For the best experience with CNAMM, please visit our interactive website where you can explore the framework, take a quick assessment, and access all resources in a user-friendly interface.
Our mission is to provide organizations with an effective and measurable way to evaluate and enhance their Cloud Native security posture. We aim to enable organizations to confidently design, deploy, and operate secure Cloud Native systems through a self-assessment model that drives continuous improvement.
The Cloud Native Assurance Maturity Model (CNAMM) is a framework designed to help organizations measure and improve their Cloud Native security and assurance capabilities. This toolkit provides a structured approach to assess your organization's current maturity level and identify areas for improvement.
- Interactive Website: Explore the framework, take the quick assessment, and access all resources
- Quick Assessment: Get an immediate overview of your Cloud Native security maturity in minutes
- Sample Assessment: View a completed assessment with scorecard visualization
- Full Toolkit: Download the comprehensive assessment toolkit
CNAMM evaluates eight critical business functions, each containing three Practice Areas with two assessment Streams:
- Strategy and Risk Governance
- Supply Chain and Vendor Security
- Infrastructure and Platform Security
- Application and Data Protection
- Identity and Access Governance
- Runtime Security Operations
- Threat Detection and Response
- Resilience and Service Assurance
- Stream A (Core): Essential capabilities and security controls
- Stream B (Advanced): Advanced capabilities and innovative practices
- 1.0: Foundation - Basic security controls and initial processes
- 1.1-2.0: Standardized - Consistent security practices and documentation
- 2.1-3.0: Optimized - Efficient processes and automation
- 3.1-3.5: Leading - Advanced capabilities and proactive security
- 3.6-4.0: Transformative - Innovative practices and industry leadership
Your organization's context affects your target security maturity level through a profile multiplier (0.9-1.2x) based on:
- Industry Requirements
- Regulatory Obligations
- Organizational Scale
- Cloud Native Maturity
- Overall Maturity Score and Level
- Assessment Completion Status
- Business Function Scoring Summary
- Comprehensive Visualizations
This repository contains essential tools and documentation for implementing CNAMM:
- CNAMM Assessment Toolkit v1.1.xlsx: Interactive assessment tool with comprehensive scoring system
- CNAMM-Framework-Documentation-v1.1.pdf: Detailed guide covering framework fundamentals and implementation
- Sample Assessment.xlsx: Example of a completed assessment with visualizations
-
Visit our interactive website for the most user-friendly experience
-
Download the Assessment Toolkit
- Open the CNAMM Assessment Toolkit
- Navigate to the Intro tab
-
Complete Organization Profile
- Define your context
- Understand your target maturity
-
Conduct Assessment
- Evaluate each business function
- Document evidence
- Review scores and insights
-
Plan Improvements
- Identify gaps
- Prioritize enhancements
- Track progress
We welcome community contributions to improve CNAMM:
- Share your results through our Industry Benchmark Survey
- Submit improvements via pull requests
- Provide feedback and suggestions
- Check our contribution guidelines
For questions or support:
- Email: info@devsecflow.com
- Submit issues through GitHub
- Join community discussions
- Abdel Sy Fane - CTO of DevSecFlow and Co-Founder and Executive Director of CyberSecurity NonProfit (CSNP)
- Francis Ofungwu - CEO of DevSecFlow
This work is licensed under the Creative Commons Attribution-Share Alike 4.0 License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/4.0/legalcode
© 2025 DevSecFlow Community. All Rights Reserved.