Overview
In Cye Exposure Management Platform, the NIST CSF 2.0 maturity model uses a combination of inputs—ratings, linked findings, technologies, processes, and system insights—to calculate your maturity score. This article breaks down how scoring works at the subcategory, category, function, and organizational levels.
Organizational Maturity Score: Completion Requirements
To generate an organization-level maturity score, these thresholds must be met:
At least 50% of subcategories must be rated within each category to calculate the category score
At least 50% of categories must be completed to calculate the function score
At least 4 of 6 functions (67%) must be completed to calculate the organization score
How Findings Impact Maturity
Progress-Based Scoring: Maturity is influenced by remediation progress (%); as work is completed, the score improves incrementally. For more on how remediation assets and manual overrides determine this percentage, see [Understanding Maturity].
Averaging Finding Impact: Within a subcategory’s total score, the finding component is calculated as the average of the maturity values of all linked findings. This ensures every bit of progress contributes to the overall score.
Global Application: Findings linked to multiple subcategories apply their individual maturity values to every subcategory they are linked to.
Default Maturity Targets:
Fully Remediated: Findings with 100% progress default to level 3. Once a finding’s status is changed to Fixed, you can manually override this value to reflect a different remediation level.
System-Resolved: Findings automatically fixed by Cye Platform are set to level 2 (automatic fixes get a slightly lower maturity score compared to manual fixes since they represent system-driven resolution rather than deliberate organizational action).
Severity Weighting: For findings in progress, maturity is weighted by severity. High-severity issues require more progress to reach higher maturity levels than lower-severity issues:
Critical/High severity = 1
Low/Medium severity = 2
Subcategory Score Calculation
The system calculates maturity levels by distributing weight equally among all data components present in a subcategory (Manual Rating, Findings, Technologies, and Processes).
How Security Controls Affect Scoring:
Security controls—which include both Technologies (like EDR or SIEM) and Processes—provide a structured baseline for your maturity.
Default Maturity: Both technologies and processes are assigned a default maturity level of 3 upon being linked to a subcategory. This level can be manually edited within the Assets page or the Standards tab to reflect your actual implementation.
The "Improvement Only" Rule: Cye Platform applies a "do no harm" logic to security controls. A linked technology or process is only factored into the calculation if it improves the subcategory score. If the control's maturity level is lower than the current subcategory score, it is ignored to ensure your score never drops due to adding a control.
Dynamic Weighting: The influence of security controls depends on the number of data components present for a subcategory (Manual Rating, Findings, Technologies, and Processes):
If all four components exist, each (including Tech and Processes) accounts for 25% of the score.
If only three components exist, each accounts for 33.3%.
If only a technology or process is linked, it accounts for 100% of the score.
| Data Components Present | Weight per Component |
| --- | --- |
| 4 components: Rating + Findings + Tech + Processes | 25% each |
| 3 components (e.g., Rating + Tech + Processes) | 33.3% each |
| 2 components (e.g., Tech + Processes) | 50% each |
| 1 component (only Rating, Tech, or Process) | 100% |
| Rating is "Unknown" or "Not Relevant" | 100% split across the linked items (if any) |
Special Scenarios
Dynamic Component Values: While Technology and Process default scores are 3, you can manually adjust this value to reflect your specific environment.
Manual Evaluation: In cases of manual evaluation, if your selection is Unknown or Not Relevant, the system ignores that selection and calculates maturity based solely on other linked elements.
Manual Precedence: For any of the four maturity components (Manual Evaluation, Findings, Technologies, or Processes), manual input takes full precedence when no linked data is available.
Calculation Exclusions: To maintain accuracy, findings or remediation assets in Draft statuses (Draft, Awaiting Approval, Approved, Not Approved) or those marked as Not Relevant do not impact maturity calculations and are excluded from the Maturity Assessment view.
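The following is an added worked model of the rules above (finding defaults and exclusions, equal weighting of present components, the "improvement only" rule for controls, ignored ratings, and the 50% completion threshold); it is illustrative code, not Cye Platform's implementation. It assumes that several technologies or processes average into one component, that a control whose level equals the current score is "not lower" and is kept, that the in-progress maturity of a finding is supplied as an input (the page gives no formula for it), and that a category score is the average of its rated subcategories.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Optional

# Statuses the page says are excluded from maturity calculations.
DRAFT_STATUSES = {"Draft", "Awaiting Approval", "Approved", "Not Approved"}
IGNORED_RATINGS = {"Unknown", "Not Relevant"}

@dataclass
class Finding:
    status: str                       # e.g. "Fixed", "In Progress", "Draft"
    progress: float                   # remediation progress, 0-100
    system_resolved: bool = False     # auto-fixed by the platform
    relevant: bool = True             # False = marked Not Relevant
    maturity: Optional[float] = None  # manual override, or the in-progress value
    # (the page gives no formula for in-progress maturity, so it is an input here)

def finding_maturity(f: Finding) -> Optional[float]:
    """Maturity value a finding contributes, or None if it is excluded."""
    if f.status in DRAFT_STATUSES or not f.relevant:
        return None
    if f.maturity is not None:
        return f.maturity
    if f.progress >= 100:
        return 2.0 if f.system_resolved else 3.0   # defaults stated on the page
    return None  # assumption: an in-progress finding needs a supplied value

def subcategory_score(rating, findings, technologies, processes) -> Optional[float]:
    """Equal-weight average of the components present, with the improvement-only rule."""
    components = []
    if rating is not None and rating not in IGNORED_RATINGS:
        components.append(float(rating))
    values = [m for m in map(finding_maturity, findings) if m is not None]
    if values:
        components.append(mean(values))   # finding component = average of linked findings
    for group in (technologies, processes):
        if not group:
            continue
        level = mean(group)               # assumption: several controls average into one component
        current = mean(components) if components else None
        if current is None or level >= current:   # assumption: an equal level counts as "not lower"
            components.append(level)      # a lower control is ignored, so the score never drops
    return round(mean(components), 2) if components else None

def category_score(sub_scores) -> Optional[float]:
    """Category score requires at least 50% of subcategories rated (assumption: average of rated ones)."""
    rated = [s for s in sub_scores if s is not None]
    if not sub_scores or len(rated) / len(sub_scores) < 0.5:
        return None
    return round(mean(rated), 2)
```

With a rating of 2, one fixed finding (3), one draft finding (excluded), one system-resolved finding (2), a technology at 3 and a process at 1, the technology is kept (3 is above the running score of 2.25) while the process is ignored (1 is below 2.5), giving a subcategory score of 2.5.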
Wrap-up / Next Steps
Understanding how maturity scores are calculated helps you use the model more effectively. By thoughtfully linking findings, processes, and technologies—and rating subcategories accurately—you can better reflect your organization’s security posture and guide improvement.