Measuring, managing, and maturing cyber security

A comprehensive cyber security maturity model to help clients measure, manage, and mature their cyber security programs


The CyberM³® Reference Model is a logically structured body of intellectual capital that anyone—in any environment—can use to gauge completeness and maturity of their cybersecurity program, using detailed or executive-level measures. While the model can be used in many ways, its fundamental use is to understand the current state of a program, derive what risks the business face, and articulate a pragmatic roadmap for strengthening the program in a risk-based and cost-effective manner. The contents of the model enable the quick understanding of a client's cybersecurity posture.

  • Provides a holistic perspective of an organization's cybersecurity program that combines industry best practices with Booz Allen's cyber expertise, honed over decades of providing leading technology services to government and commercial clients.
  • Provides a comprehensive framework to assess a full range of cyber capabilities and drive improvements to the people, processes, and technologies that support effective cyber programs. It is continually updated to meet emerging cyber risks, such as cloud, insider threat, and mobile security.


To view all resources, please log in.


CyberM³® allows scale and flexibility to address organizations' specific concerns and can include:
  • Program-level assessment of 27 areas of functional and enabling cyber security, providing baseline maturity across people, process, and technology dimensions
  • Technical deep-dives, zeroing in on high-risk areas
  • Supplemental technical assessments (e.g., penetration testing and advanced adversary hunting)
  • Workshops to align leaders on threat, risk, and future state
  • Industry benchmarking to understand maturity relative to peers
  • Integration with key priority areas such as privacy, fraud, and enterprise risk
  • Strategic roadmaps and project planning to drive maturity gains