The CTI-CMM Assessment Resource

Introduction

The CTI-CMM assessment is a stand-alone spreadsheet intended for users to download and use locally. Users self-evaluate their current maturity posture across each practice in a domain using the CTI0-CTI3 scale. In this assessment approach, CTI0 represents no capability, CTI1 a partial implementation, CTI2 largely implemented, and CTI3 for fully implemented.

The CTI-CMM assessment dynamically populates as the user fills out scores across each domain. Inside of the spreadsheet, there's an introductory section, an obligatory read me with instructions, and a primary dashboard, before displaying each domain's content.

How Long Will Each Assessment Take

The CTI-CMM assessment is comprised of 230 statements across its 11 domains. Each domain aligns to a different function or stakeholder a CTI program could service, which means that not all domains are relevant for every CTI program. As a result, some programs, especially those with a larger set of customers, may spend more time than others.

However, since the assessment is an introspective self-evaluation, the CTI program should document its sources of evidence and reasoning to support the evaluation score it provides. As a result, CTI programs who plan to use CTI-CMM as a benchmark for program maturity and organizational reach will reap the benefits from having spent time enumerating supporting documentation--called "Evidence" in the assessment--and the line of reasoning for scoring.

How to Perform a Domain Assessment

The only required inputs for each CTI-CMM domain is the evaluation score per objective. However, to support CTI program management, kickstart roadmap development, and speed up future CTI-CMM assessments, we have created the following optional fields:

• The “Evidence” field is designed for users to identify supporting documentation and where it lives inside an organization.
• The “POC” field represents the person, department, or owners of the evidence.
• The "Target Score" is the goal intended between this current assessment and the next, likely in 6 months or a year.
• The "Est. Impact" field is meant to capture the value the business gains from achieving the Target Score. Is the business able to identify or prevent threats more rapidly? Will this reduce the mean time to contain incidents? Resilience of the business should factor into the score.
• The "Est. LOE" represents how much work is required to achieve the Target Score maturity level.
• The "Priority" field is calculated based on the impact and level of effort, where high impact and low level of effort is the highest priority, and low impact high effort is the least priority.
• The "Target Date" field captures when the Target Score is intended to be achieved.
• The “Notes” field is a free-form capture to annotate the reasoning behind why you made the assessment you did. Ex) Why did you rate your program at a 2 instead of a 3? What are you lacking?

The more detail you put into your assessment now, the easier it will be to establish clear action plans for improvement.

How Often Should I Perform an Assessment?

We recommend CTI programs perform an assessment at least bi-annually, often after end-of-year strategic planning and also at the mid-point in the year to benchmark progress. If a CTI program re-structures or expands its remit, we would encourage CTI programs to develop a roadmap using the criteria identified in each domain then identify growth trajectory at the 6 month milestone.

Share Your Feedback or Experience

We’d love to hear from you! Whether you have suggestions to improve the CTI-CMM framework or want to share how you’ve used it in your organization, your insights help us grow and serve the community better.

🛠️ For feedback or feature ideas, please use this form or email us at contact@cti-cmm.org with the subject line Assessment Tool Feedback. When possible, include a vision for what the change might look like in a future version.

🗣️ Want to provide a testimonial? We’re always curious to learn how CTI-CMM has made an impact. If you're open to sharing your story, send us a note with the subject line Testimonial. Please let us know if we can use your words publicly (as-is, lightly edited, or anonymized).

We may follow up for clarity or to learn more—thank you for helping us improve and inspire others!