PKI Maturity Model
The objective of this document is to provide a definition of the PKI maturity model and what is the maturity assessment process and procedures in order to rate the current maturity level according the model and track progress.
Maturity Model
The maturity model is based on the Capability Maturity Model Integration (CMMI) developed by Carnegie Mellon University. It should provide the following::
- Quickly understand the current level of capabilities and performance of the PKI
- Support comparison of PKI maturity with similar organizations based on size or industry (anonymized)
- Action plans on how to improve the capabilities of the current PKI
- Improve overall PKI performance
Maturity Levels
The maturity model consists of several categories which are directly associated with the PKI and covers all aspects and activities (people, processes, technology). Based on the maturity model parts, the overall maturity level is determined as a single value representing the current state of capabilities and performance.
Each category can be separately assessed for its maturity level. Maturity levels are generally defined as follows:
| Maturity level | Short description (general) |
|---|---|
| Initial | Unpredictable process with poor control and always reactive |
| Basic | Process is characterized by each particular case or project and controls are often reactive |
| Advanced | Process is characterized by organizational standards and controls are proactive |
| Managed | Processes are measured and controlled, proactive approach |
| Optimized | Continuous improvement of the processes and procedures, proactive approach for future technology improvement |
Modules
There are 4 modules defined for the maturity model. Each of the module is focused on the specific parts of the PKI.
| Module | Description |
|---|---|
| Governance | Consist of the leadership, overall structures, and processes to enable organization using the PKI in a sustainable way. In also consists of having strategy and objectives and proper decision making |
| Management | Translates the governance into actions that support the PKI, management of the resources to maintain the required level of trust |
| Operations | Includes day to day business as usual activities that lead to secure and future-proof PKI in accordance with the organization goals |
| Resources | Ensures that the activities related to the PKI are performed with a proper knowledge and experience, with enough capacities, and that it provides complete and accurate information to relying parties |
Categories and weights
The following categories of the PKI maturity model are defined with the appropriate weight based on the applicability and importance:
| Category | Weight |
|---|---|
| Strategy and vision | 5 |
| Policies and documentation | 4 |
| Compliance | 2 |
| Processes and procedures | 3 |
| Key Management | 4 |
| Certificate Management | 4 |
| Interoperability | 2 |
| Infrastructure Management | 2 |
| Change Management and Agility | 3 |
| Sourcing | 4 |
| Knowledge and Training | 3 |
| Monitoring and Auditing | 2 |
| Automation | 2 |
| Awareness | 3 |
| Resilience | 4 |
For more information on categories, please refer to the Categories Maturity Evaluation.
The weights of the categories are used to calculate the overall maturity level of the PKI.
Modules and categories
Each module consists of specific categories related to them:
| Governance | Management | Operations | Resources |
|---|---|---|---|
| Strategy and visionPolicies and documentationComplianceProcesses and procedures | Key ManagementCertificate ManagementInfrastructure ManagementChange Management and Agility | ResilienceAutomationInteroperabilityMonitoring and Auditing | SourcingKnowledge and TrainingAwareness |
Overall maturity level
Based on the nature of PKI part, these maturity levels are described accordingly. Overall maturity level is calculated as weighted average of maturity level of PKI categories.
There are defined the following overall maturity levels for the PKI Maturity Model:
| Maturity level | Indicators | Associated risks |
|---|---|---|
| 1 – Initial | PKI is ad-hoc managed, reactive There are minimum processes and procedures, which are typically not followed and There is no approach how to address certificate related issues PKI does not take into account any industry standards or regulations Insufficient resources and knowledge | High probability of compromise High probability of operational issues No trust |
| 2 - Basic | PKI is ad-hoc managed, often reactive There are defined processes and procedures which are followed PKI is not managed according industry standards and regulations Insufficient knowledge | High probability of operational issues Medium probability of compromise No trust |
| 3 – Advanced | Certificate services are not consistent Procedures are defined and followed CP and CPS partially exist Partially available resources and knowledge | Medium probability of operational issues Low probability of compromise |
| 4 – Managed | PKI is consistently managed Well defined CP and CPS for provided services Available skilled resources Documented processes and procedures to manage certificates and related keys Inconsistent approach to certificate related activities | Low probability of operational issues Low probability of compromise and loosing trust |
| 5 – Optimized | Well defined CP and CPS Effective procedures for certificate management exists Resources with knowledge and experience available Consistent PKI with alignment to current practice and regulation Future proof | Minimal probability of operational issues Minimal probability of compromise and loosing trust |
