The National Security Agency has seen a need for a more appropriate way to assess information systems security. While companies provide commercial security products and services, it usually takes them a long time to develop new products and services relevant to the times and to the technologies of today. Beyond the time lag, developing new products and services usually requires large amounts of money, and this expense is then passed on to the end users. In addition, these products seldom go through independent evaluation. The users are then left to decide for themselves based on the claims of the providers.
The NSA saw a way to address this need: developing a Capability Maturity Model (CMM) for security engineering. This CMM effort is the agency’s contribution to the security engineering community. It was set forth in 1993 with the hope that the entire industry would respond by coming up with the criteria on which the CMM would be based.
The main purpose of the National Security Agency's CMM effort is to help consumers judge whether a provider of security products and services is well qualified. It also aims to improve the overall quality of the services rendered by the industry. A valid and solid method of assessment would guide customers accordingly. The CMM is meant to provide not only the criteria but also a standardized metric.