DSMM certification is based on the internationally recognized Capability Maturity Model (CMM), combined with China's data security governance practices, and proposes the advanced concept of "data centric and capability oriented". The launch of DSMM marks the entry of China's data security governance into the stage of "refined management".
Its core lies in:
• Data ontology protection: Focus on the security attributes of the data itself (confidentiality, integrity, availability), rather than generalized information system security;
• Dynamic capability evolution: Quantitatively evaluate enterprise security capabilities through 5 levels of maturity (initial level → optimization level), providing a step-by-step improvement path;
• Full process integration: Covering six major links of data collection, transmission, storage, processing, exchange, and destruction, achieving deep collaboration between business flow and security flow.
DSMM focuses on data and constructs a three-dimensional evaluation system around the data lifecycle, covering four security capability dimensions, five maturity level dimensions, and seven data security process dimensions, forming a scientific management framework.
DSMM divides data security capabilities into five levels, which are used to evaluate an organization's data security capabilities; a higher level indicates better management of the enterprise's data security capabilities.
DSMM Level 2 is suitable for enterprises that have initially established a data security system, DSMM Level 3 is suitable for organizations with high levels of data security practice, DSMM Level 4 is suitable for organizations that are leading in the field of data security, and DSMM Level 5 is currently not open for application.
DSMM is not only a compliance tool, but also a "health check" and "compass" for enterprise data security capabilities. Its core values include:
1. Compliance and risk prevention: Meet regulatory requirements such as the Data Security Law and the Personal Information Protection Law to reduce the risk of data leakage and economic losses;
2. Competitiveness enhancement: Certification can enhance customer trust; for example, a company's DSMM certification can enhance its competitive advantage in the international market;
3. Systematic construction: Help enterprises identify security weaknesses, establish a protection system covering the entire lifecycle, and promote the release of data element value;
4. Industry benchmark role: For example, a certain power grid enterprise became the industry's first DSMM Level 4 certified unit through Tianrongxin's support, achieving quantitative management of safety goals.
Key applicable areas:
• Internet platforms involving a large number of citizens' personal information (such as e-commerce and social apps)
• Financial institutions that handle sensitive industry data (payment data, credit information)
• Government big data centers participating in the construction of digital government
• Intelligent manufacturing enterprises that rely on industrial data (process parameters, supply chain data)
The application for DSMM certification must meet the following basic requirements, and additional conditions must be met for different certification levels (such as Level 3 and Level 4):
1. Basic conditions
Independent legal entity qualification: The applying organization must be an independent legal entity registered in accordance with the law.
Legal qualifications: Based on industry characteristics, possess relevant business qualifications (such as financial licenses required for the financial industry).
Professional team: Equipped with data security technicians, some high-level certifications require CDSP-DSMM certified assessors (with a technical team of at least 10% or at least 5 people).
Management System: A data security management system that complies with the GB/T 37988-2019 standard has been established and at least one internal audit has been completed.
Compliance: No major data security incidents or violations (such as false declarations, certificate abuse, etc.) within five years.
2. Additional conditions for high-level certification
Historical qualification requirements: To apply for Level 4 certification, the organization must already hold Level 3 qualification and have held it for a certain period of time.
Quantitative management capability: It is necessary to have quantitative indicators of data security goals (such as risk coverage, incident response time, etc.).
Technical tool coverage: Key data links (such as storage and transmission) require the deployment of encryption, desensitization, and other technical tools, with a coverage rate of ≥ 80%.
Matters needing attention:
• It is recommended to start with Level 2 (Plan Tracking Level) for initial certification; Level 3 requires standardized processes, and Level 4 requires quantitative management capabilities.
• Starting from 2025, companies that have not obtained DSMM certification will not be able to participate in government data cooperation projects.
Proof of Enterprise Subject:
• Business License, Organization Code Certificate
• Specific Industry Qualification Certificate
Qualification of Data Security Team:
• List of dedicated personnel for data security
• Technical personnel qualification certificate
• The technical leader must provide more than 3 years of experience in data security project management or DSCA special certification
1. Material optimization suggestions
Prioritize improving the data classification and grading system to ensure clear and traceable logic;
Replace paper records with electronic certificates (such as data destruction logs, emergency drill reports).
2. Common rejection risks
Insufficient personnel qualifications: less than 8% certificate holding ratio or missing training hours (proof must be submitted within 15 days);
The coverage rate of technical tools does not meet the standard: for example, the encryption system does not cover the core database (which needs to be rectified and re-evaluated).
3. Policy linkage support
Applying simultaneously for CMMI Level 3, ISO 9001 and other qualifications can earn government bidding bonus points and a maximum subsidy of 3 million yuan.
The continuous improvement requirements for DSMM (Data Security Capability Maturity Model) certification are mainly reflected in three aspects: supervision and audit, certificate maintenance, and upgrade mechanism.
The following is a detailed explanation: