Security Maturity Levels
The Program Review for Information Security Assistance (PRISMA) project was last updated in 2007; NIST Interagency Report (IR) 7358 and the corresponding PRISMA tool continue to serve as useful resources for high-level guidance and as a general framework, but may not be fully consistent with changes to requirements, standards and guidelines for securing systems. The PRISMA project is being incorporated into the NIST Cybersecurity Risk Analytics and Measurement project, and research to support updates will begin in FY24. For questions or comments regarding the NIST Cybersecurity Risk Analytics and Measurement project, please contact cyberriskanalytics@nist.gov.
The PRISMA review is based upon five levels of maturity: policy, procedures, implementation, test, and integration. A brief description of each level is provided below.
The PRISMA team assesses the maturity level for each of the review criteria. A higher maturity level can only be attained if the previous maturity level is attained. Therefore, if there is an implementation, but there isn't a policy for a specific criteria, none of the maturity levels are attained for the specific criteria.
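The cumulative rule in the paragraph above is easy to get wrong when scoring many criteria by hand, so here is a small scorer that applies it. This is an added example, not code from the NIST PRISMA tool; the level names follow the five levels described on this page, while the criteria names and the per-level assessment values are constructed for illustration.

```python
"""Added example (not part of the NIST PRISMA page or tool): apply the
cumulative maturity rule to per-criterion review results."""

# The five PRISMA maturity levels, in order; level N is index N-1.
LEVELS = ("policy", "procedures", "implementation", "test", "integration")


def attained_level(satisfied: dict[str, bool]) -> int:
    """Return the maturity level (0-5) attained by one review criterion.

    Only an unbroken run of satisfied levels starting at level 1 counts:
    a criterion with an implementation but no policy scores 0, exactly as
    the review text describes.
    """
    level = 0
    for name in LEVELS:
        if not satisfied.get(name, False):
            break
        level += 1
    return level


def uncredited_levels(satisfied: dict[str, bool]) -> list[str]:
    """Levels marked satisfied that sit above the first unmet level.

    These earn no credit until the lower levels are in place, which makes
    them the quickest finding to report back to the criterion owner.
    """
    level = attained_level(satisfied)
    return [name for name in LEVELS[level + 1:] if satisfied.get(name, False)]


def review(assessments: dict[str, dict[str, bool]]) -> dict[str, int]:
    """Score every criterion in an assessment set."""
    return {criterion: attained_level(s) for criterion, s in assessments.items()}


# Constructed sample assessment: three hypothetical review criteria.
SAMPLE = {
    "Access control": {
        "policy": True, "procedures": True, "implementation": True,
        "test": False, "integration": False,
    },
    # Controls exist and are tested, but no policy was ever written.
    "Incident response": {
        "policy": False, "procedures": False, "implementation": True,
        "test": True, "integration": False,
    },
    "Contingency planning": {name: True for name in LEVELS},
}

if __name__ == "__main__":
    for criterion, level in review(SAMPLE).items():
        extra = uncredited_levels(SAMPLE[criterion])
        note = f" (uncredited: {', '.join(extra)})" if extra else ""
        print(f"{criterion}: level {level}{note}")
```

Running the script prints level 3 for the first criterion, level 0 for the second (with implementation and test flagged as uncredited) and level 5 for the third. The split between `attained_level` and `uncredited_levels` is deliberate: the score alone hides the fact that the second criterion has real controls in place, and the reviewer's recommendation for it is to document the policy rather than to build anything new.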
IT Security Maturity Level 1: Policies
- Formal, up-to-date documented policies stated as "shall" or "will" statements exist and are readily available to employees.
- Policies establish a continuing cycle of assessing risk and implementation and use monitoring for program effectiveness.
- Policies are written to cover all major facilities and operations agency-wide or for a specific asset.
- Policies are approved by key affected parties.
- Policies delineate the IT security management structure, clearly assign IT security responsibilities, and lay the foundation necessary to reliably measure progress and compliance.
- Policies identify specific penalties and disciplinary actions to be used if the policy is not followed.
IT Security Maturity Level 2: Procedures
- Formal, up-to-date, documented procedures are provided to implement the security controls identified by the defined policies.
- Procedures clarify where the procedure is to be performed, how the procedure is to be performed, when the procedure is to be performed, who is to perform the procedure, and on what the procedure is to be performed.
- Procedures clearly define IT security responsibilities and expected behaviors for
  - asset owners and users,
  - information resources management and data processing personnel, management, and
  - IT security administrators.
- Procedures identify the appropriate individuals to be contacted for further information, guidance, and compliance.
- Procedures document the implementation of the control and the rigor with which it is applied.
IT Security Maturity Level 3: Implementation
- Procedures are communicated to individuals who are required to follow them.
- IT security procedures and controls are implemented in a consistent manner everywhere that the procedure applies and are reinforced through training.
- Ad hoc approaches that tend to be applied on an individual or case-by-case basis are discouraged.
- Policies are approved by key affected parties.
- Initial testing is performed to ensure controls are operating as intended.
IT Security Maturity Level 4: Test
- Tests are routinely conducted to evaluate the adequacy and effectiveness of all implementations.
- Tests ensure that all policies, procedures, and controls are acting as intended and that they ensure the appropriate IT security level.
- Effective corrective actions are taken to address identified weaknesses, including those identified as a result of potential or actual IT security incidents or through IT security alerts issued by FedCIRC, vendors, and other trusted sources.
- Self-assessments, a type of test that can be performed by agency staff, by contractors, or by others engaged by agency management, are routinely conducted to evaluate the adequacy and effectiveness of all implementations.
- Independent audits, such as those arranged by the General Accounting Office (GAO) or an agency Inspector General (IG), are an important check on agency performance, but are not viewed as a substitute for evaluations initiated by agency management.
- Information gleaned from records of potential and actual IT security incidents and from security alerts, such as those issued by software vendors, is considered as test results. Such information can identify specific vulnerabilities and provide insights into the latest threats and resulting risk.
- Evaluation requirements, including requirements regarding the type and frequency of testing, are documented, approved, and effectively implemented.
- The frequency and rigor with which individual controls are tested depend on the risks that will be posed if the controls are not operating effectively.
IT Security Maturity Level 5: Integration
- Effective implementation of IT security controls is second nature.
- Policies, procedures, implementations, and tests are continually reviewed and improvements are made.
- A comprehensive IT security program is an integral part of the culture.
- Decision-making is based on cost, risk, and mission impact.
- The consideration of IT security is pervasive in the culture.
- There is an active enterprise-wide IT security program that achieves cost-effective IT security.
- IT security is an integrated practice.
- Security vulnerabilities are understood and managed.
- Threats are continually reevaluated, and controls are adapted to the changing IT security environment.
- Additional or more cost-effective IT security alternatives are identified as the need arises.
- Costs and benefits of IT security are measured as precisely as practicable.
- Status metrics for the IT security program are established and met.