Development Standards

Measuring security maturity

Introduction

Measuring security maturity helps teams understand their current security posture and identify areas for improvement. Regular assessments support continuous improvement and help prioritise investment in training, tooling and secure development practices.

Guidance

Teams MUST:

  • complete a security self-assessment every quarter
  • assess their maturity against the NIST Secure Software Development Framework (SSDF), the NCSC Cyber Assessment Framework (CAF) and the Minimum Viable Secure Product (MVSP) checklist
  • record a RAG (red, amber, green) status for each relevant standard or control
  • track how each status changes over time to identify trends and inform decisions

Assessment results MAY be used to:

  • identify training needs
  • prioritise security tooling or automation
  • guide process improvements

Measurement

MSM-1: RAG status recorded for each standard
  • Green: updated quarterly
  • Amber: updated annually
  • Red: not recorded

MSM-2: Trends monitored over time
  • Green: used to inform improvements
  • Amber: tracked but not used
  • Red: not tracked
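The MSM-1 and MSM-2 indicators above can be computed automatically if teams keep their RAG statuses in a machine-readable log rather than a spreadsheet. The script below is an added example and is not code from this standards page or its maintainers: the Record format, the 92-day and 366-day windows used to read "quarterly" and "annually", the worst-status aggregation across controls, the rule that a declining or red control needs a recorded improvement action before MSM-2 counts as Green, and the sample records and control names are all assumptions made here for illustration.

```python
"""Compute the MSM-1 and MSM-2 maturity indicators from a self-assessment log.

Added example, not part of the standards page. The record format, the
92/366-day windows for "quarterly"/"annually", the worst-of aggregation and
the "actions taken" rule for MSM-2 are assumptions made here.
"""
from dataclasses import dataclass
from datetime import date, timedelta

RAG_ORDER = {"RED": 0, "AMBER": 1, "GREEN": 2}   # higher is better

# Assumed reading of the MSM-1 thresholds, with a few days of grace.
QUARTER = timedelta(days=92)
YEAR = timedelta(days=366)


@dataclass(frozen=True)
class Record:
    control: str     # standard or control the status applies to
    assessed: date   # date the RAG status was recorded
    rag: str         # "GREEN", "AMBER" or "RED"


def latest_per_control(records):
    """Return {control: most recent Record} for every control in the log."""
    latest = {}
    for r in records:
        if r.control not in latest or r.assessed > latest[r.control].assessed:
            latest[r.control] = r
    return latest


def msm1_status(records, expected_controls, today):
    """MSM-1: a RAG status is recorded and kept fresh for every expected control.

    GREEN  every control updated within the last quarter
    AMBER  every control recorded, but at least one is older than a quarter
    RED    at least one control never recorded, or stale for more than a year
    """
    latest = latest_per_control(records)
    worst = "GREEN"
    for control in expected_controls:
        rec = latest.get(control)
        if rec is None or today - rec.assessed > YEAR:
            return "RED"       # not recorded, or effectively abandoned
        if today - rec.assessed > QUARTER:
            worst = "AMBER"    # recorded, but not at quarterly cadence
    return worst


def control_trends(records):
    """Per control, compare the first and last RAG status in date order.

    Returns {control: "improving" | "declining" | "stable"}; a control with a
    single record is "stable" because there is nothing to trend yet.
    """
    history = {}
    for r in sorted(records, key=lambda rec: rec.assessed):
        history.setdefault(r.control, []).append(RAG_ORDER[r.rag])
    trends = {}
    for control, scores in history.items():
        if scores[-1] > scores[0]:
            trends[control] = "improving"
        elif scores[-1] < scores[0]:
            trends[control] = "declining"
        else:
            trends[control] = "stable"
    return trends


def msm2_status(records, actions_taken):
    """MSM-2: trends are tracked over time and used to inform improvements.

    actions_taken is the set of controls that have a recorded improvement
    action (assumed to be kept alongside the assessment log).
    RED    no control has more than one record, so nothing can be trended
    AMBER  trends exist, but a declining or currently red control has no action
    GREEN  every declining or red control has an action recorded against it
    """
    counts = {}
    for r in records:
        counts[r.control] = counts.get(r.control, 0) + 1
    if not any(n > 1 for n in counts.values()):
        return "RED"
    trends = control_trends(records)
    latest = latest_per_control(records)
    needs_action = {c for c, t in trends.items() if t == "declining"}
    needs_action |= {c for c, rec in latest.items() if rec.rag == "RED"}
    return "AMBER" if needs_action - set(actions_taken) else "GREEN"


# Constructed sample log; control names are illustrative placeholders only.
TODAY = date(2025, 8, 7)
SAMPLE_RECORDS = [
    Record("SSDF PW.4", date(2025, 2, 3), "AMBER"),
    Record("SSDF PW.4", date(2025, 5, 6), "GREEN"),
    Record("SSDF PW.4", date(2025, 8, 1), "GREEN"),   # improving
    Record("CAF B4", date(2025, 2, 3), "GREEN"),
    Record("CAF B4", date(2025, 8, 1), "AMBER"),      # declining
    Record("MVSP 1.1", date(2025, 3, 10), "GREEN"),   # 150 days old: amber cadence
]
EXPECTED_CONTROLS = ["SSDF PW.4", "CAF B4", "MVSP 1.1"]

if __name__ == "__main__":
    print("MSM-1:", msm1_status(SAMPLE_RECORDS, EXPECTED_CONTROLS, TODAY))
    print("MSM-2:", msm2_status(SAMPLE_RECORDS, {"CAF B4"}))
    print("Trends:", control_trends(SAMPLE_RECORDS))
```

Run as a script it prints AMBER for MSM-1 (one control last assessed 150 days ago) and GREEN for MSM-2 (the one declining control has an action recorded). Adding an expected control that has never been assessed drops MSM-1 to RED; removing the action against the declining control drops MSM-2 to AMBER.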

Published: 24 July 2025
Last updated: 7 August 2025