
Why OT Security Maturity Scores Get Stuck — and How to Fix the Reporting

The purpose of this document is to harmonize and reconcile the existing CMMI, NIST CSF, and C2M2 maturity models so that mapping, conversion, or adoption between these cyber maturity frameworks becomes straightforward. The goal is not to invent a fourth maturity framework; it is to identify this mapping on behalf of the global community and make it publicly available. At first glance our deliverables may appear to be a new framework, but they are a harmonization of existing frameworks.


One of the most frustrating things in OT cybersecurity? Working hard for two years, making real progress — and then watching a maturity assessment come back with the same score as the year before.

It's not that the work wasn't done. It's that most maturity models weren't built to capture formative progress — the architecture, the tooling rollouts, the process definitions that happen before you can claim a higher level.

That's exactly what our Director of OT Cybersecurity, Donovan Tindill, sat down to talk about on a recent podcast episode. Donovan has spent the last 25 years assessing OT environments, and he's seen this pattern play out over and over. His answer: a publicly available methodology to reconcile the three major maturity frameworks — CMMI, NIST CSF, and C2M2 — into one consistent, defensible model.


The problem Donovan keeps running into

If you've ever tried to justify OT security investment to leadership, you've probably seen the same dynamic: cybersecurity gets treated like a project with a finish line. Fund it, deliver it, close it. But OT security is a long-term capability-building effort, especially when safety, availability, and vendor constraints shape what progress even looks like.

The bigger issue is that CMMI, NIST CSF, and C2M2 — all widely used — don't speak the same language. Three assessors using three different frameworks can look at the same environment and arrive at three different conclusions. That inconsistency makes it hard to benchmark across sites, compare year-over-year progress, or make a credible case for budget.


"I have seen companies stuck in the same maturity level for multiple years — not because they weren't making progress, but because the model didn't have a way to credit where they actually were."


What the paper actually proposes

The technical paper behind this conversation isn't a new framework — it's a reconciliation of the ones that already exist. Donovan's goal was to build a public crosswalk that allows organizations to map between CMMI, NIST CSF, and C2M2 without inventing a proprietary translation layer every time.

A few things make this approach different from what most consultants do privately:


Why the "Developing" level matters

This is probably the most practical addition for anyone running a multi-year OT security program. The new Level 1.5 — "Developing" — is designed to recognize the formative phase: planning is underway, tools are being deployed, training has started. The work is happening, even if the full bar for the next level hasn't been cleared yet.

Within this stage, Donovan suggests reporting progress the same way a project manager would — as a percentage complete, or using the S-curve from project management. If your infrastructure rollout is 40% done, your maturity in that area can be reported as 40% Developing. That's a much more honest — and defensible — picture than staying stuck at Level 1 for three years.
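The percentage-complete reporting described above, as an added example in Python that is not part of the original post or of the DeNexus paper. The workstream names, weights, milestone counts, and the convention of scoring an area in "Developing" as level x.5 are assumptions made for illustration; the paper's own scoring guidance lives in the technical paper linked at the end of this page.

```python
"""
Added example (not DeNexus or Donovan Tindill's code): score a maturity area
as its current level, "Developing" with a percent-complete figure, or the
next level once the assessor confirms the full bar is cleared.
Weights, milestone counts and sample data are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Workstream:
    """One formative activity needed to clear the next level's bar
    (a tooling rollout, a procedure being written, a training campaign)."""
    name: str
    weight: float           # assumed relative contribution to the next-level bar
    milestones_done: int
    milestones_total: int

    @property
    def fraction(self) -> float:
        """Fraction complete, clamped to [0, 1]."""
        if self.milestones_total <= 0:
            raise ValueError(f"{self.name}: milestones_total must be positive")
        done = max(0, min(self.milestones_done, self.milestones_total))
        return done / self.milestones_total


@dataclass
class MaturityArea:
    name: str
    current_level: int
    next_level_criteria_met: bool = False   # assessor's verdict on the full bar
    workstreams: list[Workstream] = field(default_factory=list)

    def percent_complete(self) -> float:
        """Weighted percent complete across workstreams (earned-value style)."""
        total_weight = sum(w.weight for w in self.workstreams)
        if total_weight <= 0:
            return 0.0
        earned = sum(w.weight * w.fraction for w in self.workstreams)
        return round(100.0 * earned / total_weight, 1)

    def report(self) -> dict:
        """Current level, Developing (x.5) with percent complete, or next level.
        Promotion is gated on the assessor's verdict, not on reaching 100%."""
        pct = self.percent_complete()
        if self.next_level_criteria_met:
            nxt = self.current_level + 1
            return {"area": self.name, "level": float(nxt),
                    "label": f"Level {nxt}", "percent_complete": 100.0}
        if pct <= 0.0:
            return {"area": self.name, "level": float(self.current_level),
                    "label": f"Level {self.current_level}", "percent_complete": 0.0}
        return {"area": self.name, "level": self.current_level + 0.5,
                "label": f"Level {self.current_level}.5 (Developing), {pct:.0f}% complete",
                "percent_complete": pct}


def year_over_year(previous: MaturityArea, current: MaturityArea) -> str:
    """One-line delta that still moves when the integer level does not."""
    p, c = previous.report(), current.report()
    delta = c["percent_complete"] - p["percent_complete"]
    return f"{current.name}: {p['label']} -> {c['label']} ({delta:+.0f} points)"


# Constructed sample data: the same site assessed in two consecutive years.
YEAR1 = MaturityArea("Asset visibility", 1, workstreams=[
    Workstream("Passive monitoring sensor rollout", 0.5, 2, 5),
    Workstream("Asset inventory procedure", 0.3, 1, 2),
    Workstream("Operator training", 0.2, 0, 4),
])
YEAR2 = MaturityArea("Asset visibility", 1, workstreams=[
    Workstream("Passive monitoring sensor rollout", 0.5, 4, 5),
    Workstream("Asset inventory procedure", 0.3, 2, 2),
    Workstream("Operator training", 0.2, 3, 4),
])

if __name__ == "__main__":
    print(YEAR1.report()["label"])
    print(year_over_year(YEAR1, YEAR2))
```

Promotion to the next integer level is gated on the assessor's verdict (`next_level_criteria_met`) rather than on the arithmetic reaching 100 percent, so a site that has finished its rollout but not yet cleared the full bar reports as Developing at 100 percent instead of claiming the level early; the percent figure is what moves in the year-over-year line.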


What's next

The podcast touches on what this framework ultimately unlocks: once you have a consistent, lower-variance maturity backbone, you can start doing more sophisticated things, such as using maturity as an input to risk modelling, benchmarking control effectiveness across industries, and connecting maturity scores to actual financial exposure.

That's the direction DeNexus is headed, and this paper lays the conceptual groundwork for it.


If the ideas above resonate, we'd encourage you to read the original blog post where Donovan goes deeper on the methodology — and download the full technical paper, which includes the complete crosswalk tables, level-by-level requirements checklists, and scoring guidance.

- Watch the podcast

- Read the harmonized maturity blog


Download the reconciled and harmonized maturity technical paper