Maturity Modelling, NIST CSF and SFIA
How SFIA can be used alongside cybersecurity frameworks and maturity models.
How to use this guidance
This guidance is intended to help organisations understand how SFIA can be used alongside cybersecurity frameworks and maturity models, rather than to prescribe a single implementation approach.
You can use this guidance by:
- starting with your chosen cybersecurity framework or maturity model (such as NIST CSF 2.0) to identify the outcomes your organisation wants to achieve
- using the NIST CSF to SFIA skills mapping to identify the SFIA skills that are relevant to those outcomes
- considering which SFIA levels of responsibility are required to deliver those activities reliably and consistently in your organisational context
- using SFIA to define role expectations, workforce capability gaps, and sourcing requirements in a consistent and objective way
This guidance is deliberately high-level and adaptable. It is designed to support conversations between security leaders, technology teams, HR, procurement and senior management, using a shared and well-defined skills language.
SFIA does not determine your target maturity level or organisational structure. Instead, it provides a practical way to describe and develop the people capability needed to move from your current state toward your desired cybersecurity outcomes.
Maturity Modelling Cyber Security Capabilities
Maturity models help organisations understand how well they perform across processes, governance, technology and culture. However, a recurring challenge in applying these models is that organisations often know what they want to achieve but struggle to convert those aspirations into the people capability required.
- This is where SFIA offers a practical solution. SFIA introduces a structured, consistent way to define the skills, responsibilities and behaviours needed to achieve higher levels of capability maturity.
- By adding a workforce lens to established process and capability models, SFIA helps organisations turn maturity uplift from an abstract goal into a practical, people-centred transformation pathway.
This guidance explains the principles and benefits of using SFIA with cyber security maturity models. For detailed skill mappings to each NIST CSF 2.0 outcome and subcategory, see the companion document: NIST Cyber Security Framework (CSF) 2.0 to SFIA v9 Skills Mapping.
While SFIA itself is not a maturity model, it can provide the workforce dimension that enables organisations to operationalise their chosen maturity frameworks effectively. Think of maturity models as defining what needs to be achieved and how well, while SFIA defines who can do it and at what level of responsibility.
Understanding Process and Capability Maturity
When assessing organisational maturity, organisations typically look at it through the lens of either process or capability. These are closely related but measure different things for different purposes.
Process maturity models focus on how well an organisation's processes are defined, documented, executed and improved over time.
- They look at whether the organisation follows consistent procedures, whether those procedures are repeatable and whether they are monitored and refined.
- A process maturity model is essentially asking the question: How good are we at following and improving our processes?
- These models are often used in areas like project management, software development and service delivery, where consistency and repeatability are essential.
Capability maturity models look more broadly at an organisation's ability to achieve desired outcomes.
- They consider not only processes but also people, skills, technology, culture and governance.
- A capability maturity model asks: Do we have the competencies, resources and behaviours needed to operate effectively and deliver results?
- Because it looks at more than just processes, this type of model is often used in cyber security, risk, business resilience and workforce development.
In simple terms, you can think of the difference like this: Processes are about how work gets done and capabilities are about the ability to get work done well.
Given the global cyber security skills shortage, workforce capability planning becomes increasingly important for maturity outcomes.
- Many organisations find that recruitment alone may not be sufficient to achieve higher maturity levels.
- Competition for experienced cyber security professionals can be intense, and salary expectations can exceed budget constraints.
- This context means organisations often need to consider strategic development of internal talent, informed sourcing decisions, and ways to ensure that vendors deliver genuine capability.
- SFIA can provide the precision to support these decisions, enabling objective capability assessment and measurement of workforce investments.
When looking at capability maturity, people form one of the fundamental dimensions alongside processes, technology and governance. SFIA strengthens this people dimension by mapping professional skills to a seven-level responsibility model, ranging from entry-level practitioners to strategic leaders. These levels articulate increasing autonomy, influence, complexity and professional behaviour. They also make clear what is required to perform work reliably and consistently at each maturity stage.
For example, increasing capability maturity in incident response is not just a matter of implementing new tools. It requires analysts who can triage events autonomously, specialists who can perform detailed forensic analysis, and managers who can coordinate enterprise-wide responses. SFIA defines these competencies with precision, helping to reduce ambiguity and supporting organisations in moving beyond generic job titles or inconsistent skill assumptions.
This precision becomes particularly valuable when assessing capability gaps. Without SFIA, organisations might conclude they need "more senior security analysts" or "better incident response capability." With SFIA, they can specify that they need capability at Level 4 for Incident Management (USUP), Level 4-5 for Digital Forensics (DGFS), and Level 5-6 for Security Operations (SCAD). This specificity enables targeted recruitment, focused learning and development, and accurate vendor capability assessments. It transforms vague capability aspirations into measurable workforce requirements.
Using SFIA and NIST CSF 2.0 as a Framework for Capability
SFIA complements frameworks such as the Cyber Security Framework (CSF) developed by the US National Institute of Standards and Technology.
- The NIST CSF is a widely adopted, voluntary set of standards and best practices designed to help organisations understand, manage and reduce cyber security risk.
- It provides a structured and repeatable approach built around six core functions: Govern, Identify, Protect, Detect, Respond and Recover.
Organisations increasingly face regulatory requirements to demonstrate cyber security maturity.
- Frameworks such as the Digital Operational Resilience Act (DORA) in financial services, the Network and Information Security Directive (NIS2) in the European Union, and sector-specific regulations worldwide are driving organisations to formalise their approaches to cyber risk management. These regulations often require not just technical controls but demonstrable workforce competency and governance.
- SFIA can support organisations in meeting these expectations by providing a standardised, auditable approach to defining and assessing the professional capabilities supporting their cyber security maturity claims. It helps answer the regulator's question: "How do you know your people are capable of doing what your framework says they should do?"
The six CSF functions outline the essential outcomes required for effective cyber risk management and give organisations a common language to plan, prioritise and improve their security posture in a way that aligns with business objectives.
Maturity models help determine how well those functions are delivered, and SFIA then identifies the specific human capability required to achieve the target state.
For instance, the "Detect" CSF function requires ongoing monitoring, threat analysis and escalation. Maturity models will assess whether those processes are ad hoc, documented, consistently executed or optimised. SFIA can bridge the two by defining the skill requirements associated with each element of the Detect function. As a result, workforce planning becomes directly tied to the organisation's desired maturity level rather than being driven by assumptions or broad role descriptions.
This integration helps organisations identify when maturity targets may exceed their current workforce capability. A common challenge is organisations implementing processes and technologies associated with higher maturity levels while workforce capability develops at a different pace. This can result in processes that appear mature but may not perform consistently because the supporting skills are still developing. SFIA can help make capability gaps visible during planning, supporting more realistic implementation timelines.
Practical Applications: From Strategy to Operations
SFIA supports the operationalisation of mature processes by enabling role clarity and repeatability. Mature processes rely on consistent human execution, yet many organisations operate with blurred boundaries between roles or inconsistent expectations of what practitioners at different levels should deliver. SFIA addresses this ambiguity through its detailed skill descriptions and responsibility levels. When these are aligned to process steps, organisations gain a predictable workforce model where the right work is performed by the right people with the right demonstrated capability. This stabilises operations, reduces dependency on specific individuals and enables consistent improvement over time.
Making It Work: Sourcing and Procurement Decisions
This clarity around capability requirements also supports decisions around insourcing, outsourcing or hybrid delivery models. When organisations lack the skills or workforce depth needed to reach their target maturity, SFIA makes those gaps visible and quantifiable. For example, if an organisation cannot staff a 24/7 monitoring function with analysts capable of operating at the required SFIA levels, outsourcing may be the most viable option. Conversely, if the organisation has strong internal skills across key SFIA roles, insourcing may better support agility and long-term capability growth. These decisions become evidence-based rather than subjective.
SFIA also plays a central role in procurement and contract structuring. When outsourcing occurs, SFIA provides a framework for specifying the capability providers must deliver: the skills, levels and responsibilities they are required to supply. This avoids the common industry challenge where vendors meet contractual obligations with staff whose skills do not match the complexity of the required work.
By specifying skill levels, experience expectations and role responsibilities using SFIA definitions, organisations can evaluate vendors objectively and ensure alignment between service delivery and their maturity goals. This creates measurable, enforceable expectations and provides a framework for ongoing performance management. Contracts can specify that a Security Operations Centre must be staffed with personnel demonstrating SFIA Level 4-5 capability in Security Operations (SCAD) and Level 4 capability in Incident Management (USUP), making vendor commitments tangible and auditable.
Using the NIST CSF 2.0 to SFIA Mapping
The companion mapping document provides detailed skill alignments for each NIST CSF 2.0 outcome and subcategory. For each CSF function (Govern, Identify, Protect, Detect, Respond, Recover), the mapping identifies:
- Illustrative SFIA levels of responsibility for the overall outcome – indicating the typical seniority and autonomy required
- Specific SFIA skills relevant to each subcategory – showing which professional competencies are needed
- Typical participation patterns across organisational levels – clarifying who should be involved and at what level
These illustrative levels reflect common patterns but should be adapted to your organisation's size, structure and maturity context. A small organisation may require individuals to work at higher levels across multiple skills, while larger organisations can distribute responsibilities more widely.
This granular mapping supports organisations in translating their CSF implementation objectives directly into workforce capability requirements, supporting precise job design, skills assessment, learning and development planning, and vendor evaluation. It moves workforce planning from generic assumptions to evidence-based decisions grounded in the specific outcomes your organisation needs to achieve.
Putting This Into Practice
Organisations can begin applying this approach through several practical steps:
1. Establish baseline maturity
Use your chosen framework (such as NIST CSF) to assess current capability maturity across relevant functions. Identify where processes are ad hoc, documented, consistently executed or optimised.
2. Define target state
Determine which areas require maturity uplift and by how much, based on business risk, regulatory requirements and strategic priorities. Not all functions need to reach the highest maturity level.
3. Map skills requirements
Use the NIST CSF 2.0 to SFIA mapping to identify the specific skills and responsibility levels needed to achieve your target state in each function. This reveals the precise workforce capability required.
4. Assess current workforce
Evaluate existing team members against the identified SFIA skills and levels to reveal capability gaps. This assessment can be evidence-based, looking at demonstrated competency rather than job titles.
5. Develop action plans
Create targeted strategies for closing gaps through learning and development, recruitment, reorganisation or selective outsourcing. Different gaps require different solutions.
6. Implement and measure
Execute your plans and track progress both against maturity framework metrics and workforce capability indicators. Regularly review whether improved capability is translating into higher maturity outcomes.
The detailed NIST CSF 2.0 to SFIA mapping provides the granular skill definitions needed to support each of these steps, enabling evidence-based workforce decisions rather than assumptions about capability.
Conclusion
SFIA supports human-centred maturity modelling by making workforce capability requirements actionable and measurable. It provides a framework for connecting what an organisation wants to achieve, how well it currently performs, and the people capability required to progress. By providing a consistent skills language across executives, HR, technology teams, procurement and operational staff, SFIA can help replace assumptions with greater clarity and support organisations in creating an integrated path from maturity assessment to workforce uplift.
When used alongside frameworks such as NIST CSF 2.0, organisations can use SFIA to support sustainable capability development, moving from ad hoc approaches toward more predictable, systematic practices. Together, the conceptual understanding provided by this guidance and the detailed skill mappings in the companion document offer organisations a structured approach to building cyber security workforce capability aligned to industry-standard maturity frameworks.