The Cybergovernance Maturity Oversight Model (CMOM) tests maturity across 10 functional Domains (listed below). The "domains" are simply the different components that make up a successful cybersecurity program. A Curator, or owner, is assigned to each Domain, and that person is responsible for seeking answers to the assessment questions for that particular Domain.
Risk Management (RM)
RM focuses on strategies, practices, and policies related to cyber risk management. Many of the assessment questions probe practices that are common in operational risk management and test the degree to which those are applied to the cybersecurity realm. Other assessment questions focus on collaboration between risk managers and other functions within the organization.
Asset, Change, & Configuration Management (ACM)
ACM deals with the processes and policies that guide IT and information asset management. This includes inventorying, configurations, and tracking of any changes. Assessment questions are designed to test the ability of the organization to maintain a current, fine-grained understanding of its IT and information assets. In many cases this Domain overlaps with Risk Management.
Identity & Access Management (IAM)
IAM tests processes and policies related to the granting of access privileges. Assessment questions test the rigor of procedures that assign identities, credentials, and access levels. There is significant collaboration with IT, HR, and Risk.
Threat & Vulnerability Management (TVM)
TVM deals with processes and procedures for seeking out and addressing cybersecurity threats (external) and vulnerabilities (internal). These are technical issues by definition, but they also rely heavily on collaborative processes between IT and security teams, as well as on external entities that provide relevant information.
Situational Awareness (SA)
SA is a broad topic that spans technology efforts to monitor systems and communication efforts focused on informing the workforce. The efficacy of SA is a function of numerous efforts in IT, security, HR, risk management, and others. This is a highly collaborative function that will benefit from high-level oversight.
Information Sharing & Communications (ISC)
ISC deals with activities around sharing cybersecurity and event data with outside entities. These entities include Information Sharing and Analysis Centers (ISACs), law enforcement, and other firms or agencies that collect and disseminate cybersecurity information.
Event & Incident Response, Business Continuity (IR)
IR is concerned with the development, maintenance, exercise, and dissemination of plans for responding to cybersecurity events. It crosses many other Domains and requires heavy collaboration by IT, security, operations, risk management, human resources, and others.
External Dependency Management (EDM)
EDM is concerned with managing risks related to external entities – partners, vendors, and customers. These relationships can easily become the entry point for cyber criminals, and, as a result, external entities should be rigorously vetted. This Domain involves collaboration between procurement, risk, and many others.
Workforce Management (WM)
WM deals with human resources efforts to recruit, screen, hire, train, test, and maintain a workforce with strong cybersecurity capabilities. This function depends on collaboration with various security functions, risk management, and other departments.
Cybersecurity Program Management (CPM)
CPM covers executive-level oversight and sponsorship of cybersecurity programs. The goal should be to achieve an organization-wide cybersecurity strategy that is led by senior executives and executed by the workforce in concert.