CR-CMM helps organizations enhance their ability to anticipate, withstand, recover from, and adapt to adverse cyber events. Its primary goal is to provide a structured approach for assessing an organization's current cyber resilience maturity and identifying priority areas for improvement.
The Cyber Resilience Capability Maturity Model (CR-CMM) was developed through comprehensive research in cybersecurity maturity assessment methodologies. Our research team analyzed existing maturity models, industry best practices, and real-world implementation challenges to create a practical, evidence-based framework for cybersecurity capability assessment.
Unlike traditional compliance-focused approaches, CR-CMM emphasizes research-backed, sustainable processes that evolve with organizational needs and the changing threat landscape. The toolkit incorporates findings from our ongoing cybersecurity research and industry collaboration.
CR-CMM is structured into ten practices, each containing three focus areas. This structure helps accelerate the completion of the assessment questionnaire and supports the effective identification and prioritization of improvement opportunities.
Asset prioritization and business impact assessment
Threat landscape monitoring and intelligence
Intelligence-driven security controls
Security-by-design system architecture
Incident response and crisis coordination
Realistic cyber attack simulations
Backup and recovery validation
Security control validation
Red team and penetration testing
Post-incident recovery operations
A note from
Francesco Chiarini
Founder, High Value Target
Achieving true cyber resilience requires a structured, measurable approach and accountable leadership to continuously drive the awareness and improvement of a cyber-resilient posture. Like Zero Trust, cyber resilience is an overused term that means different things to different players - whether in industry or among regulators. This lack of clarity makes it harder to define what true cyber resilience capabilities are, and to choose the right set and scale of capabilities for an organization.
An organization's cyber resilience efforts primarily aim to implement strategies and tactics that ensure the survivability of mission-critical functions before, during, or after a coordinated, destructive cyber-attack. Such cyber resilience strategies and tactics require capabilities to address the continuously evolving risks from advanced and unpredictable adversaries.
The Cyber Resilience Capability Maturity Model (CR-CMM) helps organizations measure, benchmark, and enhance their resilience across ten key domains. The CR-CMM is a community-driven practical tool inspired by the famous SOC-CMM and aligned with NIST SP 800-160, the MITRE Cyber Resiliency Engineering Framework, and other best-in-class frameworks (such as ORF, Sheltered Harbor, CTI-CMM). While being sector- and size-agnostic, the CR-CMM aligns with industry best practices and draws from widely recognized frameworks maintained by organizations such as NIST and MITRE.
The maturity levels range from initial (where resilience practices are reactive and uncoordinated) to optimized (where resilience is proactive, integrated into all aspects of system design, and supported by continuous improvement). It's important to note that the CR-CMM is not yet another "standard" or "framework". It's a toolkit. It consolidates that spectrum by leveraging world-class best practice and shows how to achieve cyber resilience with 150+ evidence-based questions and their related maturity scoring. The model is structured around four key enabling domains that mirror those used in the SOC-CMM: Technology, Process, People, and Business, but adapted to emphasize cyber resilience Services. There are ten core Practices that are leveraged to build capabilities, which are visible in the slide below. These sit at the heart of the CR-CMM.
Essential insights for leadership teams evaluating cyber resilience capabilities
Boards need proof that the organization can actually survive cyber disruption, not just pass audits and comply with rules. CR-CMM measures an organization's real-world ability to anticipate, withstand, recover and adapt, then converts the results into an actionable, costed roadmap that executives can approve and operational teams can execute.
Existing frameworks like NIST CSF describe what good looks like but leave gaps at the intersection of cyber resilience and business resilience and continuity. CR-CMM is not another framework. It consolidates that spectrum by leveraging world-class best practice and shows how to achieve cyber resilience: 151 evidence-based checkpoints, maturity scoring and an automated prioritization engine built on industry best practice and regulatory requirements. Leaders get turn-by-turn guidance, not just a compass.
CR-CMM combines CMMI measurement discipline with control mappings from NIST 800-160, NIST 800-172, MITRE ATT&CK and ISO 27001. Developed by High Value Target with input from ISSA and the global Cyber Resilience Officer community, it is progressing through formal endorsements. Every question includes an evidence tag for audit transparency and risk control design traceability.
No. Practical and material capability uplift is the goal; compliance mapping is embedded. Dashboards cross-reference major regulations (for example DORA and NIS2), eliminating duplicate data calls while still satisfying regulators.
One half-day, facilitator-led workshop completes the initial self-assessment. The spreadsheet automates scoring and visualization. Reassess twice per year to track progress. Resource demand is measured in hours, not weeks.
• Heat-mapped maturity profile that highlights weak links for immediate action.
• Ranked backlog with effort-and-impact scores for capital planning.
• Independent benchmarks as community adoption grows.
• Progress towards cyber resilience accountability and a clear operating model.
CR-CMM is released under Creative Commons Attribution-NonCommercial 4.0. Internal use is free. Commercial resale or derivative work requires written consent from the authors at High Value Target, protecting community benefit and intellectual property.
The High Value Target team provides on-demand assistance and structured engagements for rapid or in-depth assessments. Consulting firms can also benefit from training on assessing maturity or building cyber resilience operating models. Contact them at contact@highvaluetarget.org.
Discover your organization's current maturity level and get actionable recommendations for improvement.