<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=323641658531367&amp;ev=PageView&amp;noscript=1">
SCF logo


The Security & Privacy Capability Maturity Model (SP-CMM) gives organizations an objective way to evaluate the maturity of their security and privacy program. It was designed and launched by the Secure Controls Framework, a non-profit organization dedicated to providing content that helps organizations navigate the security and compliance maze.  

The SP-CMM is built on top of an existing framework, the Systems Security Engineering Capability Maturity Model v2.0 (SSE-CMM). It adds to it by providing control-level criteria to the model. The SP-CMM is meant to solve the problem of objectivity in both establishing and evaluating cybersecurity and privacy controls.

In plain English, companies can use the SP-CMM to benchmark their security readiness relative to an objective standard framework, with detailed definitions and specific to company size. Not every company can expect to find themselves in the top 2 levels, especially smaller organizations. But the framework makes it very clear what it will take to reach a goal of a certain level over time. 

Bringing the SP-CMM to Life 


Ostendio fully endorses the SP-CMM, since it provides organizations an objective viewpoint of their controls maturity, as well as a path forwards to greater maturity targets. MyVCM shows companies where they stand relative to the criteria of the SP-CMM, and how they are changing over time.  

Is your organization in the Negligent Zone?

We hosted an exclusive conversation with the author of the SP-CMM, Tom Cornelius, on September 26th, 2019.

Watch Now


Whether you are trying to achieve compliance with a specific regulation like SOC 2, or need a better way to document and improve your risk management capabilities, you should take a look at Ostendio MyVCM.

Ostendio Logo