Great work on this!
Some initial thoughts:
Section 6.9 - CTI Mission statement - Dangling "T" at the end of the paragraph.
In the early stages of the document, for example, ASSET, the maturity model seems to go from zero to 99 pretty quickly. For example, CTI-1 in "Improve Asset Visibility" is nearly impossible for organizations larger than 10 people. I struggle every day at obtaining and maintaining an accurate inventory - let alone classifying that. Not saying we shouldn't be there, but the reality is that asset inventories (physical, software and data) are some of the hardest areas of the security domain (opinion).
I wonder if there is a level at the beginning, where assets are identified, even if they're not yet formally inventoried and classified?
I do like the note on exposures. Many organizations often overlook detecting public exposures of private data.
As the document progresses, there seems to be a little more relaxation in the maturity levels. For example, when we get to ARCHITECTURE, the levels are more aligned with what I would see most organizations achieving, and it shows a pathway to maturity from immature to very mature.
Overall, this document is well thought out and easy to follow. I feel it will help organizations build as well as mature their programs. I can't wait to see it progress!