It's Only a Model
As an avid user of, and contributor to, a couple of frameworks, I had to learn a thing or two about models. There are many kinds of frameworks, controls, standards, regulations, and yes, models, but I'll stick to my wheelhouse of Maturity Models, Capability Models, and Capability Maturity Models for this post. It's important to understand what each one is, what it can be used for, and how they differ, because picking the right model to guide your security program is a huge first step in bringing formality and structure to a wild west or an ad-hocracy.
No matter what model or framework you choose, there are a couple of calibration steps you should consider before picking The One. Here are a couple of things you should judge frameworks on (a sort of framework for frameworks, or model for models):
Resolution - When looking at who will use a framework, there are many possible levels of resolution. Like a 2000x versus a 20x microscope lens, the resolution determines how much detail the framework is able to measure and provide guidance on. The SLSA framework is a great framework for DevOps tool admins looking to secure a build pipeline, but it is too big for a developer to write code against and too small for a VP of Application Security to build a security program around. NIST's SSDF and the BSIMM are meant for CISOs and AppSec Directors to be able to survey their kingdoms and some of the neighboring lands, but they aren't the best fit for a security architect or pen tester. Pick the framework whose resolution matches what you need to measure.
Scope - Resolution impacts scope. A more zoomed-in resolution necessitates a smaller scope. In order to make a framework understandable, manageable, and usable by a single individual or team, framework authors have to limit the amount of content they include. This means there is a trade-off between scope and resolution: the more detail you get, the less ground that detail covers, while broader frameworks provide less detail but cover more ground. Pick a framework that provides the right amount of scope to cover all the things you care about.
Role or intended audience - Just as scope can affect who will benefit from the results of a framework (senior leaders vs. managers vs. practitioners), the framework's target audience or roles can change what is included in its scope. There is a pair of NIST frameworks, the CSF and the SSDF, that have roughly similar scope areas and resolutions (i.e. they cover the same amount of "stuff" at the same level of detail), but they are meant for different roles and cover different ground.
These factors may affect your decision when picking a framework, and they may explain why a DevOps team may adopt SLSA while the product security team or the larger development organization may adopt SSDF as their security framework. The differences in scope and resolution mean they're useful for different purposes.
When looking at models and frameworks, the other factor is understanding how they measure what they measure. There are two main approaches, and they're not incompatible; in fact they're often combined into a third. The three types are capability models, maturity models, and capability maturity models.
A capability model works by measuring "what" or "how much": it lays out a map's worth of ground to cover and assigns activities to each little plot that it measures. Capability models are useful for gap assessments because missing activities are gaps. Each activity has a minimum bar for maturity, effectiveness, coverage, or depth that has to be crossed before credit can be given, but beyond those bars the framework provides no judgment about maturity. Examples of capability models are BSIMM and SSDF.
The way people "read" capability model results is often "more ground covered = more better" where the goal is to tick all of the boxes and cover all of the ground. I read capability models as a menu of possibilities. If there are gaps, it represents plots of land that could be tilled and farmed for productive use, but not all land needs to be developed. Security-focused capability models present a potential universe of things a reasonable security program could adopt, but don't set a real target for progress.
The counterpart to a capability model is a Maturity Model. These types of models aim to measure "how well" and use criteria that measure a capability's or activity's depth, effectiveness, coverage, drawbacks, and/or optimization. A maturity model has the bonus of being able to provide a real report card on how existing capabilities are performing while also providing a target for how to improve. Examples of maturity models are the Process Maturity Framework and the Capability Maturity Model (CMM, not CMMI, which is a different sort).
A drawback is that, just as each capability or activity in a capability model requires a tuned threshold to cross before it is mature enough to earn credit, a maturity model has to be tuned and calibrated to each thing it measures. This means that when measuring one thing, each level has to be set to a specific list of criteria, and measuring another capability means doubling that work.
To save end users the heartache of having to calibrate maturity levels for every capability, there are combined capability maturity models that measure the maturity of individual capabilities. One example of this is the SLSA framework, which assigns maturity levels based on which capabilities are observed. This means the SLSA framework can be used not only to provide a menu of future expansions but also to assign a grade on a report card. Unfortunately, because combined capability maturity models are a lot of work to tune and calibrate, they're kind of rare, and capability models that are usable as control listings are far more common.
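To make the three scoring styles concrete, here is an added example (my own illustration, not code from SLSA, BSIMM or SSDF) that scores one constructed pipeline assessment three ways: as a capability-model gap list, as a per-capability maturity report card, and as a combined level ladder in the SLSA style. The activity names, the 0-3 score scale, the level criteria and the ladder are all constructed for illustration and are not the real requirements of any of those frameworks.

```python
from typing import Dict, List, Set, Tuple

# Scores are on a hypothetical 0-3 scale (0 = absent). All names and criteria
# here are constructed for illustration, not taken from BSIMM, SSDF or SLSA.
ObservedScores = Dict[str, int]

# Capability model: a menu of activities, each with one minimum bar. Credit is
# binary; scoring above the bar earns no extra judgement from the model.
CAPABILITY_MENU: Dict[str, int] = {
    "source_control": 1,
    "build_service": 1,
    "signed_provenance": 2,
    "hermetic_build": 1,
}

# Maturity model: every capability carries its own calibrated level criteria,
# which is the per-capability tuning work the post describes.
MATURITY_CRITERIA: Dict[str, Dict[int, str]] = {
    "signed_provenance": {1: "generated ad hoc", 2: "generated by the build service",
                          3: "generated by the build service and non-forgeable"},
    "build_service": {1: "shared hosted runner", 2: "isolated per build",
                      3: "isolated and reproducible"},
}

# Capability maturity model: a ladder where each level is the set of menu
# capabilities (at their minimum bar) that must all be observed.
LEVEL_LADDER: List[Tuple[int, Set[str]]] = [
    (1, {"source_control"}),
    (2, {"source_control", "build_service"}),
    (3, {"source_control", "build_service", "signed_provenance"}),
    (4, {"source_control", "build_service", "signed_provenance", "hermetic_build"}),
]

def meets_bar(observed: ObservedScores, cap: str) -> bool:
    return observed.get(cap, 0) >= CAPABILITY_MENU[cap]

def capability_gaps(observed: ObservedScores) -> List[str]:
    """Capability-model reading: the menu items not yet earning credit."""
    return [cap for cap in CAPABILITY_MENU if not meets_bar(observed, cap)]

def maturity_report(observed: ObservedScores) -> Dict[str, str]:
    """Maturity-model reading: how well each calibrated capability performs."""
    return {cap: levels.get(observed.get(cap, 0), "not present")
            for cap, levels in MATURITY_CRITERIA.items()}

def combined_level(observed: ObservedScores) -> int:
    """Capability-maturity reading: highest level whose ladder is fully satisfied,
    with no skipping; a missing lower-level capability caps the grade."""
    level = 0
    for lvl, required in LEVEL_LADDER:
        if not all(meets_bar(observed, cap) for cap in required):
            break
        level = lvl
    return level

# Constructed assessment of one build pipeline (not a real project's data).
SAMPLE_PIPELINE: ObservedScores = {"source_control": 3, "build_service": 2, "signed_provenance": 1}
```

Run against SAMPLE_PIPELINE, the gap list names two unfunded plots of land, the report card grades the two calibrated capabilities, and the ladder stops at level 2 because provenance is present but below its bar.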
So now that you know how to pick out a framework that's right for you, go out and measure what you've built already, use it to formulate a target state, and then connect the dots to get from here to there.
There's always more words to spend on a topic like this one, but I've hit my budget for now. Stay secure, and never forget the humans.