
What is a MIL (Maturity Indicator Level), and how is it used?

This article will cover what the MIL levels are, and provide some examples of how they play into the product and overall scoring within an Assessment.

The Maturity Indicator Level (MIL) is how we map the maturity of a series of progressive Practices. MIL1 Practices are usually foundational and are referred to as Initiated; MIL2 Practices are those that are Performed; and MIL3 Practices are Managed.

Here is a simplified example from the Risk Management Domain under the Objective of Establishing a Risk Management Strategy:

  • An example of a MIL1 Practice would be: The organization has identified the cyber security risks to the organization. Most organizations might say they have "Largely Implemented" this Practice, as they have identified the cyber risks to their business.
  • An example of a progressive MIL2 Practice would be: These identified risks have been documented. Most organizations might indicate that they have "Partially Implemented" this Practice. They likely have a simple Risk Register in XLS and review it once or twice annually.
  • Finally, an example of a progressive MIL3 Practice would be: These identified and documented risks are prioritized by their potential impact on the delivery of business services. A majority of organizations might indicate that they have "Not Implemented" this Practice. This is because, as stated above, they are only partially documenting the identified risks.

So now, using a combination of the Implementation Response and a series of progressively more mature Practices, in this simplistic example we can effectively score the maturity of a Risk Register. While the number of Practices and the scoring are a bit more complicated in the actual assessments, one can see from these 3 questions, broken into MIL1-3, that this organization would have a hypothetical Cyber Maturity Index (CMI) of 1.2 out of 5.0 for the maturity of its Risk Register program. It has identified its risks, partially documented those risks, and is currently doing nothing with that list to limit the impact on service delivery. We would also know its next steps in maturity: a centralized Risk Register, a topology, classification, a defined Risk Committee, and an organizationally defined timeline on which it would meet to review the risks in the Register and use that analysis to minimize the impact on service delivery.

Using the combination of progressively more mature Practices, organized by MIL1-3, together with the Implementation Response to each Practice, the CRT can produce quantified and repeatable scoring across any organization, irrespective of vertical or industry. The CRT can also measure and report on incremental maturity improvement, because an improvement to a MIL1 Practice (the initiation of a foundational element) affects the score more than an improvement to a MIL3 Practice. For example, if a MIL1 Practice moved from a "Not Implemented" state to a "Largely Implemented" state, it would drive the score higher than several MIL3 Practices making the same maturity improvement. This is because the business risk of not performing foundational and/or basic cyber hygiene items is much more impactful to the reduction of risk than the reporting, monitoring, or performance tasks associated with MIL3 Practices.
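As an added illustration (not the CRT's own code or scoring formula), the following Python model shows the weighting described above: each Practice earns credit according to its Implementation Response, MIL1 credit is weighted more heavily than MIL3 credit, and the result is scaled to the 0-5 CMI range. The response credits, MIL weights and scaling are assumptions made for this example, so its numbers will not reproduce the article's hypothetical 1.2 / 5.0; the three Practices are the article's Risk Management example.

```python
"""Illustrative MIL-weighted scoring; weights and scaling are assumptions, not the CRT's formula."""
from dataclasses import dataclass, replace

# Implementation Response -> fraction of credit earned (assumed values).
RESPONSE_CREDIT = {"Not Implemented": 0.0, "Partially Implemented": 0.25,
                   "Largely Implemented": 0.75, "Fully Implemented": 1.0}
# MIL -> weight; foundational MIL1 practices carry the most weight (assumed values).
MIL_WEIGHT = {1: 3.0, 2: 2.0, 3: 1.0}
SCALE_MAX = 5.0  # the CMI scale the article describes runs 0 to 5

@dataclass(frozen=True)
class Practice:
    mil: int
    text: str
    response: str

def score(practices):
    """Weighted credit earned as a fraction of weight available, scaled to 0-5."""
    earned = sum(MIL_WEIGHT[p.mil] * RESPONSE_CREDIT[p.response] for p in practices)
    possible = sum(MIL_WEIGHT[p.mil] for p in practices)
    return round(SCALE_MAX * earned / possible, 2)

def delta(practices, index, new_response):
    """Score change from moving one practice to a new Implementation Response."""
    updated = list(practices)
    updated[index] = replace(practices[index], response=new_response)
    return round(score(updated) - score(practices), 2)

def next_gap(practices):
    """Lowest-MIL practice not yet at least Largely Implemented: the next step to mature."""
    threshold = RESPONSE_CREDIT["Largely Implemented"]
    for p in sorted(practices, key=lambda q: q.mil):
        if RESPONSE_CREDIT[p.response] < threshold:
            return p
    return None

# The article's simplified Risk Management example, with the responses it gives.
RISK_REGISTER = [
    Practice(1, "Cyber security risks to the organization are identified", "Largely Implemented"),
    Practice(2, "Identified risks are documented", "Partially Implemented"),
    Practice(3, "Documented risks are prioritized by impact on service delivery", "Not Implemented"),
]
# Constructed domain with nothing started, to compare a MIL1 gain against a MIL3 gain.
UNSTARTED = [replace(p, response="Not Implemented") for p in RISK_REGISTER]

if __name__ == "__main__":
    print("Risk Register score:", score(RISK_REGISTER))
    print("Next step:", next_gap(RISK_REGISTER).text)
    print("MIL1 Not -> Largely adds:", delta(UNSTARTED, 0, "Largely Implemented"))
    print("MIL3 Not -> Largely adds:", delta(UNSTARTED, 2, "Largely Implemented"))
```

With these assumed weights, moving the MIL1 Practice from "Not Implemented" to "Largely Implemented" adds three times as much to the score as the same move on the MIL3 Practice, and the next gap reported is the MIL2 documentation Practice, matching the article's narrative.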