Cyber Maturity Expectation (CME) Framework Reference Guide
Understanding Your Organization’s Validation Rigor Classification and Control Expectations
Testify - Portfolio Cyber Security
Version 1.1 - April 2026
For Portfolio Principals, CISOs, and Security Analysts
Contents
- What Is CME?
- How Is My CME Level Determined?
- What Does My CME Level Mean in Practice?
- CME Control Expectations
- CME in Validation Campaigns
- Real-World Scenarios
- Governance and Special Features
- Frequently Asked Questions
- Glossary
What Is CME?
Cyber Maturity Expectation (CME) is a four-level classification system that determines how much evidence your organization needs to provide when demonstrating cybersecurity control compliance — and which controls your organization is expected to comply with.
CME serves two complementary purposes:
- Evidence rigor — CME defines how rigorously controls are validated. A 20-person startup and a 20,000-person logistics company require fundamentally different evidence to validate the same claim. CME defines that difference systematically.
- Control expectations — CME defines which subset of controls each company is expected to meet. The PE firm recommends that ALL portfolio companies complete a full CIS or NIST CSF assessment (this is industry best practice and provides a complete picture of security posture). However, CME also sets realistic expectations: a CME-1 company assessed across all 153 CIS safeguards is only expected to be compliant on the ~56 Implementation Group 1 controls. Non-compliance on an IG3 control at a CME-1 company is treated as aspirational, not as a gap.
The core question CME answers
When two companies both claim they have implemented the same security control, should we accept the same proof from both? And should we hold both companies to the same set of controls in the first place? CME answers both questions by matching evidence standards and control expectations to each organization’s complexity, asset criticality, and investment profile.
Every organization in the portfolio is assigned one of four CME levels:
| Level | Name | What It Means |
|---|---|---|
| CME-1 | Foundational | Validation relies on document review. A single reviewer examines artifacts you provide — spreadsheets, screenshots, policy documents. Annual validation cadence. Expected to comply with baseline controls (e.g., CIS IG1). |
| CME-2 | Structured | Validation includes document review plus targeted interviews with your staff. Tool-generated reports expected (not just screenshots). Semi-annual validation for critical controls. Expected to comply with intermediate controls (e.g., CIS IG1+IG2). |
| CME-3 | Managed | Validation includes document review, structured interviews, and sample-based testing. Multiple corroborating artifacts per control. Platform-generated reports from GRC, TPRM, or security tools expected. Quarterly validation for critical controls. Expected to comply with advanced controls (e.g., CIS IG1+IG2+IG3). |
| CME-4 | Enterprise | Full multi-source corroboration. Evidence from internal tools cross-referenced with independent third-party audits. Statistical sampling. External audit reports expected. Continuous or monthly validation for critical controls. Expected to comply with all controls in the framework. |
Your CME level is visible on your organization’s profile within Testify and appears as a badge next to your company name throughout the platform — on portfolio dashboards, campaign assignments, and analytics views.
How Is My CME Level Determined?
Your CME level is computed from a set of input factors that describe your organization’s complexity profile and the investor’s position. These factors are organized into two groups.
Organization Factors
These describe your company itself. They are the same regardless of who is evaluating you.
Information Asset Criticality
This is the single most important factor. It measures how critical your most valuable information assets are — and it looks beyond regulated data to include intellectual property and trade secrets.
The platform evaluates three dimensions independently:
| Dimension | What It Measures | Example |
|---|---|---|
| Regulated data exposure | Volume and classification of data subject to legal protection: PII, PHI, PCI, classified data | A hospital with 500,000 patient records scores Critical. A manufacturer with only employee HR records scores Low. |
| Intellectual property value | Economic value of trade secrets, proprietary formulas, algorithms, source code, or research data relative to total company valuation | A deep-tech startup whose entire $200M valuation depends on one manufacturing formula scores Critical. A services company with no proprietary technology scores Low. |
| Competitive advantage concentration | How concentrated your company’s value is in a small number of protectable assets | A company with one breakthrough product scores Critical. A company with 200 product lines where no single product drives more than 2% of revenue scores Low. |
The highest dimension wins. Your overall information asset criticality score equals the highest score among these three dimensions. If your regulated data exposure is Low but your intellectual property value is Critical, your criticality score is Critical. This ensures that a startup with a billion-dollar trade secret but no regulated data receives the same scrutiny as a hospital system with millions of patient records.
The platform also records which dimension drove your score (the “criticality driver”). This matters because it affects what kind of evidence you’ll be asked to provide during validation campaigns. An organization scored Critical for IP reasons will receive different evidence guidance than one scored Critical for regulated data reasons — even if they’re at the same CME level.
Other Organization Factors
| Factor | What It Captures |
|---|---|
| Operational complexity | The breadth of your technology footprint: multi-cloud environments, legacy systems, operational technology (IoT, SCADA), data centers, and critical infrastructure designations. A global manufacturer with factory-floor IoT and SCADA systems scores higher than a cloud-only SaaS company with double the revenue. |
| Regulatory exposure | The number and stringency of regulatory frameworks that apply to your operations: SOC 2, HIPAA, PCI DSS, GDPR, SOX, CMMC, industry-specific mandates. Multiple concurrent frameworks push the score higher. |
| Employee count | Total headcount including contractors with system access. This is a secondary factor — organizational size alone is a weak predictor of validation rigor needs. A 20-person healthtech with 500K patient records needs more scrutiny than a 3,000-person manufacturer with no sensitive data. |
| Third-party ecosystem | Measured in both directions: how many vendors have access to your data or systems (upstream), and how many customers or organizations depend on your platform (downstream). A SaaS provider embedded in 200 customer environments carries significant downstream exposure. |
| Operational jurisdictions | Countries and regions where you have active operations or data processing. Multi-jurisdiction operations add regulatory complexity and cross-border incident response considerations. |
Investor-Position Factors
These describe the evaluating firm’s relationship to your organization. They reflect how much capital is at risk and how much governance leverage the firm has. Your Portfolio Principal provides these inputs.
| Factor | What It Captures |
|---|---|
| Investment amount | Total capital deployed. This is a high-weight factor because it represents the materiality of the investment — the higher the capital at risk, the more evidence is warranted. The system also considers the investment-to-revenue ratio to flag cases where a breach would be existential relative to the investment. |
| Ownership percentage | The firm’s total ownership stake across fund vehicles. Higher ownership means greater fiduciary exposure and stronger governance leverage to enforce evidence requirements. |
| Board seat count | Board seats held by the investing firm, including observer seats. More seats mean more oversight responsibility and greater ability to mandate compliance with evidence standards. |
| Revenue / valuation | Your organization’s annual revenue or most recent valuation. Used as a supplementary sizing factor and for insurance crossover calculations. |
How the Score Is Computed
Each factor is scored on a 1-4 scale (Low, Moderate, High, Critical). The scores are weighted and combined into a single composite score, which is then mapped to one of the four CME levels.
Organization factors carry the majority of the weight because they describe the actual risk profile. Investor-position factors provide the governance and materiality overlay.
Your Portfolio Principal enters the factor inputs in Testify. The computation runs automatically. You can view your current CME level, the factor breakdown, and the composite score on your organization’s profile page.
The computation is objective, but overridable. The CME level is computed algorithmically to ensure consistency across the portfolio. However, your Portfolio Principal can manually override the computed level with a documented justification. All overrides are logged in the audit trail. If you believe your classification doesn’t reflect your actual risk profile, raise it with your Portfolio Principal — the override mechanism exists for exactly this purpose.
What Does My CME Level Mean in Practice?
Your CME level directly affects three things during validation campaigns: the type of evidence you need to submit, the number of artifacts required per control, and how that evidence is reviewed. It also determines which controls your organization is expected to comply with (see CME Control Expectations).
CME-1: Foundational
CME-1 — Typical organization: A 20-person SaaS startup, single cloud environment, no regulated data beyond employee HR records. Limited cybersecurity budget. No dedicated security staff.
Control scope: Baseline controls only. For CIS Controls v8, this aligns to Implementation Group 1 (~56 safeguards). For NIST CSF 2.0, this covers Identify and Protect functions.
- Validation approach: Document review only. A single reviewer examines the artifacts you submit.
- Evidence artifacts per control: 1-2
- Recommended cadence: Annual for most controls
- Acceptable evidence types:
  - Spreadsheet-based tracking lists (asset inventories, vendor lists, access reviews)
  - Screenshots of tool configurations (MFA settings, firewall rules, endpoint protection dashboard)
  - Single policy documents (information security policy, acceptable use policy)
  - Vendor confirmation emails or contract excerpts
  - Tool settings exports
CME-2: Structured
CME-2 — Typical organization: A 200-person regional services firm. Hybrid cloud with some on-premises systems. SOC 2 Type II. Stores PII and financial data for clients. Has a small IT security team.
Control scope: Intermediate controls. For CIS Controls v8, this aligns to Implementation Groups 1 and 2 (~130 safeguards). For NIST CSF 2.0, this covers Identify, Protect, Detect, and Respond functions.
- Validation approach: Document review plus targeted interviews with relevant staff (CISO, IT director, system administrators).
- Evidence artifacts per control: 2-4
- Recommended cadence: Semi-annual for critical controls, annual for others
- Acceptable evidence types:
  - Tool-generated reports from security platforms (EDR dashboard exports, SIEM event summaries, vulnerability scan reports)
  - Documented procedures with revision history (not just policy documents — actual operational procedures)
  - Access review exports from IAM platforms
  - Training completion records from your LMS
  - Vendor risk register exports
  - Sample contracts with security addenda
CME-3: Managed
CME-3 — Typical organization: A 2,000-person healthcare company. Multi-cloud with on-premises systems and medical devices. HIPAA, HITECH, and state breach notification requirements. 50+ vendors with data access. Dedicated security team.
Control scope: Advanced controls. For CIS Controls v8, this aligns to Implementation Groups 1, 2, and 3 (all 153 safeguards). For NIST CSF 2.0, this covers Identify, Protect, Detect, Respond, Govern, and Recover functions.
- Validation approach: Document review, structured interviews, and sample-based testing. Evidence must be corroborated across multiple sources.
- Evidence artifacts per control: 4-6, corroborated
- Recommended cadence: Quarterly for critical controls, semi-annual for others
- Acceptable evidence types:
  - GRC platform exports with control mappings
  - Automated vulnerability scan and configuration compliance results
  - Board-level security reporting artifacts
  - Incident response tabletop exercise reports
  - Third-party penetration test executive summaries
  - TPRM platform vendor risk scores and critical vendor assessment reports
  - Contract clause matrices demonstrating security addendum coverage across vendor portfolio
CME-3 with IP criticality driver: If your organization is classified CME-3 because of intellectual property value rather than regulated data, your evidence requirements will emphasize different controls: source code repository access controls, design file encryption verification, insider threat program documentation, supply chain integrity evidence, and IP-specific access segmentation. The platform automatically adjusts the evidence guidance based on what drove your classification.
CME-4: Enterprise
CME-4 — Typical organization: A 20,000-person global logistics company. Multi-cloud, on-premises data centers, OT/SCADA in distribution facilities. SOX, GDPR, PCI DSS. 200+ vendors. $500M+ investment. Operations in 15+ countries.
Control scope: All controls in the framework. For CIS Controls v8, this covers all 153 safeguards across all Implementation Groups. For NIST CSF 2.0, this covers all functions and categories.
- Validation approach: Full multi-source corroboration. Document review, interviews, technical verification, and cross-reference with independent external audit reports.
- Evidence artifacts per control: 6+, from multiple independent sources
- Recommended cadence: Continuous monitoring or monthly for critical controls, quarterly for others
- Acceptable evidence types:
  - Multi-source corroboration: GRC platform data cross-referenced with SIEM logs, TPRM reports, and scan outputs
  - Continuous monitoring dashboards (not point-in-time snapshots)
  - Independent third-party audit reports (SOC 2 Type II, ISO 27001 certification, CMMC assessment)
  - Regulatory examination findings and documented remediation evidence
  - Supply chain risk tiering with sub-processor assessment summaries
  - Executive risk committee meeting minutes demonstrating governance oversight
  - M&A cybersecurity due diligence workpapers (if applicable)
CME Control Expectations
In addition to defining evidence rigor, each CME level defines a Control Expectation Set — the specific controls a company is expected to comply with. This allows the platform to distinguish between genuine compliance gaps and aspirational stretch goals.
The PE firm recommends that all portfolio companies complete a full assessment against the chosen framework (all 153 CIS safeguards or all NIST CSF categories). This is industry best practice and provides the most complete picture of security posture. However, not every company is expected to be compliant on every control. CME Control Expectations define realistic, tier-appropriate compliance targets.
Default Control Expectations by Framework
CIS Controls v8
Default expectations align to CIS Implementation Groups, which were designed for exactly this purpose — progressive control adoption based on organizational complexity.
| CME Level | Expected Controls | Approximate Count | Description |
|---|---|---|---|
| CME-1 | Implementation Group 1 (IG1) | ~56 safeguards | Essential cyber hygiene. The foundational set of controls every organization should implement regardless of size or resources. |
| CME-2 | Implementation Groups 1 + 2 (IG1+IG2) | ~130 safeguards | Intermediate controls for organizations with moderate complexity, dedicated IT staff, and data sensitivity. |
| CME-3 | Implementation Groups 1 + 2 + 3 (IG1+IG2+IG3) | All 153 safeguards | The complete set of CIS safeguards for organizations with significant complexity, regulatory exposure, or asset criticality. |
| CME-4 | All Implementation Groups (IG1+IG2+IG3) | All 153 safeguards | Same control scope as CME-3, but with the most rigorous evidence and validation requirements. |
NIST CSF 2.0
Default expectations align to a function-based progression, introducing additional NIST CSF functions as organizational maturity increases.
| CME Level | Expected Functions | Description |
|---|---|---|
| CME-1 | Identify, Protect | Core asset awareness and protective measures. The minimum functions needed to establish a security baseline. |
| CME-2 | Identify, Protect, Detect, Respond | Adds the ability to detect security events and respond to incidents. Appropriate for organizations with active monitoring capability. |
| CME-3 | Identify, Protect, Detect, Respond, Govern, Recover | Adds governance oversight and recovery planning. Full functional coverage for organizations with mature security programs. |
| CME-4 | All functions and categories | Complete NIST CSF 2.0 coverage with the most rigorous validation requirements. |
Each tier is a strict superset of the one below. Every control expected at CME-1 is also expected at CME-2, CME-3, and CME-4. Controls are only added as you move up tiers, never removed.
Customization
The PE firm can customize which controls are expected at each tier. This is done at the platform level — it is a portfolio-wide configuration, not a per-company setting.
- Where to configure: Settings > CME Control Expectations
- Who can configure: Portfolio Principals only
- What can be changed: Individual controls can be added to or removed from any tier
- Constraint: The strict superset rule is enforced. You cannot add a control to CME-1 without it also appearing in CME-2, CME-3, and CME-4. You cannot remove a control from CME-3 if it is still present in CME-2.
- When to customize: Common scenarios include adding industry-specific controls (e.g., requiring HIPAA-relevant safeguards at CME-2 for a healthcare-focused portfolio) or removing controls that are not applicable to the portfolio’s technology profile.
Configuration is done once and applies across all companies at each tier. If a specific company requires an exception, the Portfolio Principal can use the existing manual override mechanism to adjust that company’s CME level, which changes the entire expectation set.
How Control Expectations Affect Compliance and Reporting
CME Control Expectations change how compliance rates, gap analysis, and reports are calculated throughout the platform.
Compliance rates are scoped to expected controls by default. When a CME-1 company is assessed across all 153 CIS safeguards but is only expected to comply with ~56 (IG1), their compliance rate is calculated against those 56 controls. A CME-1 company that is compliant on 50 of their 56 expected controls has a meaningful 89% compliance rate — rather than a misleading 33% against the full 153.
Gap analysis separates expected gaps from aspirational gaps.
- Expected Gaps — Controls within the company’s CME expectation set where the company is not yet compliant. These are genuine compliance gaps that require remediation attention.
- Aspirational Gaps — Controls outside the company’s CME expectation set where the company is not compliant. These represent stretch goals. Non-compliance is expected and is not treated as a deficiency.
This distinction ensures that CISOs and Portfolio Principals focus remediation effort where it matters most and are not overwhelmed by gaps on controls that are beyond the company’s current tier.
Reports offer a scope toggle. All compliance-related reports in Testify provide a view selector:
- CME-Scoped (default) — Shows compliance rates, gaps, and trends calculated against only the controls in the company’s CME expectation set.
- Full Standard — Shows compliance rates, gaps, and trends calculated against all controls in the framework, regardless of CME expectations.
Both views are always available. The CME-Scoped view is the default because it provides the most actionable picture for day-to-day portfolio management. The Full Standard view is useful for board reporting, due diligence, and understanding the complete security posture.
“Meeting expectations” in the Maturity Distribution report requires both maturity and compliance. A portfolio company is considered “meeting expectations” only when:
- Its maturity score meets or exceeds the target for its CME level, AND
- It is 100% compliant on all controls in its CME expectation set.
Both conditions must be satisfied. A company with a strong maturity score but gaps in its expected controls is not yet meeting expectations, and vice versa.
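The scoping rules in this section (CME-scoped versus Full Standard rates, expected versus aspirational gaps, the strict superset constraint on customization, and the two-part "meeting expectations" test) as an added worked example; this is not Testify's own code. The framework catalogue is constructed to mirror the CIS v8 group sizes (56 IG1, 74 IG2, 23 IG3 safeguards) with synthetic safeguard IDs.

```python
"""CME Control Expectation calculations as this guide describes them
(added example, not Testify's own code).  The framework below is constructed:
it mimics CIS Controls v8 sizes (56 IG1 + 74 IG2 + 23 IG3 = 153 safeguards)
but the safeguard IDs are synthetic."""
from dataclasses import dataclass, field

TIER_ORDER = ["CME-1", "CME-2", "CME-3", "CME-4"]
# Default scope per tier: the highest Implementation Group included.
DEFAULT_MAX_IG = {"CME-1": 1, "CME-2": 2, "CME-3": 3, "CME-4": 3}


def synthetic_framework(n_ig1=56, n_ig2=74, n_ig3=23):
    """Constructed {safeguard_id: implementation_group} catalogue."""
    framework = {}
    for ig, count in ((1, n_ig1), (2, n_ig2), (3, n_ig3)):
        for i in range(count):
            framework[f"IG{ig}-{i + 1:02d}"] = ig
    return framework


def default_expectation_sets(framework):
    """Build each tier's expectation set from the IG progression."""
    return {
        level: {sid for sid, ig in framework.items() if ig <= max_ig}
        for level, max_ig in DEFAULT_MAX_IG.items()
    }


def superset_rule_holds(sets):
    """Strict superset constraint: every control expected at a lower tier
    must also be expected at every higher tier."""
    return all(sets[lo] <= sets[hi] for lo, hi in zip(TIER_ORDER, TIER_ORDER[1:]))


def customize(sets, level, add=(), remove=()):
    """Return a new tier map with the change applied, or raise ValueError if
    it would break the superset rule (adding to CME-1 without the higher
    tiers, or removing from CME-3 while CME-2 still lists the control)."""
    new = {lvl: set(s) for lvl, s in sets.items()}
    new[level] |= set(add)
    new[level] -= set(remove)
    if not superset_rule_holds(new):
        raise ValueError(f"change to {level} violates the strict superset rule")
    return new


@dataclass
class ComplianceView:
    rate_pct: int
    expected_gaps: list = field(default_factory=list)
    aspirational_gaps: list = field(default_factory=list)


def compliance_view(level, results, sets, scope="cme"):
    """results: {safeguard_id: bool} from a full-framework assessment.
    scope="cme" divides by the tier's expectation set (the default view);
    scope="full" divides by every assessed control (Full Standard view).
    An expected control missing from results counts as non-compliant."""
    expected = sets[level]
    assessed = set(results)
    denominator = expected if scope == "cme" else assessed
    compliant = sum(1 for sid in denominator if results.get(sid, False))
    expected_gaps = sorted(sid for sid in expected if not results.get(sid, False))
    aspirational_gaps = sorted(sid for sid in assessed - expected if not results[sid])
    return ComplianceView(
        rate_pct=round(100 * compliant / len(denominator)),
        expected_gaps=expected_gaps,
        aspirational_gaps=aspirational_gaps,
    )


def meets_expectations(level, results, sets, maturity, maturity_target):
    """Maturity Distribution rule: maturity target reached AND no expected gaps."""
    view = compliance_view(level, results, sets)
    return maturity >= maturity_target and not view.expected_gaps


def guide_example():
    """Reproduce the guide's CME-1 case: compliant on 50 of 56 IG1 controls while
    assessed across all 153 (constructed: assume no IG2/IG3 control passes)."""
    framework = synthetic_framework()
    sets = default_expectation_sets(framework)
    passing = set(sorted(sets["CME-1"])[:50])
    results = {sid: sid in passing for sid in framework}
    scoped = compliance_view("CME-1", results, sets)
    full = compliance_view("CME-1", results, sets, scope="full")
    return (scoped.rate_pct, full.rate_pct,
            len(scoped.expected_gaps), len(scoped.aspirational_gaps))
```

`guide_example()` returns the 89% scoped rate against the 33% full-standard rate from the text, with 6 expected and 97 aspirational gaps.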
CME in Validation Campaigns
When your Portfolio Principal launches a validation campaign that includes your organization, Testify uses your CME level to tailor the experience.
What Happens Behind the Scenes
- The campaign assigns one or more validation recipes to your organization. Each recipe defines how to validate a specific security control (for example, CIS 15.1 — Establish and Maintain an Inventory of Service Providers).
- The platform checks your CME level and your criticality driver.
- For each recipe, the platform selects the evidence tier definition that matches your CME level and criticality driver. If a domain-specific tier exists (for example, a CME-3 tier specifically for organizations with IP-driven criticality), that version is selected. Otherwise, the generic tier for your level is used.
- The selected evidence tier determines: the evidence guidance shown to you in the Validation Workspace, the minimum number of artifacts required, whether interviews or technical testing are expected, and the reviewer’s evaluation criteria.
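The selection steps above, combined with the highest-dimension-wins rule from Information Asset Criticality and the subsidiary floor from Governance and Special Features, as an added example that is not Testify's code. The composite weighting that turns factor scores into a CME level is not published in this guide, so the computed level is an input here; the recipe tier definitions for CIS 15.1 are constructed, with artifact counts taken from the per-tier ranges in this guide.

```python
"""Classification helpers that follow this guide's stated rules (added
example, not Testify's code).  The factor-to-level composite is not published
in the guide, so the computed CME level is taken as an input."""

SCALE = {"Low": 1, "Moderate": 2, "High": 3, "Critical": 4}
# Order matters only for tie-breaking (assumption: the guide does not say
# which dimension is recorded as the driver when two dimensions tie).
DIMENSIONS = ("regulated_data", "intellectual_property", "competitive_advantage")


def criticality(dimensions):
    """Highest dimension wins.  Returns (overall_score, criticality_driver)."""
    missing = set(DIMENSIONS) - set(dimensions)
    if missing:
        raise ValueError(f"missing dimension(s): {sorted(missing)}")
    driver = max(DIMENSIONS, key=lambda d: SCALE[dimensions[d]])
    return dimensions[driver], driver


def apply_subsidiary_floor(computed_level, parent_level=None):
    """A subsidiary cannot sit more than one tier below its parent; the floor
    only raises a level, never lowers it.  Levels are ints 1..4."""
    if parent_level is None:
        return computed_level
    return max(computed_level, parent_level - 1)


# Constructed evidence-tier definitions for one recipe (CIS 15.1).  Keys are
# (cme_level, criticality_driver); a None driver is the generic tier for that
# level.  Guidance strings are constructed summaries of this guide's tables.
RECIPE_CIS_15_1 = {
    (1, None): {"min_artifacts": 1, "interviews": False, "testing": False,
                "guidance": "Spreadsheet vendor list with a data-access column"},
    (2, None): {"min_artifacts": 2, "interviews": True, "testing": False,
                "guidance": "Vendor risk register export plus a sample contract"},
    (3, None): {"min_artifacts": 4, "interviews": True, "testing": True,
                "guidance": "TPRM export, critical vendor assessments, clause matrix"},
    (3, "intellectual_property"): {
        "min_artifacts": 4, "interviews": True, "testing": True,
        "guidance": "TPRM export plus supply chain integrity evidence for IP-handling vendors"},
    (4, None): {"min_artifacts": 6, "interviews": True, "testing": True,
                "guidance": "Multi-source TPRM data, third-party vendor assessments, committee minutes"},
}


def select_evidence_tier(recipe_tiers, level, driver):
    """Prefer the domain-specific tier for (level, driver); otherwise fall back
    to the generic tier for the level."""
    if (level, driver) in recipe_tiers:
        return recipe_tiers[(level, driver)]
    return recipe_tiers[(level, None)]


def classify_and_select(dimensions, computed_level, parent_level, recipe_tiers):
    """End-to-end: criticality driver -> floored level -> evidence tier."""
    score, driver = criticality(dimensions)
    level = apply_subsidiary_floor(computed_level, parent_level)
    tier = select_evidence_tier(recipe_tiers, level, driver)
    return {"criticality": score, "driver": driver, "level": level, "tier": tier}
```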
What You See as a CISO
In the Validation Workspace, you will see:
- Your organization’s CME level displayed as a badge
- Evidence guidance specific to your tier — a clear description of what to submit and in what format
- Minimum artifact count — how many pieces of evidence are required for this control at your tier
- Recommended evidence types — a list of acceptable artifact types (e.g., tool exports, platform reports, audit summaries)
You do not need to know or understand the scoring algorithm. The platform handles the classification and evidence tier selection automatically. Your job is to submit evidence that matches the guidance provided for your tier level.
Real-World Scenarios
The following examples illustrate how CME classifies different types of organizations and what evidence looks like at each level for the same security control.
Same Control, Four Different Evidence Standards
Control: CIS 15.1 — Establish and Maintain an Inventory of Service Providers
| Level | Organization | Evidence Submitted |
|---|---|---|
| CME-1 | 20-person SaaS startup, AWS-only, no regulated data | A shared Google Sheet listing 8 vendors with contract dates and a column indicating which handle customer data. |
| CME-2 | 200-person services firm, SOC 2, hybrid cloud | Vendor risk register export from their IT management tool showing 35 vendors with risk ratings. Sample contract (1 of 35) with security addendum. Annual vendor review meeting notes for top 5 critical vendors. |
| CME-3 | 2,000-person healthcare company, HIPAA, multi-cloud | TPRM platform dashboard export showing 120 vendors with risk scores. Critical vendor assessment reports (top 10 vendors by risk). Contract clause matrix showing security addendum coverage across all 120 vendors. Quarterly vendor review cadence documentation. |
| CME-4 | 20,000-person logistics, SOX + GDPR + PCI, global ops | TPRM platform reports for all 250 vendors. Independent third-party vendor risk assessments for critical vendors. Contractual SLA dashboards showing vendor compliance metrics. Supply chain sub-processor audit summaries. Quarterly executive risk committee minutes documenting vendor risk review. |
The Crown Jewels Scenario
Consider two companies, both with approximately 30 employees:
CME-1 — Company A: Digital marketing agency. No regulated data, no proprietary technology, no trade secrets. Value is in client relationships and staff expertise. CME classification: CME-1. Evidence standard: spreadsheets and screenshots. Expected to comply with ~56 IG1 controls.
CME-3 — Company B: Deep-tech hardware startup. No regulated data, but holds a proprietary semiconductor manufacturing process that is the entire basis for a $200M investment. If this formula were stolen by a competitor or nation-state actor, the investment goes to zero. CME classification: CME-3 (driven by IP value and competitive advantage concentration). Evidence standard: platform reports, access control verification, insider threat program documentation. Expected to comply with all 153 CIS safeguards.
Both companies have 30 employees and zero regulated data. Under a naive size-based model, they would receive the same evidence standard. Under CME, the startup with the critical trade secret is appropriately classified at a higher tier because the information asset criticality dimensions correctly identify that the IP is the “crown jewel” that must be protected.
Governance and Special Features
Manual Overrides
Your Portfolio Principal can override the computed CME level in either direction. Overrides require a written justification and are permanently recorded in the audit trail. Overrides are appropriate when:
- A recent acquisition has changed the organization’s risk profile but factor inputs haven’t been updated yet
- Industry-specific risk factors not captured by the standard input factors warrant a higher tier
- The organization is undergoing a major technology migration that temporarily elevates complexity
Governance Leverage Alerts
The platform automatically detects when an organization’s computed CME level may exceed what the investing firm’s governance position can realistically enforce. For example, if an organization computes to CME-3 but the firm holds only a 12% minority stake with no board seats, the platform surfaces a warning.
This is informational only — it does not change the CME level. The underlying risk assessment remains objective. The alert helps the Portfolio Principal decide whether to seek additional governance leverage, accept the gap, or work collaboratively with the portco leadership to voluntarily meet the evidence standard.
Subsidiary Floor Inheritance
If your organization is a subsidiary of a parent company that also has a CME level in Testify, your CME level cannot fall more than one tier below your parent’s level. For example, if the parent company is classified CME-3, the minimum level for any subsidiary is CME-2. This ensures governance accountability flows through corporate hierarchies while acknowledging that subsidiaries may genuinely be simpler operations.
Your organization’s own factor-computed tier can exceed this floor — the floor only raises, never lowers.
CME Level History
Every change to your organization’s CME level is recorded in an immutable audit log, including:
- The previous and new CME levels
- Which factor inputs changed and by how much
- The source of the change (automated recomputation, manual override, post-acquisition review)
- Who initiated the change and when
- Written justification for manual overrides
This history is accessible on your organization’s profile page in Testify and can be exported for board reporting or audit purposes.
Frequently Asked Questions
Who decides my organization’s CME level?
The CME level is computed automatically from factor inputs entered by your Portfolio Principal. The Portfolio Principal can override the computed level with a documented justification. As a CISO, you can view your level and the factor breakdown, and you should raise concerns with your Portfolio Principal if you believe the classification doesn’t accurately reflect your organization’s profile.
Can I change my CME level?
You cannot directly change it, but you can influence it. If your organization’s profile changes — for example, you decommission an OT environment, reduce your vendor count, or obtain a SOC 2 report — ask your Portfolio Principal to update the relevant factor inputs and trigger a recomputation. If the underlying factors change, the CME level will adjust accordingly.
Does a higher CME level mean my security is worse?
No. CME levels measure organizational complexity and the corresponding evidence standard — not security quality. A CME-4 organization is not less secure than a CME-1 organization. It is more complex, carries more sensitive assets, and therefore requires more rigorous proof of compliance and is held to a broader set of expected controls.
Does my CME level change which CIS controls I need to implement?
The answer is nuanced. The full assessment still covers all controls in the framework — the PE firm recommends that every portfolio company be assessed against the complete standard (all 153 CIS safeguards or all NIST CSF categories) as an industry best practice. However, CME also defines which controls your organization is expected to comply with. A CME-1 company is assessed across all 153 CIS safeguards but is only expected to meet the ~56 IG1 controls. Non-compliance on controls outside your CME scope (for example, an IG3 control at a CME-1 company) is flagged as aspirational rather than as a gap. This means CME does not reduce assessment scope, but it does set realistic compliance expectations and focuses remediation priorities on the controls that matter most for your tier.
What if I think my organization is classified too high?
Review the factor breakdown on your organization’s profile page. If specific factors seem inaccurate (for example, the employee count includes contractors who no longer have system access, or a regulatory framework listed no longer applies), bring the specifics to your Portfolio Principal. They can update the inputs and recompute.
What if I think my organization is classified too low?
This is equally important to surface. If your organization handles sensitive IP or has complexity not captured in the current factor inputs, notify your Portfolio Principal. Under-classification means validation campaigns may not catch real gaps.
How often is my CME level re-evaluated?
The level is recomputed on demand whenever a Portfolio Principal updates your factor inputs. It should be reviewed at minimum annually, at the time of any acquisition or major organizational change, and at 90 days post-close for newly acquired companies.
Does CME apply to assessment campaigns or only validation campaigns?
CME currently drives evidence requirements in validation campaigns (evidence-based control verification). Assessment campaigns (self-reported maturity scoring) use the same controls and scoring regardless of CME level. However, your CME level may inform which supplemental questions are included in an assessment campaign.
Can the same validation campaign include organizations at different CME levels?
Yes. A single campaign can include organizations across all four CME tiers. The platform automatically selects the appropriate evidence tier for each organization-recipe pair. Your evidence guidance will reflect your specific level, not the overall campaign settings.
What is a “criticality driver” and why does it matter?
The criticality driver is which dimension of information asset criticality (regulated data, intellectual property, or competitive advantage concentration) produced your highest score. It matters because validation recipes can have evidence guidance tailored to each driver. An organization classified CME-3 for PHI reasons receives compliance-focused evidence guidance, while one classified CME-3 for trade secret reasons receives IP-protection-focused guidance.
What are CME Control Expectations?
CME Control Expectations define the specific set of controls each company is expected to comply with based on their CME level. For CIS Controls v8, the defaults align to Implementation Groups: CME-1 companies are expected to comply with IG1 (~56 safeguards), CME-2 with IG1+IG2 (~130 safeguards), and CME-3/CME-4 with all 153 safeguards. For NIST CSF 2.0, the defaults align to a function-based progression. Control Expectations determine how compliance rates are calculated, how gaps are categorized (expected vs. aspirational), and what “meeting expectations” means in portfolio reporting. See CME Control Expectations for full details.
Can the PE firm customize which controls are expected at each tier?
Yes. The Portfolio Principal can customize the Control Expectation Set for each CME tier via Settings > CME Control Expectations. Individual controls can be added to or removed from any tier, subject to the constraint that each tier must remain a strict superset of the tier below it. This configuration applies portfolio-wide — it is not a per-company setting. Common use cases include adding industry-specific controls (e.g., HIPAA-relevant safeguards for a healthcare portfolio) or removing controls that are not applicable to the portfolio’s technology profile.
Does this mean I only need to assess the controls in my CME scope?
No. The PE firm recommends a full assessment against the complete framework for every portfolio company, regardless of CME level. A full assessment provides the most complete picture of your security posture and identifies opportunities for improvement beyond your current tier. CME Control Expectations determine which controls you are expected to be compliant on — not which controls you are assessed against. Think of it this way: you take the full exam, but your “passing grade” is based on the questions appropriate for your level.
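As an added illustration of the rules in the three questions above (this is not Testify's own code), the following Python models a tiered Control Expectation Set, the superset constraint on customized tiers, CME-scoped versus framework-wide compliance, and the expected/aspirational split of gaps. The safeguard IDs and assessment results are constructed samples, not the real CIS v8 Implementation Group lists.

```python
from typing import Dict, FrozenSet, List

# Constructed sample safeguard IDs standing in for CIS v8 IG1/IG2/IG3
# (not the real lists of 56 / 130 / 153 safeguards).
IG1 = frozenset({"1.1", "1.2", "4.1", "5.1", "6.3"})
IG2 = IG1 | {"3.3", "7.1", "8.5"}
IG3 = IG2 | {"13.9", "16.13"}

# Default CIS mapping from the guide: CME-1 -> IG1, CME-2 -> IG1+IG2,
# CME-3 and CME-4 -> all safeguards (so those two tiers share one set).
DEFAULT_EXPECTATIONS: Dict[int, FrozenSet[str]] = {1: IG1, 2: IG2, 3: IG3, 4: IG3}

# Constructed full-framework assessment for one company: three failures,
# only one of which (4.1) sits inside the IG1 expectation set.
SAMPLE_RESULTS: Dict[str, bool] = {c: c not in {"4.1", "3.3", "13.9"} for c in IG3}


def validate_tiers(tiers: Dict[int, FrozenSet[str]]) -> bool:
    """Portfolio-wide constraint: each tier must keep every control of the
    tier below it. Checked as a non-strict superset here because the CIS
    default gives CME-3 and CME-4 the identical set; a customized tier that
    drops a lower-tier control fails this check."""
    levels = sorted(tiers)
    return all(tiers[hi] >= tiers[lo] for lo, hi in zip(levels, levels[1:]))


def scoped_compliance(level: int, results: Dict[str, bool],
                      tiers: Dict[int, FrozenSet[str]] = DEFAULT_EXPECTATIONS) -> float:
    """CME-scoped rate: the company is assessed on the whole framework, but
    only controls in its tier's expectation set count toward the grade."""
    expected = tiers[level]
    return sum(1 for c in expected if results.get(c, False)) / len(expected)


def framework_compliance(results: Dict[str, bool]) -> float:
    """Unscoped rate across every assessed control, for comparison."""
    return sum(results.values()) / len(results)


def categorize_gaps(level: int, results: Dict[str, bool],
                    tiers: Dict[int, FrozenSet[str]] = DEFAULT_EXPECTATIONS) -> Dict[str, List[str]]:
    """Failing controls inside the tier's set are 'expected' gaps; failing
    controls above the tier are 'aspirational' and do not count against it."""
    failing = {c for c, ok in results.items() if not ok}
    return {"expected": sorted(failing & tiers[level]),
            "aspirational": sorted(failing - tiers[level])}
```

With the sample data, the same company scores 0.8 CME-scoped at CME-1 but only 0.7 framework-wide, and its two out-of-scope failures are reported as aspirational rather than as gaps.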
Glossary
| Term | Definition |
|---|---|
| CME Level | Cyber Maturity Expectation level. One of four tiers (CME-1 through CME-4) that defines the validation evidence rigor and control compliance expectations for an organization. |
| CME-Scoped Compliance | Compliance rate calculated against only the controls in a company’s CME expectation set, rather than all controls in the framework. This is the default compliance view in Testify and provides the most actionable measure of a company’s compliance posture relative to its tier. |
| Composite Score | The continuous numeric score (0-100) computed from all weighted factors before discretization into a CME level. |
| Control Expectation Set | The specific controls a company is expected to comply with based on their CME level. Defaults align to CIS Implementation Groups or NIST CSF function progression. Customizable by the Portfolio Principal via Settings > CME Control Expectations. |
| Criticality Driver | The specific sub-dimension of information asset criticality (regulated data, IP value, or concentration) that produced the highest score for an organization. |
| Evidence Tier | A set of evidence requirements (artifact types, minimum counts, assessment methods) associated with a specific CME level and optionally a criticality domain. |
| Governance Leverage | The evaluating entity’s ability to enforce evidence requirements, derived from ownership percentage and board representation. |
| Information Asset Criticality | The highest-weight factor in CME classification. Computed as the maximum score across three sub-dimensions: regulated data exposure, IP value, and competitive advantage concentration. |
| Manual Override | A Portfolio Principal’s ability to set the CME level to a value different from the computed result, with a required written justification. |
| Portfolio Principal | The PE firm administrator who manages portfolio-wide security operations in Testify, including CME factor inputs and campaign creation. |
| Subsidiary Floor | The minimum CME level enforced on a subsidiary, equal to its parent organization’s CME level minus one tier. |
| Validation Campaign | A structured evidence-collection initiative where organizations submit proof of security control compliance, reviewed against tier-appropriate evidence requirements. |
| Validation Recipe | A reusable template defining how to validate a specific security control, including expected evidence types, scoring rubrics, and CIS control mappings. |