PROGRESS Methodology

 

PROGRESS applies sector-wide cyber resilience assessment through a structured process, practical advisory outputs, and a capability maturity matrix aligned with NIST Core Functions.

 

How we do it

We break down a sector into sub-components, assess their capacity and maturity, and identify ways to strengthen the sector.

The assessment brings sector stakeholders into one structured dialogue around shared resilience objectives.

 

1. Model the sector

We map the institutions, regulators, suppliers, and external capabilities that shape the sector's resilience profile.

 

 

2. Assess maturity

We analyze the sector across four dimensions of operation and align findings to the NIST Core Functions, using real data to populate the matrix.

 

 

3. Identify capability gaps

The assessment surfaces specific vulnerabilities and shows where focused improvement can strengthen the sector.

 

 

4. Produce a roadmap

We formulate prioritized actions to strengthen governance, coordination, capability, and resilience across the sector.

 

Standards-aware structure

Assessment logic aligns with recognized standards and governance practice, including the NIST Cybersecurity Framework and ISO/IEC 27001. PROGRESS bridges national- and enterprise-level perspectives with a sector lens and integrates prior assessments where they exist.

 

 

Benefits / why PROGRESS?

PROGRESS produces sector-specific recommendations that target capability gaps in people, processes, and technology, sequenced into a prioritized roadmap.

 

 

What makes PROGRESS distinct

PROGRESS is built as a sector instrument: it is designed for sector-wide insight, links national and enterprise views, and is suited to assessments that combine many stakeholders, prior studies, and disruption in the sector.

 

Structural strengths

  • It bridges the gap between national and enterprise levels.
  • It provides a sector-specific roadmap to enhance cyber resilience.
  • It prioritizes forward-looking cyber resilience indicators.
  • It offers effective and cost-efficient ways to capture a sector view.
  • It applies to sectors that stretch across national borders.
  • It addresses supply chain and third-party risks.
  • It has been applied across multiple sectors and countries.

 

In assessment and recommendations

  • Incorporating suppliers, human capital, regulators, and national-level capabilities enhances feasibility and effectiveness.
  • Performing a sectoral assessment brings together diverse stakeholders and fosters communication, cooperation, and improved resilience objectives.
  • PROGRESS model recommendations address capabilities, roles, and responsibilities across all four dimensions of operation.
  • It provides a more detailed assessment than many other models (24 assessed instances across a 4x6 matrix).
  • It fills the gap between national- and enterprise-level models by incorporating prior assessments such as the Oxford Cybersecurity Capacity Maturity Model for Nations or enterprise-level models, and accepts disruption as inevitable.

Figure: Three-layer framework linking national, sector, and enterprise resilience

The model assumes inevitable disruptions: degraded performance, interrupted service, and partial sector collapse.

 

 

Advisory outcome

The final advisory report sets out specific recommendations for the sector: vulnerabilities, risks, and practical improvements.

The methodology covers 46 topics, each examined across the four dimensions of operations.

 

 

What PROGRESS CCMM does differently

PROGRESS CCMM addresses every stakeholder in an economic sector and integrates their interactions, enabling targeted recommendations and efficient resource allocation.

The PROGRESS model offers sharp and focused recommendations that are:

  • Service-specific: focusing on required capabilities in sectors such as power, financial services, and healthcare.
  • Grounded in diagnostics: anchored in current capabilities and performance dimensions.
  • Holistic: incorporating people, policy, and supply-chain considerations alongside technical controls.
  • Outward-facing: incorporating external capabilities and collaboration with state agencies.

The PROGRESS model analyzes sectors in four dimensions of operations.

 

 

Dimensions of operations

To illustrate how the dimensions work in practice, take electricity as an example of a critical-infrastructure sector. That sector includes generation, transformation, transmission, and distribution subsectors.

Each dimension: what is analyzed, and an electricity-sector example

Dimension 1: Key entities
  • What is analyzed: Typically, large organizations and their capabilities are analyzed.
  • Electricity-sector example: In the power sector, this includes power generation, transmission, and distribution facilities operated by monopolies in the industry and country.

Dimension 2: Sectoral supervisors
  • What is analyzed: Analysis of regulators and regulations in the industry, including interactions with key entities and other stakeholders.
  • Electricity-sector example: This may involve the Ministry of Energy or other electric authorities, as well as additional regulators like environmental protection organizations.

Dimension 3: IT & OT supply chain
  • What is analyzed: Examination of smaller players in the sector such as service providers, suppliers, and other elements in the supply chain.
  • Electricity-sector example: For the power sector, this includes fuel suppliers, providers of critical goods, vendors of professional services and power generation equipment, and security and monitoring organizations.

Dimension 4: National cybersecurity capacity
  • What is analyzed: Assessment of stakeholders outside the sector, such as national Critical Infrastructure Protection (CIP) agencies or supply chains.
  • Electricity-sector example: This involves evaluating national or state-level capabilities in cyber defense, intelligence, law enforcement, forensics, and certifications established by state or professional unions.

 

 

NIST Core Functions

Findings are mapped to the NIST Cybersecurity Framework Core Functions to support implementation planning and reporting across institutions.

  • Govern: Cybersecurity strategy, roles, policy, oversight, and risk governance across sector stakeholders.
  • Identify: Critical assets, dependencies, and sector-level risk posture.
  • Protect: Safeguards, baseline controls, workforce readiness, and resilience of essential services.
  • Detect: Monitoring, visibility, information sharing, and early warning capability across the sector.
  • Respond: Coordination, incident management, communications, and continuity under disruption.
  • Recover: Restoration planning, service recovery, lessons learned, and adaptation over time.

 

 

The PROGRESS capability maturity matrix

Combining the dimensions with the NIST Core Functions produces the matrix, which scales to any number of nodes and links.

Figure: PROGRESS NIST CSF v2 matrix showing dimensions and core functions

The PROGRESS CCMM assessment covers 46 topics across multiple dimensions of operations, generating 24 assessed instances (4x6) for each sector assessed.

 

 

Extending PROGRESS: AI capability maturity

AI systems run on top of the sectors PROGRESS was built to diagnose: power, data networks, cloud infrastructure, and the supply chains that make them work. AI resilience therefore depends on the cybersecurity of those foundations. The CRL is extending PROGRESS to AI capability maturity; this work is in progress and not yet published.

 

 

Outputs & further reading

To read more about the PROGRESS model:

To find out more about PROGRESS and see how you can benefit, please contact Lior Tabansky. See Contact.

 

 

Frequently asked questions

 

How is PROGRESS different from enterprise-only models?

PROGRESS is built for the full sector system, including regulators, operators, supply-chain actors, and national capability context across multiple organizations.

 

Which standards inform the method?

The methodology aligns with recognized practice including the NIST Cybersecurity Framework and ISO/IEC 27001.

 

What is the main output of an assessment?

The main output is a prioritized, practical roadmap that addresses capability gaps across governance, coordination, and operational resilience.

 

Updated: May 2026.

Tel Aviv University makes every effort to respect copyright. If you own copyright to the content contained here and/or the use of such content is, in your opinion, infringing, contact the referral system.