Helping organizations enhance their ability to anticipate, withstand, recover from, and adapt to adverse cyber events. Its primary goal is to provide a structured approach for assessing an organization's current cyber resilience maturity and identifying priority areas for improvement.
Want something quicker? Start with the 5 minute version to get a first read, then unlock the workbook when you are ready for the deeper offline assessment.
CR-CMM is the community-driven cyber resilience capability maturity model, guided by an Advisory Board for technical integrity and strategic input. CR-CMM is sponsored and owned by High Value Target, a boutique cyber resilience firm.
Quick scan
Run online first to see where your gaps are.
Deep dive
Use the Excel workbook for the full CR-CMM assessment.
Expert support
Bring in our experts if you need a facilitated deep dive.
Resilience fails when teams operate on different assumptions. The CR-CMM workbench forces critical conversations and creates a single source of truth.
Break down silos between security, engineering, and business continuity by assessing capabilities together using a common language.
Move beyond policy checks. The 150+ checkpoints require demonstrable evidence, exposing blind spots in actual operational maturity.
The outcome is not a static score. It is a prioritized backlog and a targeted roadmap designed to create immediate operational momentum.
Evidence Notes
Verified via Airgap config in AWS. Partial implementation noted as legacy DBs remain in transit.
CR-CMM is not a passive checklist or a compliance audit. It is designed to be used live in a room (or virtual room) with key stakeholders. The toolkit structures the conversation, ensuring you ask the right questions and capture reality accurately.
The CR-CMM workbook is structured around ten core practices that map the operational lifecycle of cyber resilience capabilities.
Asset prioritization and business impact assessment.
Threat landscape monitoring and intelligence.
Intelligence-driven security controls.
Security-by-design system architecture.
Incident response and crisis coordination.
Realistic cyber attack simulations.
Backup and recovery validation.
Security control validation.
Adversarial security validation and penetration testing.
Post-incident recovery operations.
The CR-CMM already carries strong community endorsement from leaders shaping cyber resilience practice.
Community endorsement
“The Cyber Resilience Capability Maturity Model (CR-CMM) is a framework that enables organizations to evaluate their cybersecurity posture and determine areas for improvement. It offers a structured method for strengthening resilience and ensuring security practices remain aligned with changing threats and business requirements.”
Jimmy Sanders
President, ISSA International
Information Systems Security Association - ISSA InternationalCommunity endorsement
“In the modern world of complex cyber-physical systems, the focus has shifted from stove piped cybersecurity activities to building and deploying systems that are resilient. System resilience requires a multidimensional protection strategy that includes penetration resistant architectures, damage limiting operations, and cyber resiliency. The Cyber Resilience Capability Maturity Model (CR-CMM) is a framework that helps organizations understand their cyber resiliency posture and take specific actions to make meaningful improvements that support mission and business objectives.”
A structured progression designed to keep the room focused, objective, and moving toward actionable decisions.
Gather key stakeholders from security, IT, and risk.
Work through evidence-based checkpoints live.
Generate the current-state maturity heatmap.
Identify critical gaps and build the backlog.
Establish a realistic roadmap to Target Zero.
Walk out of the working session with tangible artifacts that leadership can understand and engineers can execute.
A visual matrix showing exactly where your capabilities sit across the 5 maturity levels.
Identified gaps translated into specific, prioritized capability improvements.
A sequenced plan to move from current state to your required target maturity.
A standardized foundation allowing you to track progress over time and demonstrate ROI.
CR-CMM is the starting point. Connect your assessment to broader organizational action.
Get a fast online baseline first so you know where resilience looks strongest and where deeper work is worth the time.
Use the workbook after the quick assessment when you want the full offline assessment, facilitation, and deeper review.
Route methodology questions, collaboration requests, or execution support to the right CR-CMM contact path.
Start with the quick online assessment to get an immediate baseline. When you are ready to go deeper, unlock the XLSX workbook for the full offline assessment.
