CMMI Security v3.0

In the context of security, two essential practice areas are “Enabling Security” and “Managing Security Threats and Vulnerabilities.”


Enabling security involves the development and maintenance of a comprehensive security approach that anticipates, identifies, and addresses security issues to minimize their impact on the organization or solution. The value of enabling security lies in reducing the effects of security threats and vulnerabilities on business performance. Security needs and constraints are not time-bound; they require continuous attention and consideration, 24/7, 365 days a year. This includes systematically identifying, assessing, and addressing security needs across various aspects, such as physical security, mission security, personnel security, process security, and cybersecurity.

The “CIA triad” forms the basis of enabling security, covering the following areas:

  • Confidentiality: Protecting sensitive information from unauthorized access and defining access levels for data.
  • Integrity: Ensuring data is kept updated and preventing unauthorized modifications.
  • Availability: Ensuring that authorized users can access the required data when needed.

Numerous elements contribute to organizational security, ranging from access control and authentication to incident response and vulnerability management. To enhance security, a defense-in-depth approach is applied, involving multiple layers of security measures that create redundancies to protect against various attack vectors.


Managing security threats and vulnerabilities involves identifying potential risks that could compromise the organization or solution, analyzing their impacts, and taking actions to address and mitigate them. This practice area adds value by increasing an organization’s capability and resilience to identify, mitigate, and recover from threats and vulnerabilities. The process of managing security threats and vulnerabilities is continuous and ongoing, necessitating a holistic and systematic approach to prioritize critical risks based on their potential impact on the business or solution.

Developing a continuous threat and vulnerability strategy enables the organization to anticipate and mitigate security risks systematically throughout the project or solution’s lifecycle. The approach includes creating security risk and opportunity management plans, identifying sources of risks and vulnerabilities, analyzing risks, and implementing security actions to handle them effectively.

Periodic security risk assessments are conducted to identify and address mitigation requirements that may impact the solution’s development, deployment, operation, or decommissioning. Early identification and removal of security weaknesses and vulnerabilities prevent incidents and external reporting of security flaws, ensuring customer trust and minimizing the effort required for handling incidents and vulnerabilities.

Both enabling security and managing security threats and vulnerabilities are integral to maintaining a secure and resilient organizational environment, safeguarding critical assets, and upholding the organization’s reputation and trustworthiness.