
Are Your DevSecOps Capabilities Mature?

This session was presented by Tim Chick of the SEI at DevSecOps Days Washington D.C., held on Thursday, October 12.

Software Engineering Institute


A maturity model is a set of characteristics, attributes, indicators, and patterns that represent progression and achievement in a particular domain or discipline. A maturity model allows an organization to have its practices, processes, and methods evaluated against a clear set of artifacts that establish a benchmark. Capability maturity levels are arranged in an evolutionary scale that defines measurable transitions from one level of capability to another. Maturity models can be used to (1) determine an organization’s current level of capability and then apply these methods over time to drive improvements, and (2) determine how well a program is performing by comparing its capabilities against those of its sister programs.

As a DevSecOps system matures, so will its capabilities. This presentation will discuss how the DevSecOps Platform Independent Model (PIM) can be used to evaluate the capabilities of an instantiated DevSecOps pipeline. The DevSecOps PIM is an interactive, authoritative Agile and DevSecOps reference architecture built using Model Based Systems Engineering (MBSE) in SysML. It is broken down into 10 key capabilities across 4 maturity levels, which together provide the basis for articulating an organization’s current level of DevSecOps maturity.