As part of a Cybersecurity Strategy, a high level plan, an instance of which is documented on Wikipedia
The collection of capability data and measurement is achieved using a strategy with a 5 layout plan.
A 'layout' being defined as the way in which the parts of something are arranged or laid out.[1].
The 5 Layout plan is measured using a standard CMM Capability Maturity Model for Cybersecurity.
The acronym CS5L CMM is for the Cybersecurity 5 Layout Capability Maturity Model.


Evolution to be inclusive

In the Information Technology industry IT, the evolution of the Capability Maturity Model CMM began with the Capability modeling for software development. There was a security component limited to security elements included in the development of software applications. Capability Maturity Model.
With the advent of many cybersecurity solutions providers, including those that developed cybersecurity solutions into their products, like CISCO, and others that were solely cybersecurity solutions providers, the model became outdated as it failed to include these elements. In the energy industry a cybersecurity capability maturity model developed, named C2M2. It has been progressive in addressing measurement specific to SCADA compliance, but did not include all elements or areas of cybersecurity.

A strategic approach

In collaboration with many companies, associations and government, a strategic approach, to include the elements or areas in 5 layouts. The layouts included Training. The 5 layout strategy was adopted, and became part of many initiatives, in organizing cybersecurity measurement in state government and private industry. The approach is to have a strategic defense, hence a cybersecurity strategy. This is much like a military defense strategy, where assets (Air force, Tanks, Infantry are used strategically to develop a tactical plan) Cybersecurity Strategy.
  • Simplifies the analytic phase of the resulting data collected, and the data acquisition process in the CMM, having the strategy is broken out into 5 areas or Layouts.
  • Allows easier identification of responsible parties in an organization, areas that cybersecurity solutions providers are focused, and an simplified view for management.
  • Inherently provides a clear understanding that a cybersecurity strategy is an executive responsibility reaching across the organization, (including training) encompassing computer systems, hardware, software, people, policies and procedures.
  • Helps negate, "ask my IT guy about compliance", and the "white horse cybersecurity solution".


This modeling evolved to address the layouts and encompass all vendors providing cybersecurity solutions, and thereby provide a model that is useful at an executive level, to measure and manage not only its enterprise but those it does business with, and allows access to its systems.

Hence we arrive at a Cybersecurity Strategy 5 Layout Capability Maturity Model. CS5L CMM.

Cybersecurity Strategy

The Cyber Security Strategy is a framework to determine gaps and to measure using 5 Layout approach (CS5L), which results in standard measurement from which a tactical plan can be developed. In military terms the strategy is how we plan our defenses. The tactical plan is how we implement and perform it.

In practice, companies have various vendors that provide security, most of which participate in providing data, have system interfaces and are able to supply iterative answers to their layout of defense, sometimes spanning more than one areas or layouts.
The five layouts cover the general areas known at this time, and the strategy model formalizes measurement of each, and facilitates a road map to improve by using capability maturity modeling. (CMM)
This is a way to identify security risks, address them, and have a plan to improve going forward, whilst maintaining a record of such.
We show how the CS5L CMM measurement fits into a complete 'mature' defense approach.
A ‘mature’ cyber security defense includes a cycle of before and after processes to the data gathering CS5L and measurement CMM, namely, before, a situation awareness study (largely a self study), and after, vulnerability and compliance mapping and risk management. The CS5L CMM framework is developing quickly into a measurement standard, this is the groundwork of the complete cycle.
The 5 Layouts:
* help organize an all encompassing approach
* lends to separating the data into manageable segments for measurement.
In the analysis phase, this allows drill down of the measurement results, which results in identifying security risks, addressing them, and devising a plan to manage and improve improve going forward.
CS5L The Cybersecurity Strategy 5 layout are the strategic asset areas, devices, people, policies and procedures, in the strategy model.
CMM Using a Capability Maturity Model, which formalizes and standardizes measurement of each layout, and facilitates a road map to improve capability.

The CS5L CMM is used in the two processes, to collect data and to measure.
See the two steps in the Cybersecurity Strategy:

  1. Data gathering (a checklist of questions and answers and data inputs on a user and devise level) - CS5L,
  2. Measurement using a Capability Maturity Model - CMM,

Cybersecurity 5 layout

File:CS5L CMM Diagram.png

Five Layouts The 5 layout Cyber Security defense strategy, CS5L is a developed standard for measuring people, procedures and systems at an enterprise. When engaged at a client site, System Soft deploys trained Cyber Security, system and analytical experts to support this five layout approach to Cyber security. The process begins with a ‘situational awareness study’ which is primarily done together with the client. The process is performed in two stages, gathering data and measurement. Both are performed using the 5 layouts:

1. AppSec (Software systems)

AppSec (Application Security) are applications developed by the client that interact with services hosted by the client, and applications that are installed on any part of their network, either hosted, on an end client or server. This includes, Wireless, DMZ servers, Telephony, Border routing, Remote Administration, Web Security Gateway, Remote Access VPN, etc. Access policies, authentication and methods to systems and data.

2. Network (Communication)

Vendors providing VPN Virtual Private Network hardware, networking equipment, Firewall and software. E.g.: CISCO. This is part of a defense layout to every endpoint and BYOD Bring your own devise. Includes data gathering on, network encryption and all devices, and user access. Analysis on the design and configuration of these networks and firewalls, with a focus on vulnerabilities.

3. Security Awareness (People capability and procedures)

Often measured by the level of training. A part of which is sometimes called Employee cyber Security Awareness Training (ESAT). Measure access to ESAT for all employees, and agents or B2B companies that have tier 1. The ESAT program should work through an online Web app which under the control of the IT department and collaboration of HR, performs a cyber-security attack on employees known a Phishing and measures performance. Then it runs a training programs driven via email and performed on the Web which allows users to proceed at their pace allowing stopping and restarting. Once complete the ‘dummy’ attack is performed again and measured. Security awareness would also include developer training for application developers, administration policy, managing privacy, and risk assessment.

4. Internal Defense (In-house scanning, policies and controls)

AV Anti-Virus, Data Encryption, Disaster recovery, Backup and recovery, Installation and version control, USB usage, Managing alerts, and incident mitigation.

5. Forensics (CSI and real time monitoring)

Analyze and measure the configuration of, and monitoring of all system access. Design and deliver custom action plans for responsive action to denial of service attacks and access breach attempts. E.g.: Sourcefire now a CISCO product.


File:CyberSecurity Strategy CS5L Capability Maturity Model CMM Steps.png
The levels are each measured using the Capability Maturity Model (CMM) for all 5 layouts.
GRADE A. Self optimizing
At the optimizing level, processes are constantly being improved through monitoring feedback from current processes and introducing innovative processes to better serve the :::organization's particular needs. At the self optimizing level, the organization has the processes in place to in addition to be managed, replicate and educate the process to have an ongoing maturing capability as the organization changes, people come and go, and the processes change.
GRADE B. Managed
At the managed level, an organization monitors and controls its own processes through data collection and analysis.
GRADE C. Defined and Measured
At the defined and measured level, an organization has developed its own standard process through greater attention to documentation, standardization, and integration.
GRADE D. Repeatable
At the repeatable level, basic project management techniques are established, and successes could be repeated, because the requisite processes would have been made established, defined, and documented.
GRADE E. Initial
At the initial level, processes are disorganized, even chaotic. Success is likely to depend on individual efforts, and is not considered to be repeatable, because processes would not be sufficiently defined and documented to allow them to be replicated.

Data Collection

Using the Cyber Security Strategy CS5L CMM system, two steps are performed to collect data for each layout.

1. a survey of questions directed to the responsible person in the organization is performed, and
2. where applicable data is drawn in and applied dynamically to the CMM.

Capability for each question is rated on each CMM level;

    1. 'As is' (where you are now) and
    2. 'To be' (where you need to be) .

the choice of levels, where you are at today and where you need to be establishes the 'gaps' which enables us to identify and focus on maturing your capability. Hence we call this Capability Maturity Modeling.

An example of how a question is presented;

In step 2., where data is drawn in dynamically, (an example would be each users training courses completed), the data is applied to the CMM by the system, using some preset rules, like if the user has completed these sets of courses the user will be mapped to the CMM level say, manged.

Dynamic links are setup in co-operation with each cybersecurity vendor. Questions are created in co-operation with each cybersecurity vendor.

Questions are assigned to a responsible person in the organization to provide answers, all communicated using emails.

CS5L CMM system

The CS5L CMM system is a open web SAAS system which delivers measurement data to a MS SQL Database which is then available free to report on the measured data.

There are two parts, Data collection CS5L, and measurement CMM.

Data is collected on Policies, procedures, devices, users, each employees training maturity, in each area or layout by questions and answers and input feeds from various vendors. (sometimes crosses two or more layouts).

As part of the CS5L Data is collected in these main ways,

1. In a survey method, using emails, questions and CMM Answers (CMM levels are selected) to the responsible person for a layout or part thereof,

Questions that will be added to the database of questions that are specific for a vendor, are surveyed and added in to the system. These are then in turn send out to the responsible person for the management of that security vendors product.

2. Data inputs are configured specifically for the security vendor, and inserted into the database, for later dynamic CMM level assignment, that is specifically configurable.

As part of the CMM, data is applied and analysed.

The CMM records data through it's maturity and assists in drill downs to easily identify deficits, and retains and reports the CMM data.


Related Publications

  • Energy Sector Cybersecurity Framework Implementation Guidance (January 2015)

Significant coverage

  • AIF Associated Industries of Florida, Building an initiative to bring capability measurement to Florida State
  • RSA Conference 2015, Where the world talks security - the US, the EMEA region and the Asia-Pacific region - See more at:

Reliable sources

In collaboration with academic institutions like Florida State University FSU, and independent corporations, a federal and state governments, there is a growing need to have a standard in measurement of cyber security capability and maturity. Not only to measure organizations themselves, but who they do business with, and allow tier 1 access to their systems, thus exposing their defense to malware insertions and such like. Retail giants with thousands of agents/suppliers are the most exposed.

Independent sources

The framework, CS5L CMM is open source, as a SAAS solution, and is made available without cost to enhance the measurement and thereby cybersecurity, including the human element like training. There are many security vendors that deliver solutions in any and combinations of the layers. They voluntary contribute to the measurement techniques.


  • The intent of the Cybersecurity Strategy Capability Maturity Model framework is to adopt a measurement standard of an all inclusive cybersecurity defense which includes gathering performance data via question and data links to security vendors for the measurement of PEOPLE (Training), PROCEDURES, HARDWARE, SOFTWARE, DATA and ACCESS.
  • According to Gartner; CISOs Must Own the Following Six Security Processes and Ensure That They Are Defined and Executed Reliably

Security Governance, Policy Management, Awareness and Education, Identity and Access Management, Vulnerability Management, Incident Response

  • CISOs Must Ensure That the Following Four Processes Are Defined and Executed Reliably, Regardless of Ownership

Change Management, Business Continuity Management, and Disaster Recovery Management, Project Life Cycle Management Vendor Management

  • These processes are accounted for in the cybersecurity strategy measurement framework.
  • The current version of the CERT® Resilience Management Model (CERT®-

Advancing the CMM by adding levels, argument by the 'Software Engineering institute', see references.

  • RMM v1.2) utilizes the maturity architecture (levels and descriptions) as provided in the
Capability Maturity Model Integration (CMMI) constellation models to ensure consistency with
CMMI. The spacing between maturity levels often causes CERT-RMM practitioners some
difficulty. To address some of these issues, the CERT Division of Carnegie Mellon University’s
Software Engineering Institute did a comprehensive review of the existing specific and generic
goals and practices in CERT-RMM to determine if a better scale could be developed to help users
of the model show incremental improvement in maturity without breaking the original intent of
the CMMI maturity levels. This technical note presents the results: the maturity indicator level
scale, or CERT-RMM MIL scale.

[Category:Computer Security]

This article uses material from the Wikipedia article Cybersecurity strategy 5 Layout Capability Maturity Model, that was deleted or is being discussed for deletion, which is released under the Creative Commons Attribution-ShareAlike 3.0 Unported License.
Author(s): StarryGrandma Search for "Cybersecurity strategy 5 Layout Capability Maturity Model" on Google
View Wikipedia's deletion log of "Cybersecurity strategy 5 Layout Capability Maturity Model"