effort-and-impact scores for capital planning. Independent benchmarks as community adoption grows. Progress towards cyber resilience accountability and a clear operating model.

09

What are the licensing terms and cost model?

CR-CMM is released under Creative Commons Attribution-NonCommercial 4.0. Internal use is free. Commercial resale or derivative work requires written consent from the authors at High Value Target, protecting community benefit and intellectual property.

10

What if we have questions or need support executing the assessment?

The High Value Target team provides on-demand assistance and structured engagements for rapid or in-depth assessments. Consulting firms can also benefit from training, either to assess maturity or to build cyber resilience operating models. Contact them at contact@cr-cmm.org.

Try the 5 minute version first.

Start with the quick online assessment to get a fast read on where resilience looks strong and where to focus next. When you are ready to go deeper, unlock the XLSX workbook for the full offline assessment.