CNAMM Framework

Cloud Native Assurance Maturity Model - a comprehensive framework for measuring
and improving cloud native security posture across your organization.

Cloud Native Assurance Maturity
Model (CNAMM)

A comprehensive framework designed to help organizations measure and improve their Cloud Native security posture through structured evaluation of critical business functions and security controls.

CNAMM Maturity Scoring System

Organizations progress through four maturity levels, from Foundation (1.0) to Transformative (5.0)

Foundation: 1.0 Standardized: 2.0 Optimized: 3.0 Leading: 4.0 Transformative: 5.0

Key Business Functions Evaluated

Strategy and Risk Governance
Identity and Access Governance
Supply Chain and Vendor Security
Runtime Security Operations
Infrastructure and Platform Security
Threat Detection and Response
Application and Data Protection
Resilience and Service Assurance

Explore CNAMM resources

Comprehensive Visualization of Security Maturity

CNAMM provides weighted scores based on your organization's context, giving you a clear picture of where you stand and what steps to take next for improved cloud native security.

Visit CNAMM.org

CNAMM Maturity Levels

The four stages of cloud native security maturity

1.0

Foundation

Basic security controls established with initial processes documented and limited automation implemented

Manual security processes
Reactive security posture
Limited visibility into cloud assets
Basic access controls

2.0

Standardized

Consistent security controls across environments with documented procedures and basic automation

Documented security policies
Security integrated into some processes
Periodic security assessments
Basic automated controls

3.0

Optimized

Comprehensive controls with integration, efficient processes and advanced automation capabilities

Security as code practices
Ongoing compliance monitoring
Comprehensive threat detection
Automated remediation

4.0

Leading

Industry-leading practices implemented with highly automated processes and innovative security measures

Proactive threat hunting
AI-driven security analysis
Real-time risk modeling
Automated compliance assurance

5.0

Transformative

Security drives business transformation with full automation, integration and continuous innovation

Setting industry standards
Continuous innovation
Predictive compliance
Security as business enabler

1.0

Foundation

Basic security controls established with initial processes documented and limited automation implemented

Manual security processes
Reactive security posture
Limited visibility into cloud assets
Basic access controls

2.0

Standardized

Consistent security controls across environments with documented procedures and basic automation

Documented security policies
Security integrated into some processes
Periodic security assessments
Basic automated controls

3.0

Optimized

Comprehensive controls with integration, efficient processes and advanced automation capabilities

Security as code practices
Ongoing compliance monitoring
Comprehensive threat detection
Automated remediation

4.0

Leading

Industry-leading practices implemented with highly automated processes and innovative security measures

Proactive threat hunting
AI-driven security analysis
Real-time risk modeling
Automated compliance assurance

5.0

Transformative

Security drives business transformation with full automation, integration and continuous innovation

Setting industry standards
Continuous innovation
Predictive compliance
Security as business enabler

1.0

Foundation

Basic security controls established with initial processes documented and limited automation implemented

Manual security processes
Reactive security posture
Limited visibility into cloud assets
Basic access controls

2.0

Standardized

Consistent security controls across environments with documented procedures and basic automation

Documented security policies
Security integrated into some processes
Periodic security assessments
Basic automated controls

3.0

Optimized

Comprehensive controls with integration, efficient processes and advanced automation capabilities

Security as code practices
Ongoing compliance monitoring
Comprehensive threat detection
Automated remediation

4.0

Leading

Industry-leading practices implemented with highly automated processes and innovative security measures

Proactive threat hunting
AI-driven security analysis
Real-time risk modeling
Automated compliance assurance

5.0

Transformative

Security drives business transformation with full automation, integration and continuous innovation

Setting industry standards
Continuous innovation
Predictive compliance
Security as business enabler

Key Business Functions

CyberScore was created to democratize security assessments for organizations
of all sizes

Strategy and Risk Governance

How security strategy aligns with business objectives and manages risk

Supply Chain and Vendor Security

Security practices for managing third-party dependencies and services

Infrastructure and Platform Security

Protection measures for cloud infrastructure, containers, and platforms

Application and Data Protection

Security controls for applications and sensitive data throughout the lifecycle

Identity and Access Governance

Management of identities, authentication, and authorization

Runtime Security Operations

Security monitoring and protection in production environments

Strategy and Risk Governance

How security strategy aligns with business objectives and manages risk

Supply Chain and Vendor Security

Security practices for managing third-party dependencies and services

Infrastructure and Platform Security

Protection measures for cloud infrastructure, containers, and platforms

Application and Data Protection

Security controls for applications and sensitive data throughout the lifecycle

Identity and Access Governance

Management of identities, authentication, and authorization

Runtime Security Operations

Security monitoring and protection in production environments

Strategy and Risk Governance

How security strategy aligns with business objectives and manages risk

Supply Chain and Vendor Security

Security practices for managing third-party dependencies and services

Infrastructure and Platform Security

Protection measures for cloud infrastructure, containers, and platforms

Application and Data Protection

Security controls for applications and sensitive data throughout the lifecycle

Identity and Access Governance

Management of identities, authentication, and authorization

Runtime Security Operations

Security monitoring and protection in production environments

Ways to Support Our Mission

Choose the support option that best aligns with your interests and capabilities

Financial Support

Donate to fund our mission of providing free cybersecurity education to everyone.

One-time Donation
Corporate Giving

Learn more

Corporate Partnerships

Partner with us to boost your ESR efforts and support cybersecurity education.

Sponsorship Opportunities
Strategic Partnerships

Learn more

In-Kind Support

Contribute tools, software, or services to support our educational programs.

Software Donations
Service Donations

Learn more

Learn about our mission

CNAMM Framework

Cloud Native Assurance Maturity Model (CNAMM)

CNAMM Maturity Scoring System

Key Business Functions Evaluated

Comprehensive Visualization of Security Maturity

CNAMM Maturity Levels

Foundation

Standardized

Optimized

Leading

Transformative

Foundation

Standardized

Optimized

Leading

Transformative

Foundation

Standardized

Optimized

Leading

Transformative

Key Business Functions

Strategy and Risk Governance

Supply Chain and Vendor Security

Infrastructure and Platform Security

Application and Data Protection

Identity and Access Governance

Runtime Security Operations

Strategy and Risk Governance

Supply Chain and Vendor Security

Infrastructure and Platform Security

Application and Data Protection

Identity and Access Governance

Runtime Security Operations

Strategy and Risk Governance

Supply Chain and Vendor Security

Infrastructure and Platform Security

Application and Data Protection

Identity and Access Governance

Runtime Security Operations

Ways to Support Our Mission

Financial Support

Corporate Partnerships

In-Kind Support

Cloud Native Assurance Maturity
Model (CNAMM)